RagnarLocker Targets Critical Infrastructure, Sidestepping Security
Threat actors have pressed RagnarLocker into action to target critical infrastructure (CI)—with the FBI identifying at least 52 entities across 10 CI sectors, including manufacturing, energy and government, since January.
The agency warned in an alert that “RagnarLocker ransomware actors work as part of a ransomware family, frequently changing obfuscation techniques to avoid detection and prevention.”
RagnarLocker, which first made the FBI’s radar in April 2020, is known for encrypting files the operators are interested in by selecting the folders they will not encrypt, which “allows the computer to continue to operate normally while the malware encrypts files with known and unknown extensions containing data of value to the victim,” the FBI said.
It also “uses Windows API GetLocaleInfoW to identify the location of the infected machine,” the agency warned. “If the victim location is identified as ‘Azerbaijani,’ ‘Armenian,’ ‘Belorussian,’ ‘Kazakh,’ ‘Kyrgyz,’ ‘Moldavian,’ ‘Tajik,’ ‘Russian,’ ‘Turkmen,’ ‘Uzbek,’ ‘Ukrainian’ or ‘Georgian’ the process terminates.”
The alert lists a number of IOCs that were associated with RagnarLocker as of January 2022.
“A concern must be that this new ransomware variant can be the payload in any of the recent device exploits discovered. One must remember that the hackers are now working in a federated state—with some focused on discovering vulnerabilities, others creating payloads like RagnarLocker and others manning the command and control centers that execute payload and deliver the ransomware notices,” said Garret Grajek, CEO at YouAttest.
The FBI alert underscored that current security solutions may not be sufficient, said Sanjay Raja, vice president of product marketing and solutions at Gurucul. “As RagnarLocker is hardly new ransomware, it shows that current Endpoint, XDR and SIEM solutions are failing organizations in detecting and remediating these attacks successfully,” Raja said.
“Threat actors continue to slightly modify their techniques to evade poorly designed rule-based artificial intelligence and limited black-box machine learning models for detecting slight variations in attacks using existing malware or ransomware,” he said. “The threat actor groups using RagnarLocker, through the mechanism of selecting what not to encrypt has managed to evade detection through traditional methods. This highlights the need for a large number of automatically trained machine learning (ML) models that can detect emerging attacks and variants without having to be constantly updated.”
The FBI reiterated its recommendation not to pay ransomware because it can “embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, or fund illicit activities.” But the agency said regardless of whether an organization pays they should report any incidents.
Being proactive against ransomware attacks, including RagnarLocker and others is, of course, more prudent. “As with most problems, avoidance is better than remediation. According to the X-Force Threat Intelligence Index, the number-one initial attack vector for ransomware is to scan open networks and exploit.
“The deperimeterization of the corporate networks with the advent of cloud and SaaS applications has eroded infrastructure control for IT organizations,” said Rajiv Pimplasker, CEO at Dispersive Holdings, Inc. “As current geopolitical news events show, governments, critical infrastructure industries and enterprises alike need to assure zero-trust strategies even at the network level and traditional IPsec encryption alone is not enough to safeguard the integrity and privacy of sensitive communications.”
And Grajek advised, “The key to mitigation is a strong defense on both the devices and the identities around the access to crucial resources since a privilege escalation is usually part of the hacker’s execution plan.”
