Executive Summary of ragnar locker ransomware
Initially discovered in April 2020, Ragnar Locker is both ransomware and a ransomware gang. The threat actor has been on the Federal Bureau of Investigation's (FBI) radar since the gang breached 52 organizations across 10 critical infrastructure sectors. The critical industries that Ragnar Locker has breached include energy, manufacturing, financial services, government, and information technology.
Ragnar Locker is known for constantly switching up their obfuscation techniques to avoid detection and prevention, as well as deterring organizations from contacting law enforcement after a breach. Let’s take a look at Ragnar Locker’s tactics and techniques, and why it’s important to remember the dangers of paying the demanded ransom.
Although Ragnar Locker was discovered by the FBI in April 2020, the group has actually been active since December 2019. Ragnar Locker is both the name of the ransomware group and the name of the ransomware. The gang works as a part of a ransomware family, which means they are associated with several ransomware variants or threat actor groups.
Ragnar Locker is known for using the double extortion tactic, which involves threat actors exfiltrating sensitive data, then triggering the encryption attack, and ultimately threatening to leak the data if the demanded ransom isn’t paid. To avoid prevention and detection, the threat actor frequently changes their obfuscation techniques.
Ragnar Locker initiates their attacks by compromising the networks of companies through RDP service – using brute force to guess passwords or using stolen credentials purchased on the dark web. After compromising their target’s network, the threat actor elevates their privileges by exploiting CVE-2017-0213 found in Windows COM Aggregate Marshaler. According to Microsoft, CVE-2017-0213 is an elevation of privilege that allows attackers to run arbitrary code with elevated privileges. To exploit the vulnerability, the attacker runs a specially crafted application.
According to Acronis, to evade detection, Ragnar Locker will sometimes deploy a VirtualBox virtual machine (VM) with a Windows XP image – this is done to run the ransomware encryption attack (a technique adopted by Maze ransomware operators). Next, the image is loaded to the VirtualBox virtual machine, which maps all local drives as read/writable into the virtual machine. As a result, the ransomware process is able to run inside the VM to encrypt files. The host files recognize the encryption as a trusted VirtualBox process, which means that many security products will be ignored.
Next, Ragnar Locker deletes shadow copies and disables antivirus countermeasures, followed by using a PowerShell script to move from one company network to another. Before the ransomware is deployed, Ragnar Locker steals files and uploads them to servers before publishing them – this is done just in case their victim refuses to pay the demanded ransom. Obfuscation techniques protect the ransomware code, and those techniques include adding junk code in addition to encryption. The locale information is checked to avoid CIS countries from being infected.
Crypto keys and obfuscated configuration strings are stored in a payload PE file, which contains a section named “.keys”. The hardcoded obfuscated strings are decrypted in runtime and the first decrypted value is a unique sample ID. Strings related to backup and antivirus solutions are terminated, including Sophos and Veeam. Ragnar Locker also terminates remote management software tools such as Kaseya and ConnectWise, allowing the threat actor to evade detection and ensuring remotely logged-in admins don’t prevent the ransomware deployment process.
Remote management software is used by managed service providers (MSPs).
Additionally, Ragnar Locker leaves a ransomware note behind which provides the address of their leak site, live chat, and Ragnar Secret, which is a ‘company_id’ encoded with Base64. Ragnar Locker’s stolen data is published to their data leak site from the victim’s corporate network before running Ragnar Locker due to the ransomware not having network communication.
Interestingly, Ragnar Locker uses a Salsa20 encryption algorithm with a custom matrix. The matrix includes generated keys (placed in rearranged order) and is 64 bytes in size, with 8 bytes defining the stream position. Removing 16 bytes from the second key, Ragnar Locker leaves the stream position values with zero bytes. The encrypted Salsa20 key data can be found in the encrypted file, with the signature _RAGNAR_ added to the footer.
In August 2021, Avertium published a Threat Intelligence Report featuring BlackMatter ransomware. Like Ragnar Locker, the threat actor used a custom Salsa20 encryption algorithm in their attack against Kaseya. The ransomware gang, DarkSide also used a custom Salsa20 encryption algorithm.
BlackMatter began making its presence known as a ransomware-as-a-service (RaaS) gang in July 2021, claiming to be a combination of the best qualities of DarkSide and REvil – two ransomware groups that are now defunct. There was also speculation that BlackMatter was a rebrand of DarkSide and REvil because BlackMatter has utilized some of DarkSide and REvil’s tactics. DarkSide was responsible for the attack on the Colonial Pipeline, while REvil was responsible for the devastating attack on Kaseya.
While there is no observed direct link between Ragnar Locker, DarkSide, and BlackMatter, it’s important to note that the three groups are using custom Salsa20 encryption algorithms. One of two things is possible – because ransomware gangs like BlackMatter were so successful in the past, more ransomware gangs are starting to use custom Salsa20 encryption algorithms, or there is an undiscovered link between Ragnar Locker, BlackMatter, and DarkSide.
In November 2021, the video game giant, Capcom was breached by Ragnar Locker. The ransomware attack affected the company’s email and file servers and encrypted 1 TB of data. Capcom is a Japanese video game developer known for several multi-million-dollar game franchises, including Street Fighter and Resident Evil.
Capcom discovered their breach on November 2, 2021, and confirmed that the attack happened due to unauthorized access by a third party. Later in the month, the company confirmed that personal and corporate information (data of former employees, shareholders, store members, and website members) was compromised as well.
