A prolific ransomware variant has compromised at least 52 critical national infrastructure (CNI) entities, a new FBI report has revealed.
In a new Flash update, the Feds claimed that organizations in 10 CNI sectors had been impacted as of January this year, including manufacturing, energy, financial services, government and IT.
Although the group has changed its tactics, techniques and procedures (TTPs) to stay hidden over the past two years, the FBI said attackers typically use VMProtect, UPX and custom packing algorithms and deploy a custom Windows XP virtual machine on the victim’s site.
“RagnarLocker iterates through all running services and terminates services commonly used by managed service providers to remotely administer networks. The malware then attempts to silently delete all Volume Shadow Copies, preventing user recovery of encrypted files,” the report explained.
“Lastly, RagnarLocker encrypts all available files of interest. Instead of choosing which files to encrypt, RagnarLocker chooses which folders it will not encrypt. Taking this approach allows the computer to continue to operate ‘normally’ while the malware encrypts files with known and unknown extensions containing data of value to the victim.”
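The two behaviours quoted from the report, mass termination of remote-administration services followed by silent deletion of Volume Shadow Copies, are both observable in process-creation telemetry. The script below is an added example, not code from the FBI flash or from the article: it runs a small detector over constructed log lines of the form `timestamp|host|parent_process|command_line`. The command strings it matches (`vssadmin delete shadows`, `wmic shadowcopy delete`, `wbadmin delete catalog`, `net stop` / `sc stop`) are common ways these actions are performed on Windows and are assumed here; the page does not state which commands RagnarLocker itself issues. The service names and host names are constructed sample values.

```python
"""
Added example (not from the FBI report or the article): flag shadow-copy
deletion and bursts of service stops in process-creation logs.
Log format, command patterns, host and service names are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common shadow-copy / backup-catalog deletion commands (assumed, not page-specific).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I),
]
# "net stop <svc>" / "sc stop <svc>", capturing the service name (quoted or bare).
SERVICE_STOP_PATTERN = re.compile(
    r"\b(?:net1?(?:\.exe)?|sc(?:\.exe)?)\s+stop\s+(\"[^\"]+\"|\S+)", re.I
)

# Constructed sample telemetry: timestamp|host|parent|command_line
SAMPLE_LOG = """\
2024-01-10T09:00:01|ws01|explorer.exe|notepad.exe report.txt
2024-01-10T09:05:10|ws01|unknown.exe|net stop "RemoteAdminAgent" /y
2024-01-10T09:05:11|ws01|unknown.exe|net stop "RemoteSupportSvc" /y
2024-01-10T09:05:11|ws01|unknown.exe|sc stop MonitoringAgent
2024-01-10T09:05:12|ws01|unknown.exe|net stop "BackupService" /y
2024-01-10T09:05:13|ws01|unknown.exe|vssadmin delete shadows /all /quiet
2024-01-10T09:05:14|ws01|unknown.exe|wmic shadowcopy delete
2024-01-10T11:30:00|ws02|services.exe|net stop spooler
"""


def parse_line(line):
    """Split one pipe-delimited log line into a dict with a parsed timestamp."""
    ts, host, parent, cmd = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "parent": parent, "cmd": cmd}


def detect(log_text, burst_threshold=3, window=timedelta(seconds=60)):
    """Return alerts for shadow-copy deletion and service-stop bursts.

    A burst is `burst_threshold` or more stop commands from the same
    host/parent process inside `window`; an admin stopping one service is not.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    stops = defaultdict(list)  # (host, parent) -> [(ts, service), ...]

    for ev in events:
        if any(p.search(ev["cmd"]) for p in SHADOW_DELETE_PATTERNS):
            alerts.append({"kind": "shadow_copy_deletion", "host": ev["host"],
                           "parent": ev["parent"], "cmd": ev["cmd"]})
        m = SERVICE_STOP_PATTERN.search(ev["cmd"])
        if m:
            stops[(ev["host"], ev["parent"])].append((ev["ts"], m.group(1).strip('"')))

    for (host, parent), items in stops.items():
        items.sort()
        start = 0
        for end in range(len(items)):            # sliding time window
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= burst_threshold:
                alerts.append({"kind": "service_stop_burst", "host": host,
                               "parent": parent,
                               "services": [s for _, s in items[start:end + 1]],
                               "total_stops": len(items)})
                break                            # one alert per host/parent
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

On the constructed sample this yields two `shadow_copy_deletion` alerts and one `service_stop_burst` for `ws01` / `unknown.exe`; the lone `net stop spooler` on `ws02` is ignored. In a real deployment the same logic would sit over Sysmon event ID 1 or Windows 4688 command lines, and the parent process of the burst is the first thing an analyst would pivot on.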
Although the FBI first became aware of RagnarLocker in April 2020, the first known attacks date back to late 2019. During that time, the group and its affiliates have compromised a range of organizations, from beverage giant Campari Group to energy firm EDP and French shipping multinational CMA CGM.
The volume of CNI firms compromised by the group will be particularly concerning in light of the escalating geopolitical tensions between Russia and the US over the former’s invasion of Ukraine.
The RagnarLocker variant checks the location of the victim machine, and machines in former Soviet countries are largely spared infection, hinting at the group’s origin.