FBI Releases Updated Indicators of Compromise for RagnarLocker Ransomware

Description

FortiGuard Labs is aware that the U.S. Federal Bureau of Investigation (FBI) released updated indicators of compromise (IOCs) for RagnarLocker (Ragnar_Locker) ransomware on March 8th, 2022. The report states "As of January 2022, the FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including entities in the critical manufacturing, energy, financial services, government, and information technology sectors."

The first sighting of the ransomware goes back to at least February 2020. RagnarLocker ransomware employs triple extortion tactics: it demands a ransom after encrypting files, threatens to publicize stolen data, and demands payment to stop a DDoS (Distributed Denial of Service) attack against the victim.


Why is this Significant?

This is significant because the FBI is aware that more than 50 organizations across 10 critical infrastructure sectors were affected by RagnarLocker ransomware. The fact that the FBI has made additional IOCs available to the public suggests that RagnarLocker will continue to be active and will likely produce more victims.


What is RagnarLocker Ransomware?

The first report of RagnarLocker (Ragnar_Locker) ransomware dates back to as early as February 2020.

Just like any other ransomware, RagnarLocker encrypts files on the compromised machine and steals valuable data. It also deletes all Volume Shadow Copies, which prevents recovery of the encrypted files. Although there are some exceptions, files encrypted by RagnarLocker ransomware generally have a file extension that starts with .ragnar_ or ragn@r_ followed by random characters.
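An added triage example (not FortiGuard's or the FBI's code) that flags file paths whose final extension matches the pattern described above and groups the hits by directory. It assumes the second marker, written ragn@r_ on this page, is also a dot-prefixed extension; the function names and sample paths are constructed for illustration.

```python
import os
import re
from collections import Counter

# Assumption: both markers are read as the start of the final extension,
# with at least one trailing character ("followed by random characters").
RAGNAR_EXT = re.compile(r"\.(?:ragnar_|ragn@r_)[^.\\/]+$", re.IGNORECASE)

def matched_extension(path):
    """Return the matching extension (lower-cased) or None."""
    m = RAGNAR_EXT.search(path)
    return m.group(0).lower() if m else None

def triage(paths):
    """Group hits by parent directory so the affected shares stand out."""
    hits, per_dir = [], Counter()
    for p in paths:
        if matched_extension(p):
            hits.append(p)
            cut = max(p.rfind("\\"), p.rfind("/"))
            per_dir[(p[:cut] or "/") if cut >= 0 else "."] += 1
    return hits, per_dir

def scan_tree(root):
    """Walk a mounted volume or backup copy and triage every file path."""
    return triage(os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs)

# Constructed sample listing (not taken from any real incident).
SAMPLE_PATHS = [
    r"D:\Finance\2021\ledger.xlsx.ragnar_44A1C9F0",
    r"D:\Finance\2021\payroll.db.RAGN@R_44a1c9f0",
    r"D:\Finance\ragnar_notes.txt",             # name prefix only: no hit
    r"D:\Shares\old.ragnar_backup\readme.txt",  # directory name only: no hit
    r"D:\Shares\empty.ragnar_",                 # no trailing characters: no hit
    "/srv/export/vm01.vmdk.ragnar_9BD2",
]

if __name__ == "__main__":
    hits, per_dir = triage(SAMPLE_PATHS)
    for directory, count in per_dir.most_common():
        print(f"{count:4d}  {directory}")
```

Because the extension pattern has exceptions, an empty result does not rule out encryption by this family; treat hits as a scoping aid alongside the AV detections listed below.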


On top of the usual ransom demand to decrypt the files it encrypted, the ransomware threatens to publicize the data it stole from the victim if the ransom demand is not met. The RagnarLocker threat actors also add pressure on the victim to pay the ransom by performing a DDoS (Distributed Denial of Service) attack against the victim.


One notable thing about this ransomware is that it has code to check the location of the computer before the encryption process starts. If the computer is located in Russia, Azerbaijan, Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Turkmenistan, Uzbekistan, or Ukraine, the ransomware terminates itself.


What are the Mitigations for RagnarLocker Ransomware?


The following are the mitigations recommended by the FBI:


  • Back-up critical data offline.
  • Ensure copies of critical data are in the cloud or on an external hard drive or storage device. This information should not be accessible from the compromised network.
  • Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the data resides.
  • Use multi-factor authentication with strong passwords, including for remote access services.
  • Keep computers, devices, and applications patched and up-to-date.
  • Monitor cyber threat reporting regarding the publication of compromised VPN login credentials and change passwords and settings.
  • Consider adding an email banner to emails received from outside your organization.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Implement network segmentation.


What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against RagnarLocker ransomware:

  • Linux/Filecoder_RagnarLocker.A!tr
  • W32/RagnarLocker.43B7!tr.ransom
  • W32/Filecoder_RagnarLocker.A!tr
  • W32/RagnarLocker.A!tr.ransom
  • W32/RagnarLocker.C!tr
  • W32/RagnarLocker.B!tr.ransom
  • W32/RagnarLocker.4C9D!tr.ransom
  • W32/Filecoder_RagnarLocker.A!tr.ransom
  • W32/RagnarLocker.C!tr.ransom
  • W32/Filecoder_RagnarLocker.C!tr
  • W32/Filecoder.94BA!tr.ransom
  • W32/Filecoder.OAH!tr.ransom


All network IOCs are blocked by the WebFiltering client.