RagnarLocker Targets Critical Infrastructure, Sidestepping Security

Threat actors have pressed RagnarLocker into action to target critical infrastructure (CI)—with the FBI identifying at least 52 entities across 10 CI sectors, including manufacturing, energy and government, since January.

The agency warned in an alert that “RagnarLocker ransomware actors work as part of a ransomware family, frequently changing obfuscation techniques to avoid detection and prevention.”

RagnarLocker, which first came to the FBI’s attention in April 2020, chooses what to encrypt by exclusion: rather than enumerating target files, the operators specify the folders the malware must leave alone. That approach “allows the computer to continue to operate normally while the malware encrypts files with known and unknown extensions containing data of value to the victim,” the FBI said.

It also “uses Windows API GetLocaleInfoW to identify the location of the infected machine,” the agency warned. “If the victim location is identified as ‘Azerbaijani,’ ‘Armenian,’ ‘Belorussian,’ ‘Kazakh,’ ‘Kyrgyz,’ ‘Moldavian,’ ‘Tajik,’ ‘Russian,’ ‘Turkmen,’ ‘Uzbek,’ ‘Ukrainian’ or ‘Georgian’ the process terminates.”
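The locale check above is a static-triage opportunity for defenders: a sample that calls GetLocaleInfoW and embeds the English language names it compares against tends to carry both as literal strings. The following is an added example written for this page, not code from the article or from the FBI alert. It implements a hypothetical heuristic (the `find_locale_kill_switch` function, its threshold and the sample blobs are all assumptions of this example) that scans a raw byte blob for the import name and for the language names the alert lists, in both ASCII and UTF-16LE form. The two blobs are constructed test data, not real RagnarLocker samples.

```python
"""Static triage for the CIS-locale kill switch described in the FBI alert.

Added example, not code from the article or the FBI alert. It scans a binary
blob for two signals that together suggest a GetLocaleInfoW-based language
check: the imported API name and the English-language names the alert lists.
The blobs at the bottom are constructed test data, not real malware samples.
"""

# Language names quoted in the FBI alert. GetLocaleInfoW queried for the
# English language name returns strings of this form, so a sample that
# compares against them usually embeds them as literals.
EXCLUDED_LANGUAGES = (
    "Azerbaijani", "Armenian", "Belorussian", "Kazakh", "Kyrgyz",
    "Moldavian", "Tajik", "Russian", "Turkmen", "Uzbek", "Ukrainian",
    "Georgian",
)

API_NAME = b"GetLocaleInfoW"


def _encodings(text):
    """Return the ASCII and UTF-16LE byte forms of a string.

    Wide-character Windows APIs compare UTF-16 strings, so the literals are
    frequently stored in that form; narrow ASCII copies also occur.
    """
    return (text.encode("ascii"), text.encode("utf-16-le"))


def find_locale_kill_switch(blob, min_languages=3):
    """Look for the locale kill-switch pattern in a raw byte blob.

    Returns a dict with:
      imports_api  - True if the GetLocaleInfoW import name is present
      languages    - sorted list of excluded-language names found
      suspicious   - True only if the API name AND at least `min_languages`
                     distinct names are present
    The threshold (an assumption of this example) keeps legitimate localised
    software that merely mentions one language name from being flagged.
    """
    imports_api = API_NAME in blob
    found = set()
    for name in EXCLUDED_LANGUAGES:
        if any(enc in blob for enc in _encodings(name)):
            found.add(name)
    return {
        "imports_api": imports_api,
        "languages": sorted(found),
        "suspicious": imports_api and len(found) >= min_languages,
    }


def _fake_import_entry():
    # Constructed stand-in for a PE import-by-name entry: 2-byte hint,
    # NUL-terminated ASCII function name.
    return b"\x00\x00" + API_NAME + b"\x00"


# Constructed sample 1: mimics a kill switch with UTF-16LE language literals.
SAMPLE_KILL_SWITCH = (
    b"MZ\x90\x00"
    + _fake_import_entry()
    + b"".join(
        name.encode("utf-16-le") + b"\x00\x00"
        for name in ("Russian", "Ukrainian", "Belorussian", "Kazakh")
    )
)

# Constructed sample 2: localised but benign. One language name, and only the
# narrow GetLocaleInfoA import, so neither signal is satisfied.
SAMPLE_BENIGN = b"MZ\x90\x00" + b"Language: Russian\x00" + b"GetLocaleInfoA\x00"


if __name__ == "__main__":
    for label, blob in (("kill-switch sample", SAMPLE_KILL_SWITCH),
                        ("benign sample", SAMPLE_BENIGN)):
        print(label, find_locale_kill_switch(blob))
```

This is a triage signal, not attribution: the same CIS-locale check appears across many ransomware families, and a packed or string-encrypted sample will hide both the import name and the literals until it is unpacked or run, which is why the heuristic is only useful on unpacked code or a memory dump.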

The alert lists a number of IOCs that were associated with RagnarLocker as of January 2022.

“A concern must be that this new ransomware variant can be the payload in any of the recent device exploits discovered. One must remember that the hackers are now working in a federated state—with some focused on discovering vulnerabilities, others creating payloads like RagnarLocker and others manning the command and control centers that execute payload and deliver the ransomware notices,” said Garret Grajek, CEO at YouAttest.

The FBI alert underscored that current security solutions may not be sufficient, said Sanjay Raja, vice president of product marketing and solutions at Gurucul. “As RagnarLocker is hardly new ransomware, it shows that current Endpoint, XDR and SIEM solutions are failing organizations in detecting and remediating these attacks successfully,” Raja said.

“Threat actors continue to slightly modify their techniques to evade poorly designed rule-based artificial intelligence and limited black-box machine learning models for detecting slight variations in attacks using existing malware or ransomware,” he said. “The threat actor groups using RagnarLocker, through the mechanism of selecting what not to encrypt has managed to evade detection through traditional methods. This highlights the need for a large number of automatically trained machine learning (ML) models that can detect emerging attacks and variants without having to be constantly updated.”

The FBI reiterated its recommendation not to pay ransoms because payment can “embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, or fund illicit activities.” But the agency said that, regardless of whether an organization pays, it should report any incident.

Being proactive against ransomware, RagnarLocker included, is, of course, more prudent. “As with most problems, avoidance is better than remediation. According to the X-Force Threat Intelligence Index, the number-one initial attack vector for ransomware is to scan open networks and exploit.

“The deperimeterization of the corporate networks with the advent of cloud and SaaS applications has eroded infrastructure control for IT organizations,” said Rajiv Pimplasker, CEO at Dispersive Holdings, Inc. “As current geopolitical news events show, governments, critical infrastructure industries and enterprises alike need to assure zero-trust strategies even at the network level and traditional IPsec encryption alone is not enough to safeguard the integrity and privacy of sensitive communications.”

And Grajek advised, “The key to mitigation is a strong defense on both the devices and the identities around the access to crucial resources since a privilege escalation is usually part of the hacker’s execution plan.”

Teri Robinson