In addition to Capcom, Ragnar Locker attacked the North American network of Energias de Portugal in April 2021. The gang ended up stealing 10 TB of sensitive company / customer data and insisted on a ransom demand of 1,580 Bitcoin, which is the equivalent of $11 million. Ragnar Locker was also responsible for breaching the Italian liquor company, Campari Group.
Campari Group is known for their popular liquor brands, including SKYY Vodka, Wild Turkey, and Grand Marnier. On November 1, 2020, the threat actors stole 2 TB of unencrypted files and demanded a $15 million (in Bitcoin) ransom to recover the files. The files included bank statements, contractual agreements, emails, and much more. In December 2020, Ragnar Locker attacked the aviation giant, Dassault Falcon Jet, which is a subsidiary of the French aerospace company Dassault Aviation.
In April 2022, the FBI warned Food and Agriculture (FA) sector organizations that there is an increased risk of ransomware attacks that are more likely to take place during the harvest and planting seasons. Ransomware gangs target the U.S. constantly, but the FBI was concerned about several groups and possible attacks against FA organizations during critical seasons. The groups include BlackByte, Ragnar Locker, and Avoslocker – all having breached dozens of U.S. critical infrastructure.
The FBI is particularly concerned about attacks during the harvest and planting season because the attacks could lead to operation disruptions and have a negative impact on the global food supply chain. During the fall of 2021, there were ransomware attacks against six-grain cooperatives and two attacks in early 2022. The attacks could have impacted the planting season and disrupted the supply of seeds and fertilizer.
Attacking the agriculture sector is appealing to threat actors because they know that their targets will be more willing to pay the demanded ransom due to the time-sensitive nature of agriculture production. Take a look at the ransomware attacks that disrupted the operations of agriculture in recent years according to the FBI:
These kinds of attacks could impact the entire food chain. Grain is not just consumed by humans, but by animals as well. Also, significant disruption of corn and grain production will also impact commodities trading and stocks. The International Grains Council has already forecasted that global corn production will drop by 13 million tons in 2022-2023. Critical infrastructure attacks by ransomware gangs don’t just cost organizations time and money, they could cost the world its food supply.
Image 2: Ragnar Locker's Warning
Ragnar Locker makes threats against organizations that contact the FBI and heavily encourages their victims to stay quiet. Their letter above states that contacting the FBI doesn’t make the negotiating process safe or easy. They also stated that negotiation companies often work directly with the FBI, so they discourage victims from reaching out to them as well. If victims contact either, the ransomware gang will consider it “hostile intent” and will publish their victims’ stolen data immediately. Ragnar Locker also makes it clear that if you contact law enforcement or a data recovery company and lie to them about it, they’ll know and will act accordingly.
Although Ragnar Locker makes some pretty strong and aggressive threats, the FBI discourages organizations from paying the ransom. Their warning stated that paying a ransom only encourages threat actors to target additional organizations and gives the green light for other cyber criminals to continue to distribute ransomware. Paying the ransom also helps fund the adversary’s illicit activities.
After being breached, most organizations panic and try to keep their breach under wraps by quietly negotiating a ransom payment. Sometimes, they will use a negotiation service company to help them with this feat. However, Coveware, a ransomware negotiation company, has found that ransomware gangs aren’t staying true to their word, and they are increasingly not deleting stolen data after ransoms are paid.
While it’s understood that your business operations may be disrupted or even be completely non-functioning, it’s always best to report ransomware incidents to the FBI immediately. The FBI has investigators and analysts, and they need critical information to help track the ransomware attackers, hold them accountable, and prevent future attacks. Field office contacts can be located at http://www.fbi.gov/contact-us/field-offices.
Even with anti-malware solutions installed, Ragnar Locker is a great risk to organizations. As you can see, the Ragnar Locker ransomware gang uses advanced defense-evasion techniques to bypass anti-virus software. However, Avertium has advanced services that can help keep your organization safe:
Avertium and the FBI recommend the following for mitigation against Ragnar Locker ransomware:
Avertium and the FBI recommend the following guidelines for general ransomware attacks:
Bitcoin Addresses
IP Addresses
File Hashes
Websites
Threat Actor Profile – “BlackMatter” Ransomware (avertium.com)
Analysis of Ragnar Locker Ransomware (acronis.com)
FBI Warns of Cyberattacks and Production Drop Forecast for Corn - AG INFORMATION NETWORK OF THE WEST
Ragnar Locker Gang Warns Victims Not to Call the FBI | Threatpost
CVE-2017-0213 - Security Update Guide - Microsoft - Windows COM Elevation of Privilege Vulnerability
Ransom.Ragnar | Malwarebytes Labs | Detections
Campari hit by Ragnar Locker Ransomware, $15 million demanded (bleepingcomputer.com)
Microsoft Word - PIN-20220420-001 TLP_WHITE (ic3.gov)
FBI warns of ransomware attacks targeting United States agriculture sector (bleepingcomputer.com)
Gaming Giant Capcom Hit By Ragnar Locker Ransomware: Report | Threatpost
FBI: Ransomware gang breached 52 United S critical infrastructure orgs (bleepingcomputer.com)
BlackMatter Ransomware Analysis; The Dark Side Returns (trellix.com)
FBI issues IoCs to help organizations defend against RagnarLocker ransomware (scmagazine.com)
Microsoft Word - PIN-20220420-001 TLP_WHITE (ic3.gov)
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.