RagnarLocker targets critical infrastructure and bypasses security


Threat actors have pressed RagnarLocker into service against critical infrastructure (CI): the FBI has identified at least 52 entities across 10 CI sectors, including manufacturing, energy and government, hit since January 2022.

The agency warned in an alert that “RagnarLocker ransomware actors operate as part of a family of ransomware, frequently changing obfuscation techniques to evade detection and prevention”.

RagnarLocker, which first made it onto the FBI’s radar in April 2020, does not pick the files it will encrypt; it picks the folders it will not encrypt and processes everything else. Leaving the operating system’s own folders alone “allows the computer to continue operating normally while the malware encrypts files with known and unknown extensions containing data of value to the victim,” the FBI said. For defenders the practical consequence is that the host does not crash or fail to boot, so the first visible symptom is often the ransom note rather than an outage.
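The folder-exclusion behaviour described above leaves a recognisable footprint in file-rename telemetry: one process performing many extension-changing renames across several data directories while never writing into the operating-system folders it is deliberately sparing. The following is an added example, not code from the FBI alert, from this article or from any RagnarLocker sample, of a toy behavioural check for that pattern. The event format, the system-folder list, the process name `enc.exe`, the `.locked` suffix and the thresholds are all assumptions made for illustration.

```python
"""
Added example, not code from the FBI alert, SC Media or any RagnarLocker sample.

Toy detector for the "skip the OS folders, encrypt everything else" pattern:
flag a process that performs many extension-changing renames spread across
several directories while never touching a system folder. Event format,
folder list, process names, file suffix and thresholds are assumptions.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumed list of OS folders a "keep the machine bootable" encryptor avoids.
# Illustrative only; it is not the list any particular ransomware uses.
SYSTEM_FOLDERS = {
    "windows", "windows.old", "program files", "program files (x86)",
    "programdata", "$recycle.bin",
}

# Constructed rename telemetry: (process, old_path, new_path).
# "enc.exe" and the ".locked" suffix are hypothetical.
SAMPLE_EVENTS = [
    ("enc.exe", r"C:\Users\alice\Documents\budget.xlsx", r"C:\Users\alice\Documents\budget.xlsx.locked"),
    ("enc.exe", r"C:\Users\alice\Documents\notes.docx", r"C:\Users\alice\Documents\notes.docx.locked"),
    ("enc.exe", r"C:\Users\alice\Desktop\plan.pptx", r"C:\Users\alice\Desktop\plan.pptx.locked"),
    ("enc.exe", r"C:\Users\alice\Pictures\site.jpg", r"C:\Users\alice\Pictures\site.jpg.locked"),
    ("enc.exe", r"D:\Shares\Finance\ledger.db", r"D:\Shares\Finance\ledger.db.locked"),
    ("enc.exe", r"D:\Shares\Finance\2021.csv", r"D:\Shares\Finance\2021.csv.locked"),
    # Benign noise: a user renaming one file, an installer working in C:\Windows.
    ("explorer.exe", r"C:\Users\alice\Desktop\draft.txt", r"C:\Users\alice\Desktop\report.txt"),
    ("msiexec.exe", r"C:\Windows\Installer\1a2b.tmp", r"C:\Windows\Installer\1a2b.msi"),
]


def in_system_folder(path: PureWindowsPath) -> bool:
    """True if the first component under the drive letter is an OS folder."""
    parts = path.parts[1:]  # drop the drive, e.g. 'C:\\'
    return bool(parts) and parts[0].lower() in SYSTEM_FOLDERS


def flag_encryption_bursts(events, min_renames=5, min_dirs=3):
    """Return {process: summary} for processes whose renames look like bulk encryption.

    A process is flagged when it performs at least `min_renames` renames that
    change the file extension, spread over at least `min_dirs` directories,
    and none of those renames lands in a system folder.
    """
    stats = defaultdict(lambda: {"ext_renames": 0, "dirs": set(), "touched_system": False})
    for proc, old, new in events:
        old_p, new_p = PureWindowsPath(old), PureWindowsPath(new)
        s = stats[proc]
        if old_p.suffix.lower() != new_p.suffix.lower():
            s["ext_renames"] += 1
        s["dirs"].add(str(new_p.parent).lower())
        if in_system_folder(new_p):
            s["touched_system"] = True

    flagged = {}
    for proc, s in stats.items():
        if (s["ext_renames"] >= min_renames
                and len(s["dirs"]) >= min_dirs
                and not s["touched_system"]):
            flagged[proc] = {
                "ext_renames": s["ext_renames"],
                "dir_count": len(s["dirs"]),
                "touched_system": s["touched_system"],
            }
    return flagged


if __name__ == "__main__":
    for proc, summary in flag_encryption_bursts(SAMPLE_EVENTS).items():
        print(f"suspicious bulk-encryption pattern: {proc} {summary}")
```

On the constructed events only `enc.exe` is flagged: six extension-changing renames over four directories, none under a system folder. The user rename and the installer fall below the thresholds or touch `C:\Windows`. A real EDR rule would add a time window and a rate, because a slow encryptor spread over hours defeats a plain count, and would treat the system-folder check as corroboration rather than a requirement, since a variant could just as easily choose to touch those folders.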

It “also uses the Windows GetLocaleInfoW API to identify the location of the infected machine,” the agency warned. “If the location of the victim is identified as ‘Azerbaijani’, ‘Armenian’, ‘Belarusian’, ‘Kazakh’, ‘Kyrgyz’, ‘Moldovan’, ‘Tajik’, ‘Russian’, ‘Turkmen’, ‘Uzbek’, ‘Ukrainian’ or ‘Georgian’, the process ends.”

The alert lists a number of IOCs associated with RagnarLocker as of January 2022.

“A concern should be that this new ransomware variant may be the payload of one of the recently discovered device exploits. […] others creating payloads like RagnarLocker, and others managing the command-and-control centers that run the payload and deliver the ransom notes,” said Garret Grajek, CEO of YouAttest.

The FBI alert highlighted that current security solutions may not be sufficient, said Sanjay Raja, vice president of product marketing and solutions at Gurucul. “As RagnarLocker is not new ransomware, it shows that current endpoint, XDR and SIEM solutions do not allow organizations to successfully detect and remediate these attacks,” Raja said.

“Threat actors continue to tweak their techniques slightly to evade poorly designed rules-based artificial intelligence and limited machine learning models intended to detect slight variations in attacks using existing malware or ransomware,” he said. “Malicious actor groups using RagnarLocker, thanks to the mechanism of selecting what not to encrypt, have managed to evade detection by traditional methods. This highlights the need for a large number of self-trained machine learning models that can detect emerging attacks and variants without having to be constantly updated.”

The FBI reiterated its recommendation not to pay ransoms, because paying can “embolden adversaries to target other organizations, encourage other criminal actors to engage in ransomware distribution, or fund illicit activities.” But the agency said that whether or not an organization pays, it should report any incident.

Being proactive against ransomware attacks, including RagnarLocker and others, is of course more prudent. “As with most problems, it is better to avoid than to remedy. According to the X-Force Threat Intelligence Index, the number one initial attack vector for ransomware is scanning open networks and exploiting them.”

“The de-perimeterization of enterprise networks with the advent of cloud and SaaS applications has eroded infrastructure control for IT organizations,” said Rajiv Pimplasker, CEO of Dispersive Holdings, Inc. “As geopolitical events show, governments, critical infrastructure industries and enterprises also need to ensure zero-trust policies, even at the network level, and traditional IPsec encryption alone is not enough to protect the integrity and confidentiality of sensitive communications.”

And Grajek advised, “The key to mitigation is a strong defense on both devices and identities around access to crucial resources, as privilege escalation is usually part of the attacker’s execution plan.”
