Know Thy Enemy: Why RagnarLocker Remains a Significant Threat to Critical Infrastructure

RagnarLocker ransomware gang has found its footing as one of the cybercriminal outfits that are ruthlessly going after critical infrastructure.

September 28, 2022

2022 has been a year of major geopolitical upheaval, driven by Russia's war in Ukraine and the stand-off between NATO and Russia. During this time, cyberattacks against critical infrastructure have emerged as a new dimension alongside conventional warfare. Going by a recent report, the RagnarLocker ransomware gang has established itself as one of the cybercriminal outfits ruthlessly going after critical infrastructure.

Cybersecurity experts have not been able to link RagnarLocker to the Russian state, unlike several other groups. What is peculiar, however, is that the two-and-a-half-year-old ransomware gang avoids targeting countries in the Commonwealth of Independent States (CIS), the grouping of former Soviet republics.

The RagnarLocker ransomware syndicate was discovered in April 2020, though it has been active since December 2019, according to Cybereason. It kept a low profile until 2021, when it targeted dozens of organizations engaged in critical economic activities.

As of January 2022, the RagnarLocker gang had targeted 52 entities across 10 critical infrastructure sectors, including manufacturing, energy, financial services, government, and information technology, according to an FBI and CISA advisory dated March 2022.

RagnarLocker first broke into the list of the top ten most active ransomware gangs in June 2022. Its rise has been less dramatic than that of the Hive ransomware, but a recent report from Cybereason indicates that the worst is yet to come from RagnarLocker, the ninth most active ransomware family as of August 2022.

RagnarLocker: the worst is yet to come

Following RagnarLocker’s attack on Greek gas operator DESFA in August 2022 that led to the theft of 361 gigabytes of data, Cybereason concluded that RagnarLocker would continue to orchestrate attacks against critical infrastructure organizations.

“RagnarLocker is likely directing affiliates towards low hanging fruit targets and high profile critical national infrastructure in the U.S. with weak security controls,” said Drew Perry, CEO of Tiberium, a London-based managed security services provider.

Chris Clements, vice president of solutions architecture at Cerberus Sentinel, drew a similar conclusion. He told Spiceworks, “It’s important to recognize that the majority of cyberattack victims are simply targets of opportunity – that is, they were picked because they were easy to compromise rather than any other reasons.”

The release of Cybereason's assessment of RagnarLocker coincided with the group's attack on another critical infrastructure giant, Portuguese state-owned carrier TAP Air Portugal. The airline said it had repelled the ransomware attack, though expecting every organization to fend off intrusion attempts by RagnarLocker or any other cybercriminal group would be wishful thinking.

“It’s tough to predict if targeting the energy industry will continue to be an area of focus for the group. Motivations for targeting critical infrastructure can vary. Geopolitics plays into them being compelling targets for intelligence services to infiltrate but disrupting operations with ransomware while masquerading as a cybercriminal gang can also be useful and make attribution of the attack’s true origin more difficult,” added Clements.

Western and central Europe is on the brink of an energy security crisis as power costs mount. The situation is further exacerbated by the onset of winter, a time when European countries need to replenish gas storage to the brim to ensure heating in the coldest months.

As of September 24, 2022, EU gas storage was just over 87% full, but the bloc still needs to either reach 95% to last through the entire winter with a reserve for next spring and summer, or cut its gas use by 15%, according to Independent Commodity Intelligence Services (ICIS) data.

With the Russian faucet closed off, the EU is trying to meet its energy needs from alternative sources. For instance, Greece's DESFA, which until this year relied on Russian gas for 40% of its demand, has halved its Russian gas imports and is increasingly buying gas from the U.S., Algeria, Nigeria, Egypt, Oman, and Indonesia.

Researchers have not yet been able to link the August RagnarLocker ransomware attack on DESFA to these geopolitical developments. “Access brokers will sell access to the highest bidder and if RagnarLocker are funded by Russian political forces who are running information campaigns against the West, any opportunity for a high-profile breach will be embraced,” Perry added.

“More attacks will follow against energy sector targets if weaknesses are found, it is as simple as that.”


Why has RagnarLocker upped the ante in the past year?

“Since January 2022, there has been a noticeable increase in posts on their leak site. This is likely due to geopolitical alignment and the targeting direction from Russia. The timing also aligns to when Russia launched wiper attacks against Ukraine (Foxblade) in the lead up to the full invasion,” Perry said.

He added that RagnarLocker’s recent attacks aren’t financially motivated. “Affiliates would have been incentivized to increase attacks against high profile western targets. Critical national infrastructure and energy companies are less likely to pay a ransom, money is not the objective, information, and optics to demonstrate western weakness is the main goal.”

“There has not been a massive number of transactions, hence their motives are not money driven and are involved in information warfare instead,” Perry said after sharing and analyzing the known Bitcoin addresses of RagnarLocker.

According to Clements, “Several factors play into the ebb and flow of cybercrime gangs’ activities. Different groups can disband/rebrand and members can come and go.” This became apparent when the Conti ransomware gang had to shut shop for optics in the aftermath of the Conti Leaks. Several Conti members have since joined other cybercriminal syndicates.

“It’s also true that some are supported or actively funded by heavily sanctioned nation-states looking to generate income through non-traditional means,” Clements said. For instance, North Korea is behind several malicious campaigns that seek to extract cryptocurrency and other financial gains.

Besides carrying out several cryptocurrency heists this year (including the biggest ever by the nation-state group Lazarus), North Korean cybercriminal entities carry out ransomware operations and were recently found to be busy exploiting the Log4j vulnerabilities to victimize U.S. energy companies.

The security veteran of over two decades added that the best time for groups such as RagnarLocker to strike is before their targets have familiarized themselves with the group's tactics, techniques, and procedures (TTPs).

“Regardless of the motivations, once a group finds methods that prove effective in reliably compromising victims, it makes sense to spread their attacks as widely and quickly as possible to maximize returns before industries and cybersecurity vendors adapt to combat their playbook.”

“Organizations in the same industry can have similar operations and technology environments that threat actors can become practiced at specifically targeting, making their attacks more effective. If the same network infrastructure, operating systems, and applications are in use in different organizations, it vastly shortcuts the reconnaissance time it takes for cybercriminals to get their bearings after gaining initial footholds into the victim’s environment.”

Clements also highlighted the high prevalence of supply chain attacks that could play a part in cyberattacks.


RagnarLocker’s tactics, techniques, and procedures (TTPs)

RagnarLocker members and affiliates use multiple tools to infiltrate networks, compromise hosts, deploy malware, and encrypt data. The ransomware generally targets Windows systems, but it can also target Linux machines.

The group’s initial access vector varies; the most common is compromising exposed Remote Desktop Protocol (RDP) services, either by brute-forcing passwords or by using stolen credentials purchased on dark web markets.

“Initial access vectors are still targeted via phishing campaigns, accessed via weak exposed management ports with stolen credentials, and straight up exploitation of external facing vulnerabilities,” Perry told Spiceworks. “The following MITRE techniques are used by Ragnarlocker:

  • T1027.002 (Software Packing)
  • T1614 (System Location Discovery)
  • T1082 (System Information Discovery)
  • T1021 (Remote Services)
  • T1486 (Data Encrypted for Impact)”

Based on the FBI advisory, Clements noted RagnarLocker also relies on unpatched Confluence collaboration servers, password guessing, and credential reuse attacks against VPN devices.

A key aspect of the RagnarLocker playbook is to first check whether the target system is located in any of twelve countries that are, or were, part of the Commonwealth of Independent States: Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Russia, Turkmenistan, Uzbekistan, Ukraine, and Georgia. If it is, the malware terminates without encrypting anything.

“To make it clear that gangs align to Russia, RagnarLocker terminates itself if the location of the target machine is located within their blocklisted countries by using the Windows API ‘GetLocaleInfoW’,” Perry added. Targets span North America, Europe, and Asia, with the first two the group's favorites.

[Figure: RagnarLocker attack chain | Source: Cybereason]

Once in, the attackers collect details of target systems such as computer name, user name, machine GUID, and Windows version. “RagnarLocker first checks for current infections to prevent other threat actors from encrypting their target.”

The malware also checks whether security products, virtualization software, IT remote management tools, or backup solutions are installed on the target system.

RagnarLocker members/affiliates then elevate their privileges by exploiting CVE-2017-0213, a privilege-escalation flaw in the Windows COM Aggregate Marshaler, using a custom-built application.

The group is also known to deploy a VirtualBox virtual machine (VM) running a Windows XP image, with the host's drives exposed to the guest with read and write access, so that the encryptor runs inside the VM rather than as a host process that security tools inspect. “RagnarLocker uses VMProtect, UPX, and custom packing algorithms to thwart detection and terminates services commonly used by managed service providers to remotely administer networks,” Perry continued.

Clements explained that “RagnarLocker frequently changes obfuscation techniques to avoid detection and prevention. There have been examples of them downloading entire virtual machines to compromised computers to land and expand once initial access has been established.”

The strain’s evasion techniques also include searching for and terminating services and processes whose names contain the following strings: vss, sql, backup (backup services); memtas, mepocs (messaging); sophos, veeam (security); pulseway, logme, logmein, connectwise, splashtop, kaseya (remote management); vmcompute, Hyper-v, vmms (host server and VM integration).

Before encrypting data with the Salsa20 stream cipher, RagnarLocker deletes Volume Shadow Copies, the point-in-time snapshots Windows uses to let users restore earlier versions of files, so that victims cannot recover encrypted files from them.
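The two pre-encryption steps just described, kill-list service termination and shadow-copy deletion, are both visible in ordinary process-creation telemetry on the host, even in the VM-based variant, because the service stops and the shadow-copy deletion run on the host before the guest starts encrypting. The following detection logic is an added example (it is not code from the article, Cybereason, Fortinet or the FBI advisory): it parses constructed Sysmon-style process-creation records, flags service stops whose target name contains one of the strings from the list above, flags shadow-copy deletion commands, and escalates a host where both occur within a short window. The command patterns are the generic vssadmin/wmic/PowerShell forms ransomware families use and are an assumption, not a RagnarLocker-specific signature; the log format and sample records are likewise constructed for this example.

```python
"""Detection example for RagnarLocker-style pre-encryption activity (added
example, not the article's or any vendor's code).

Rules:
  kill_list_service_stop  - net/sc/taskkill/Stop-Service aimed at a name that
                            contains one of the strings from the article's list
  shadow_copy_deletion    - vssadmin / wmic / Win32_ShadowCopy deletion commands
A host showing shadow deletion plus >= min_kills kill-list stops inside
window_seconds is escalated. Log lines are constructed Sysmon Event ID 1
fields flattened to one line each; they are not from a real incident."""

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Substrings from the article's list of services/processes RagnarLocker kills.
KILL_LIST = ("vss", "sql", "backup", "memtas", "mepocs", "sophos", "veeam",
             "pulseway", "logme", "logmein", "connectwise", "splashtop",
             "kaseya", "vmcompute", "hyper-v", "vmms")

# Command-line forms of Volume Shadow Copy deletion (assumed generic patterns).
SHADOW_DELETE = [
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*(?:remove-wmiobject|\.delete\(\))", re.I),
]

# Service-stop / process-kill commands; the 'name' group is what was targeted.
SERVICE_STOP = [
    re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+\"?(?P<name>[^\s\"]+)", re.I),
    re.compile(r"\bsc(?:\.exe)?\s+stop\s+\"?(?P<name>[^\s\"]+)", re.I),
    re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+\"?(?P<name>[^\s\"]+)", re.I),
    re.compile(r"\bstop-service\s+(?:-name\s+)?\"?(?P<name>[^\s\"]+)", re.I),
]

# Constructed one-line record format: ts host= user= image= cmdline="..."
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'image=(?P<image>.+?)\s+cmdline="(?P<cmdline>.*)"$'
)


@dataclass
class Finding:
    ts: datetime
    host: str
    rule: str
    detail: str


def matched_terms(name: str) -> list:
    """Kill-list substrings found in a service/process name (case-insensitive)."""
    lowered = name.lower()
    return [t for t in KILL_LIST if t in lowered]


def detect(line: str) -> list:
    """Run both rules over one process-creation record."""
    m = LINE_RE.match(line)
    if not m:
        return []  # unparseable record; in production count these rather than drop silently
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    host, cmd = m["host"], m["cmdline"]
    out = []
    if any(p.search(cmd) for p in SHADOW_DELETE):
        out.append(Finding(ts, host, "shadow_copy_deletion", cmd))
    for p in SERVICE_STOP:
        sm = p.search(cmd)
        if sm:
            terms = matched_terms(sm["name"])
            if terms:  # a stop of an unrelated service (e.g. Spooler) is not a finding
                out.append(Finding(ts, host, "kill_list_service_stop",
                                   f"{sm['name']} matches {terms}"))
            break
    return out


def analyze(lines, window_seconds: int = 600, min_kills: int = 2):
    """Return (all findings, sorted hosts to escalate)."""
    findings = [f for line in lines for f in detect(line)]
    by_host = defaultdict(list)
    for f in findings:
        by_host[f.host].append(f)
    escalated = []
    for host, fs in by_host.items():
        kills = [f for f in fs if f.rule == "kill_list_service_stop"]
        for s in (f for f in fs if f.rule == "shadow_copy_deletion"):
            near = [k for k in kills
                    if abs((k.ts - s.ts).total_seconds()) <= window_seconds]
            if len(near) >= min_kills:
                escalated.append(host)
                break
    return findings, sorted(escalated)


# Constructed sample telemetry (not real data). FS01 shows the sequence from the
# article; WS22 shows isolated events that must not be escalated.
SAMPLE_LOG = r"""
2022-08-15T02:58:01Z host=FS01 user=CORP\backupadm image=C:\Program Files\Veeam\Backup\VeeamAgent.exe cmdline="VeeamAgent.exe --job nightly"
2022-08-15T03:10:02Z host=FS01 user=CORP\svc_admin image=C:\Windows\System32\net.exe cmdline="net stop VeeamBackupSvc /y"
2022-08-15T03:10:05Z host=FS01 user=CORP\svc_admin image=C:\Windows\System32\sc.exe cmdline="sc stop SophosHealth"
2022-08-15T03:10:09Z host=FS01 user=CORP\svc_admin image=C:\Windows\System32\taskkill.exe cmdline="taskkill /F /IM sqlservr.exe"
2022-08-15T03:10:15Z host=FS01 user=CORP\svc_admin image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -c Stop-Service -Name PulsewayService -Force"
2022-08-15T03:12:44Z host=FS01 user=CORP\svc_admin image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"
2022-08-15T03:05:00Z host=WS22 user=CORP\jdoe image=C:\Windows\System32\net.exe cmdline="net stop Spooler"
2022-08-15T03:30:00Z host=WS22 user=CORP\jdoe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -nop -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
""".strip().splitlines()

if __name__ == "__main__":
    all_findings, hosts = analyze(SAMPLE_LOG)
    for f in all_findings:
        print(f"{f.ts:%H:%M:%S} {f.host:<5} {f.rule:<24} {f.detail}")
    print("escalate:", hosts)
```

On the sample, FS01 is escalated (four kill-list stops followed by a vssadmin shadow deletion inside three minutes) while WS22 is not, even though it shows a lone shadow-copy deletion. The kill list is matched as substrings, exactly as the malware does it, so "vss" also matches the Volume Shadow Copy service itself; a single stop of a backup agent by a legitimate administrator will produce a low-severity finding, which is why the escalation requires the combination rather than either event alone.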

The malware is also designed to exfiltrate data so that its operators can apply additional pressure on the victim through double extortion. After successful encryption and exfiltration, the strain drops the following ransom note, filled in with the details it collected:

[Figure: RagnarLocker ransom note | Source: Cybereason]

RagnarLocker’s post-attack activities

The RagnarLocker ransomware gang operates a leak site on the anonymous network Tor, whose address is mentioned in its ransom note to the victim. The group also has an avenue for live chat, which becomes inoperative once negotiations break down or are complete.

The group threatens to publish the entire stolen dataset on the leak site if the victim does not pay, or even if the victim contacts law enforcement or a ransomware negotiation firm. The ransom is usually demanded in bitcoin, and a wallet address is provided only after the victim asks for it.

The group assures victims that it will delete compromised data, backdoors, etc., and promises not to victimize them again upon successful ransom fulfillment.

[Figure: RagnarLocker payment assurances | Source: Fortinet]

Paradoxically, RagnarLocker describes itself as a team of bug bounty researchers. “We are interesting in finding weaknesses and vulnerabilities in networks and we are good at this, we can help to improve the security measures, that’s why we give a chance to make a deal and providing list of recommendations and penetrations reports,” the group wrote in its ‘About Us’ page.

“Companies under attack by RagnarLocker can count it as a bug hunting reward, we are just illustrating what can happens. But don’t forget there are a lot of people on the internet who don’t want money – someone might want only to crash and destroy. So better pay to us and we will help you to avoid such issues in future.”

“Ragnar Team don’t pursuit aim to make huge damage to anyone’s business or someone personally, but if it would be necessary, no doubt we will do what we promise and the consequences will be disastrous, so no jokes here.”


What makes RagnarLocker different from other ransomware strains?

For one, RagnarLocker isn’t known for ransomware-as-a-service (RaaS) operations.

Two, Perry opined that RagnarLocker takes extra care not to cross paths with peers. “Selective targeting to ensure they do not step on the toes of other gangs and hurt Russian allies,” Perry concluded.

Three, its use of virtual machines. “Downloading a virtual machine with an entire custom version of Windows XP to run malware a few kilobytes in size is kind of like squashing a bug with a sledgehammer, but I’m sure it’s been successful for them more than once,” Clements said.

Four, RagnarLocker checks the system's country before doing anything else. The check itself is not unique to RagnarLocker, though the specific list of countries it excludes certainly is.

Nonetheless, according to Clements, “It’s not extremely different.”



Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis
