10 March 2022 at 15:40 UTC
Updated: 11 March 2022 at 11:17 UTC
Agency issues mitigation advice to help organizations tighten network defenses
The FBI says it has identified at least 52 critical infrastructure entities infected by RagnarLocker ransomware since it arrived on the cybercrime scene nearly two years ago.
RagnarLocker threat actors and variants have impacted organizations operating in 10 sectors classified as critical infrastructure, including energy, financial services, government, information technology, and vital manufacturing operations, said the US law enforcement agency.
Via a flash alert (PDF) issued on March 7, the FBI has also shared indicators of compromise (IoCs) to supplement the guidance it previously disseminated after RagnarLocker emerged in April 2020.
The law enforcement agency noted how RagnarLocker uses the Windows API GetLocaleInfoW to identify the location of an infected machine, in order to halt potential attacks against organizations operating in Russia, Ukraine, Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Kyrgyz, Moldova, Tajikstan, Turkmenistan, Uzbekistan, and Georgia.
While the malware itself curtails attacks in countries within Russia’s sphere of influence, Tim Erlin, vice president of strategy at cybersecurity software company Tripwire, said “it’s a mistake to conflate the tool used with the actor executing that tool.
“There are certainly cases where the threat actor and the tool are closely associated, but without clear evidence, it’s an assumption.”
RagnarLocker favors the in-vogue ‘double extortion’ tactic, where in addition to the inducement of decrypting compromised data, attackers also threaten to leak sensitive information if ransom demands are not met.
The FBI noted that “instead of choosing which files to encrypt, RagnarLocker chooses which folders it will not encrypt. Taking this approach allows the computer to continue to operate ‘normally’ while the malware encrypts files with known and unknown extensions containing data of value to the victim”.
The FBI issued its usual advice that victim organizations should not pay ransoms to cybercriminals, as it funds and incentivize further attacks and does not guarantee data recovery.
The agency also urged organizations to report ransomware incidents to their local FBI field office, and bolster their defenses with the help of the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Stop Ransomware resource, MS-ISAC Joint Ransomware Guide (PDF), and Ransomware Readiness Assessment (RRA), a module within its Cyber Security Evaluation Tool (CSET).