The popularity of ransomware threats does not seem to be decreasing. Instead, more and sophisticated ransomware threats are being deployed. Ragnar Locker is a new data encryption malware in this style.
The actors behind Ragnar Locker partnered with the Maze ransomware gang as a means of extorting victims whose unencrypted data they had stolen. This continued cooperation between ransomware gangs is a dangerous development. The sharing of advice. Tactics and a centralized data leak platform between different ransomware operations will only enable these actors to perform more advanced attacks and demand higher ransom payments.
Ragnar Locker is ransomware that affects devices running Microsoft Windows operating systems. It was initially observed towards the end of December 2019 as part of a series of attacks against compromised networks.
In general, this malware is deployed manually after an initial compromise, network reconnaissance and pre-deployed tasks on the network. This shows that this is a more complex operation than most ransomware propagation campaigns.
Before starting the Ragnar Locker ransomware, attackers inject a module capable of collecting sensitive data from infected machines and upload it to their servers. Next, threat actors behind the malware notify the victim the files will be released to the public if the ransom is not paid.
There is a group of steps executed by Ragnar Locker operators every time an organization or infrastructure is impacted. Digging into the details, attackers first compromise networks, infrastructures, and organizations using found vulnerabilities or through social engineering such as phishing attacks, spearphishing and Business Email Compromise attacks.
During the compromise process, reconnaissance, pre-deployment tasks, and data exfiltration are performed before executing the piece of ransomware. Each malware sample is unique, with the specific ransom note hardcoded inside the malware. The affected group name, the links to the bitcoin wallet, and the links to a dark web blog are embedded inside the binary
When the ransomware starts, it enumerates running processes and stops if some of these services contain specific strings, such as:
Vss, sql, memtas, mepocs, Sophos, veeam, backup, pulseway, logme, logmein, connectwise, splashtop, Kaseya
Ransomware in this line often disables some services as a way to bypass security protections and also database and backup systems to increase the impact of the attack. Also, database and mail services are stopped so that their data can be encrypted during the infection process. One of the particularities that spotlight Ragnar Locker is that it is targeting specifically remote management software often used by managed service providers (MSPs), such as the popular ConnectWise and Kaseya software.
Ragnar Locker adds the hardcoded extension “.ragnar_*” appended to the end of the file name and “*” is replaced by a generated and unique ID. All the available files inside physical drives are encrypted and, in the end, the notepad.exe process is opened and showing the ransom note file created on the victim’s system directory
We are living in an era where ransomware continues to grow, and the number of attacks has increased especially during the COVID-19 pandemic. There is no magic solution to prevent attacks of this nature, however, there is a set of good practices that can be applied in order to minimize the impact of data encryption attack.
- The use of an antivirus is mandatory. This software should be regularly updated
- Patch updates regularly and update all the software including operating systems, network devices, applications, mobile phones and other software if applicable
- Maintain a proper backup and restore mechanism and made it mandatory
- Regularly test the recovery function of backup and restore procedures and also test the data integrity of backups
- Conduct simulated ransomware preparedness tests. This is a rule of thumb to check the response of your ecosystem against these kinds of attacks
- If you use Microsoft Office, install Microsoft Office viewers and always keep macros disabled by default
- Limit access to mapped drives whenever possible and keep file sharing disabled by default. In general, ransomware looks into shared drives and encrypts files available on the network
- Don’t enable remote services. The organizations with RDP, VPN, proxies and servers are to be provided with better IT security standards
Security awareness training should be introduced in order to improve cyber education. The download of anything from untrusted sources should be flagged in our mind as a dangerous task.
Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941