In the US, the FBI has issued an alert about the RagnarLocker ransomware group targeting at least 52 entities across 10 critical infrastructure sectors. The FBI recently released a flash alert, warning users and organizations in the US to remain vigilant about the RagnarLocker ransomware group's growing footprint. "As of January, the FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including entities in the critical manufacturing, energy, financial services, government, and information technology sectors," the alert says.
See: https://redskyalliance.org/xindustry/don-t-friend-ragnar-locker-ransomware-gang-on-facebook
The FBI, in its technical analysis, says that the ransomware group is known for frequently changing its obfuscation methods to avoid detection, and focuses on geo-targeting. To achieve this, the FBI says that operators of RagnarLocker use a Windows API GetLocaleInfoW. The API helps them identify the location of the infected machine, and if the victim's location is identified as Azerbaijani, Armenian, Belarus, Kazakhstan, Kyrgyzstan, Moldavia, Tajikistan, Russia, Turkmenistan, Uzbekistan, Ukraine or Georgia, then the process of a ransomware infection is automatically terminated.
When it comes to deployment, "RagnarLocker uses VMProtect, UPX, and custom packing algorithms and deploys within an attacker's custom Windows XP virtual machine on a target's site," the alert says. According to the FBI, RagnarLocker also uses other Windows APIs, such as CreateFileW, DeviceIoControl, GetLogicalDrives and SetVolumeMountPointA, to identify all attached hard drives. It then assigns a drive letter to those that have not been assigned a logical drive letter and makes them accessible. "These newly attached volumes are later encrypted during the final stage of the binary," the alert says.
RagnarLocker ransomware operators have been sophisticated in choosing geo-targets and in analyzing the victim's system by using several Windows APIs. "Instead of choosing which files to encrypt, RagnarLocker chooses which folders it will not encrypt. Taking this approach allows the computer to continue to operate normally while the malware encrypts files with known and unknown extensions containing data of value to the victim," the FBI says.
The FBI also shared a list of folders that are not encrypted by the malware:
- Windows
- old
- Mozilla
- Mozilla Firefox
- Tor browser
- Internet Explorer
- $Recycle.Bin
- Program Data
- Opera
- Opera Software
The RagnarLocker ransomware also does not encrypt files with extensions certain extensions; .db, .sys, .dll, .lnk, .msi, .drv, and .exe the FBI says in its alert.
Apart from the modus operandi and the technical analysis of the RagnarLocker ransomware family, the FBI, in its alert, also described other indicators of compromise for the group, such as IP addresses, Bitcoin addresses, and email addresses used by the group's operators.
Watch: https://redskyalliance.org/redshorts/encore-ragnar-locker-100720
In February 2022, security researchers from South Korea’s Kookmin University found a way to decipher Hive's encryption algorithm without using the master key. "To the best of our knowledge, this is the first successful attempt at decrypting the Hive ransomware," the researchers say in the report.[1]
Their experiment showed that more than 95% of the keys used in encryption could be recovered due to a cryptographic flaw they discovered during analysis. This led to the researchers finding a method for decrypting encrypted files without using the attacker's private key. The researchers say, was possible since they found that the Hive ransomware does not use all bytes of the master key encrypted with the public key. "Using our proposed method, more than 95% of the master key used for generating the encryption keystream was recovered. Most of the infected files could be recovered by using the recovered master key. We expect that our method will be helpful for individuals and enterprises damaged by the Hive ransomware," the researchers say.
"While it may seem like ransomware is unavoidable and being prepared to respond to an infection is important, there are preventive measures that organizations can take to reduce the risk of becoming a victim," says Tim Erlin, vice president of strategy at software company Tripwire. "Attackers have to find a way to install their preferred flavor of ransomware on your systems and shutting down common attack vectors will reduce the risk," he says.
Erlin says that attackers will take advantage of insecurely configured and vulnerable systems: "A noncritical system may provide the attacker with an initial foothold from which they can expand and move laterally."
See: https://redskyalliance.org/xindustry/emerging-ransomware-groups-replace-old-favorites
It is up to all organizations to take steps and adopt procedures to protect themselves from ransomware attacks. No government can stop these attacks except for the counties that are sponsoring or benefitting from the ransom payments.
The following is what Red Sky Alliance recommends:
- All data in transmission and at rest should be encrypted.
- Proper data backup and off-site storage policies should be adopted and followed.
- Implement 2-Factor authentication-company-wide.
- For USA readers, join and become active in your local Infragard chapter, there is no charge for membership. infragard.org
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cyber security software, services, and devices to be used by all at-home working employees and consultants.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily cyber threat notifications are directed at your domains. RedXray service is $500 a month and provides threat intelligence on ten (10) cyber threat categories including Keyloggers, with having to connect to your network.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
- Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://www.bankinfosecurity.com/ransomware-groups-target-global-critical-infrastructure-a-18678
Comments