Uprising Ragnar Locker Ransomware
Ragnar ransomware was touted to be one of the toughest groups to tackle since it follows new techniques to evade detection and uses clever means to encrypt systems. The US FBI’s alert released just yesterday says the same. The flash alert MU-000140-MW notes how this malicious gang attacks any company, spread laterally and encrypts systems.
FBI’s alert also mentioned an unnamed victim of Ragnar group, who was said to be demanded about $11 million in terms of Bitcoins by threatening to leak 10TB of stolen data. While it goes unnamed, it’s clearly pointing to the EDP energy company that has been a victim of Ragnar ransomware back in April. It’s said to be actively targeting companies in the fields of cloud service, communication, construction, travel, and enterprise software companies. The threat actors manually deploy their ransomware payloads after gaining access to the targeted system. This lets them search the backups, networks connected to the compromised system. Further, it will be switching the dumping payload methods to evade detection and kill those services run by managed service providers – all to gain remote access to the target system. After compromising, its malware adds the “RGNR_” extension everywhere. Also, it’s able to drop customized ransomware notes and features an RSA-2048 encryption key. Finally, it has made its own data leak portal in the dark web, which lists out all the victims, and threatens to leak their data if they don’t pay. The alert contains all Indicators of Compromise to detect and measures to safeguard against the Ragnar Locker ransomware.