The Ragnar Locker ransomware group has breached at least 52 entities from various critical infrastructure organisations in the United States, according to a joint TLP: White flash alert put out by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA).
The group works as part of a ransomware family and often changes its obfuscation techniques to avoid detection and prevention. The flash error, in particular, focuses on providing information on any potential indicators which can be used to detect and block the group’s ransomware.
These IOCs or indicators of compromise include information on attack infrastructure, bitcoin addresses used to collect ransoms, and any email addresses used by the group.
Sending Ragnar to Valhalla
While the FBI first discovered Ragnar Locker in April 2020, the group’s ransomware payloads were initially observed in attacks during late December 2019. The operators terminate any remote management software such as ConnectWise or Kaseya running on the machine to manage client systems remotely on compromised enterprise networks.
This approach helps them avoid detection while at the same time ensuring that the remote logged-in admins do not interfere with the ransomware or block it by any means.
The FBI has asked system admins and network administrators who have come across Ragnar Locker activity to share any related information with the local FBI Cyber Squad. This information includes copies of the ransom notes, demands, timelines of any malicious activity, payload samples, and other related information.
Since there’s no guarantee that an affected network will be safe from future attacks or leaks of stolen data, the FBI has advised against paying the group. Instead, the bureau believes that it’ll only motivate Ragnar Locker and other ransomware groups to target more victims further and incentivise other groups to hop on to the ransomware bus as well.
That’s not to say that the FBI doesn’t acknowledge the damage these attacks cost. The flash alert also included mitigation measures to block any such attacks and asked that victims report such incidents to local field offices.