
Ragnar Locker Taken Down by FBI and Other Police Organizations


The Ragnar Locker ransomware gang's data leak sites have been taken down as a result of an international law enforcement operation by the U.S. Federal Bureau of Investigation, the European Union Agency for Law Enforcement Cooperation, and numerous national police forces.

Prior to the disruption, Ragnar Locker had 100 firms from 27 different industries listed on its data breach site.

The takedown of Ragnar Locker's leak site follows a string of other recent law enforcement actions: sanctions against TrickBot members, the disruption of the Hive ransomware operation, the takedown of the Russian CyclopsBlink botnet, and the disruption of Chinese attacks on Microsoft Exchange servers.

According to Bleeping Computer, visits to Ragnar Locker's primary dark web leak site now display a message stating, "this service has been seized as part of a coordinated international law enforcement action against the Ragnar Locker group."

A Europol spokesperson confirmed that the seizure is legitimate and part of an ongoing operation targeting the gang, and that further details will be released shortly. The FBI, however, has declined to comment.

Ragnar Locker

Ragnar Locker is a prolific double-extortion (sometimes called "double-tap") ransomware gang: it both encrypts files and steals data, then demands a ransom payment in exchange for a decryption key and a promise not to release the stolen material. Over the years the gang has pressured victims in a variety of ways, including, in the past, buying Facebook Inc. advertisements to push victims into paying.

Some of the victims of Ragnar Locker include Italian drinks maker Davide Campari-Milano S.p.A, French shipping giant CMA CGM S.A. and Japanese video game developer Capcom Co. Ltd.

Adam Meyers, head of Counter Adversary Operations at CrowdStrike Holdings Inc., notes that law enforcement agencies from the European Union, the US and Japan are expected to formally announce the seizure of Ragnar Locker's dedicated leak site on Friday.

“VIKING SPIDER is one of the first Big Game Hunting ransomware adversaries to leverage the threat of publication of stolen data to a dedicated leak site to pressure victims[…]In its period of activity, VIKING SPIDER posted over a hundred victims from 27 sectors to their DLS,” Meyers explained. “CrowdStrike Intelligence assesses that this operation will likely severely impact VIKING SPIDER operations in the medium term. This assessment is made with moderate confidence given the effectiveness of other similar operations.”

Even though "on the surface this feels like a win, ultimately it may be no more than an inconvenience for the Ragnar group if they are able to quickly set up other servers to replace these," said Erich Kron, security awareness advocate at security awareness training company KnowBe4 Inc. Kron cautioned that shutting down the sites can create problems for businesses that have already been hit by a Ragnar Locker ransomware attack and now have no way to negotiate with the criminals.

“Unless the websites that were seized contain information or decryption keys for these people, it could significantly delay their ability to recover[…]In the cases where encryption didn’t occur but the data was stolen, there’s a good chance that that data still resides with people that make up the group,” he further added. 

Group Behind Ragnar Locker Ransomware Dismantled

International law enforcement organizations have effectively dismantled the renowned Ragnar Locker ransomware gang, marking a huge win against cybercrime. This operation shows the value of international cooperation in the fight against digital criminal businesses and represents a turning point in the ongoing war against cyber threats.

The Ragnar Locker gang had been a formidable force in the realm of cyber extortion, targeting businesses worldwide with their sophisticated ransomware attacks. Their modus operandi involved encrypting sensitive data and demanding hefty ransoms for its release, often crippling the operations of affected organizations. 

The takedown operation was a joint effort between various agencies, including the European Union Agency for Law Enforcement Cooperation (Europol), the Federal Bureau of Investigation (FBI), and the UK's National Crime Agency (NCA). It was a testament to the power of international cooperation in combating cybercrime.

Europol, in a statement, emphasized the significance of this operation, stating, "The arrest of the alleged leader and the seizure of the infrastructure used by the group to conduct its malicious activities is a clear signal that Europol and its partners are actively targeting ransomware groups, their infrastructure, and the financial proceeds they extract from their victims."

One of the key achievements of this operation was the seizure of the Ragnar Locker gang's dark web portal, where they conducted their extortion activities. This move has disrupted their ability to continue their illegal operations and sends a powerful message to other cybercriminals.

The impact of this takedown is expected to be far-reaching. With the dismantling of Ragnar Locker's infrastructure, countless potential victims have been spared from falling prey to their malicious activities. This operation serves as a stark reminder to cybercriminals that the global community is united in its determination to combat cyber threats.

However, it is crucial to remain vigilant in the face of evolving cyber threats. As the digital landscape continues to evolve, criminals may adapt their tactics. Organizations and individuals alike must prioritize cybersecurity measures, including robust antivirus software, regular backups, and employee training to recognize and respond to potential threats.

An important step forward in the battle against cybercrime was made with the successful operation against the Ragnar Locker ransomware organization. It demonstrates the value of global cooperation and makes it quite obvious that cybercriminals will be hunted down and made to answer for their deeds. While this win deserves praise, it also highlights the necessity of ongoing watchfulness and investment in cybersecurity measures to guard against potential attacks.


In-Depth Look at Ragnar Locker Ransomware Targeting Vital Industries


The Ragnar group, responsible for the Ragnar Locker ransomware, has been active since 2019, targeting critical industries and using double extortion. The FBI warned in March 2022 that at least 52 entities from ten critical industry sectors had been affected. 

In August 2022, the group launched an attack on Greek gas supplier Desfa, claiming to have stolen sensitive data. Cybereason researchers examined Ragnar Locker's encryption process. Ragnar Locker performs a location check during execution. Execution is stopped if the location is any country in the Commonwealth of Independent States (CIS).

It then gathers host information, such as the computer and user names, the machine GUID and the Windows version. A custom hashing function concatenates and hashes this data, and the combined hash is used as the name of a new event object. Ragnar Locker then attempts to locate existing file volumes using the Windows API function CreateFileW.

Next, an encrypted list of service names embedded in the Ragnar Locker code is decrypted. It includes VSS, sql, memtas, mepocs, sophos, veeam, backup, pulseway, logme, logmein, connectwise, splashtop, kaseya, vmcompute, Hyper-v, vmms and Dfs. If any of these services are found running, the malware stops them.

The malware then decrypts and prepares an embedded RSA public key for use. It decrypts the ransom note and then proceeds to delete any shadow copies of the host via vssadmin.exe and Wmic.exe.

In the analysed sample the ransom note also states, "Also, all of your sensitive and private information was gathered, and if you decide NOT to pay, we will upload it for public view!" Ragnar Locker's Tor data leak site (http [://] rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd [.] onion/) currently lists approximately 70 claimed victims.

The note demands a ransom of 25 bitcoins, but suggests that if contact is made within two days, this can be negotiated. However, it warns that if no contact is made within 14 days, the ransom will double, and the decryption key will be destroyed if no payment agreement is reached within 21 days. It also states that the attackers customised the ransom amount based on the victim's "network size, number of employees, annual revenue."

Ragnar Locker begins the encryption process once the ransom note is ready. Excluded from encryption are specific files such as autoruns.inf, boot.ini, bootfront.bin, bootsect.bak, bootmgr, bootmgr.efi, bootmgfw.efi, desktop.ini, iconcache.db, ntldr, ntuser.dat, ntuser.dat.log, ntuser.ini and thumbs.db; specific directories and objects such as Windows.old, Tor Browser, Internet Explorer, Google, Opera, Opera Software, Mozilla, Mozilla Firefox, $Recycle.bin, ProgramData and All Users; and files with the extensions .db, .sys, .dll, .lnk, .msi, .drv and .exe.

Other files' filenames are sent to the encryption function, which encrypts them and appends the suffix '.ragnar [hashed computer name]'. Ragnar Locker creates a notepad.exe process after encryption and displays the ransom note on the user's screen.
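The pre-encryption steps described above (stopping backup and security services, deleting shadow copies with vssadmin.exe and wmic.exe, and writing files with the '.ragnar' suffix) are all visible from the defender's side in process-creation and file telemetry. The following Python script, an added example that is not part of the original post or of Cybereason's analysis, turns those observations into simple detection logic run over constructed log lines. It assumes a hypothetical one-line-per-process log format, assumes service stops show up as `sc stop` / `net stop` command lines (the post does not say how the malware stops services, so treat that as an assumption), and assumes the hashed-computer-name suffix is rendered as `.ragnar_<hex>`; the service-name list is the one quoted above.

```python
"""Flag host-level indicators of Ragnar Locker's pre-encryption steps
(service stops, shadow copy deletion, .ragnar_ suffix) in process logs."""
import re
from collections import defaultdict

# Service name fragments that the Cybereason analysis lists as targets.
# The comparison is by substring, so "VeeamBackupSvc" matches "veeam" and "backup".
RAGNAR_TARGET_SERVICES = (
    "vss", "sql", "memtas", "mepocs", "sophos", "veeam", "backup", "pulseway",
    "logme", "logmein", "connectwise", "splashtop", "kaseya", "vmcompute",
    "hyper-v", "vmms", "dfs",
)

# Assumed (constructed) process-creation log format for this example:
#   <timestamp> host=<name> pid=<n> image=<path> cmdline=<command line>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+pid=(?P<pid>\d+)\s+"
    r"image=(?P<image>\S+)\s+cmdline=(?P<cmd>.*)$"
)

# Shadow copy deletion via vssadmin.exe or wmic.exe, as described in the post.
SHADOW_DELETE_PATTERNS = (
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
)

# "sc stop <svc>" / "net stop <svc>", optionally quoted (assumed command shape).
SERVICE_STOP_RE = re.compile(
    r'\b(?:sc|net)(?:\.exe)?\s+stop\s+"?(?P<svc>[\w.\-]+)"?', re.I
)

# Encrypted-file suffix. The post gives it as ".ragnar [hashed computer name]";
# rendering the hash as lowercase hex is an assumption.
RAGNAR_EXT_RE = re.compile(r"\.ragnar_[0-9a-f]+\b", re.I)


def parse(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def matches_target_service(service_name):
    """True if the stopped service's name contains any fragment from the Ragnar list."""
    name = service_name.lower()
    return any(fragment in name for fragment in RAGNAR_TARGET_SERVICES)


def detect(lines, service_threshold=3):
    """Scan log lines and return findings as dicts with host, rule and evidence.

    A single stop of a backup or AV service is routine administration, so that
    rule only fires once one host has stopped at least `service_threshold`
    distinct services from the list; the other two rules fire per line.
    """
    findings = []
    stopped_by_host = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        cmd = ev["cmd"]
        if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
            findings.append({"host": ev["host"], "rule": "shadow_copy_deletion", "evidence": cmd})
        m = SERVICE_STOP_RE.search(cmd)
        if m and matches_target_service(m.group("svc")):
            stopped_by_host[ev["host"]].add(m.group("svc"))
        if RAGNAR_EXT_RE.search(cmd):
            findings.append({"host": ev["host"], "rule": "ragnar_extension", "evidence": cmd})
    for host, services in stopped_by_host.items():
        if len(services) >= service_threshold:
            findings.append({
                "host": host,
                "rule": "mass_backup_service_stop",
                "evidence": ", ".join(sorted(services)),
            })
    return findings


# Constructed sample log lines (not from a real incident).
SAMPLE_LOG = [
    r"2023-10-19T10:01:02Z host=WS01 pid=4120 image=C:\Windows\System32\svchost.exe cmdline=svchost.exe -k netsvcs",
    r"2023-10-19T10:02:10Z host=WS01 pid=5230 image=C:\Windows\System32\sc.exe cmdline=sc stop VeeamBackupSvc",
    r'2023-10-19T10:02:11Z host=WS01 pid=5234 image=C:\Windows\System32\net.exe cmdline=net stop "MSSQLSERVER"',
    r"2023-10-19T10:02:12Z host=WS01 pid=5240 image=C:\Windows\System32\sc.exe cmdline=sc stop SophosHealth",
    r"2023-10-19T10:02:40Z host=WS01 pid=5302 image=C:\Windows\System32\vssadmin.exe cmdline=vssadmin.exe delete shadows /all /quiet",
    r"2023-10-19T10:02:41Z host=WS01 pid=5310 image=C:\Windows\System32\wbem\WMIC.exe cmdline=wmic shadowcopy delete",
    r"2023-10-19T10:05:01Z host=WS01 pid=5401 image=C:\Windows\explorer.exe cmdline=explorer.exe C:\Users\alice\report.docx.ragnar_deadbeef",
    r"2023-10-19T11:00:00Z host=WS02 pid=7000 image=C:\Windows\System32\sc.exe cmdline=sc stop Spooler",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['host']}: {f['rule']} -> {f['evidence']}")
```

Run as written, the script reports three rule types for WS01 and nothing for WS02, whose lone `sc stop Spooler` is not on the list. The service-stop rule is deliberately thresholded per host because the signal in the post is the burst of stops across backup, database and security products in a short window, not any one of them; a real deployment would add a time window to that grouping.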

The data used in the double extortion is exfiltrated continuously up to the point of encryption. According to Loic Castel, a principal security analyst at Cybereason's Global SOC, “In general, ransomware operatives doing double extortion always require full privileges on the network they are looking to encrypt. Between the initial access phase (when they take control of an asset, for instance through spearphishing) and the encryption phase, they have access to many machines, which they can extract data from and send through exfiltration services / external domains.”

As per the FBI alert, data exfiltration occurred nearly six weeks after the initial access and continued for about ten days before the encryption process began. Ragnar Locker primarily targets critical industry companies. 

“Ragnar Locker ransomware actors work as part of a ransomware family, frequently changing obfuscation techniques to avoid detection and prevention,” warned the FBI in its March 2022 alert.

Ragnar Locker to Publish Victims' Data if They Approach the FBI


The Ragnar Locker ransomware gang has adopted a new tactic to force victims to pay: it threatens to expose their stolen data if they approach the FBI. Ragnar Locker has previously carried out notable ransomware attacks on various companies to extract millions of dollars in ransom payments. 

Ragnar Locker operators are believed to deploy the ransomware payloads to victims' computers manually. Before the encryption phase they spend time identifying system resources, business backups and other critical files. 

This week, in an announcement on its darknet leak portal, the group threatened to release the complete data of any victim that seeks the help of the police or investigating authorities during a ransomware attack. 

The threat applies equally to victims who turn to file recovery experts to try to decrypt their files and only negotiate afterwards. In either case, the gang says it will publish the victim's entire data set on its .onion site. 

The ransomware operators say that recovery is only made worse by affected companies who hire "professional negotiators", because these negotiators typically collaborate with FBI-associated data recovery businesses and similar organizations. 

“In our practice we has facing with the professional negotiators much more often in last days,” the announcement said in broken English. “Unfortunately it’s not making the process easier or safer, on the contrary it’s actually makes all even worse.” 

“So from this moment we warn all our clients, if you will hire any recovery company for negotiations or if you will send requests to the Police/FBI/Investigators, we will consider this as a hostile intent and we will initiate the publication of whole compromised Data immediately. Don’t think please that any negotiators will be able to deceive us, we have enough experience and many ways to recognize such a lie. Dear clients if you want to resolve all issues smoothly, don’t ask the Police to do this for you. We will find out and punish with all our efforts,” further reads the announcement. 

Such intermediaries are either connected to or in personal contact with law enforcement officials, the gang claims, and in any case are in it for themselves and do not care about the economic well-being of their customers or the privacy of their data, the group stated. 

Previous victims of Ragnar Locker include the Japanese game maker Capcom, the chip maker ADATA, and the Dassault Falcon airline company. In Capcom's case, 2,000 devices were reportedly encrypted and the attackers demanded $11,000,000 in return for a decryption key. 

Ragnar Locker's latest revelation induces further stress for victims, given that governments across the world have strongly advocated against paying ransoms in the present climate of escalating cyber threats. 

"Government has a strong position against paying ransoms to criminals, including when targeted by ransomware. Paying a ransom in response to ransomware does not guarantee a successful outcome," said the British Home Secretary, Priti Patel in May this year.

Chip Maker ADATA Attacked by Ragnar Locker Ransomware Group


ADATA, a Taiwan-based leading memory and storage manufacturer, was forced to take its systems offline after a ransomware attack crippled its network in late May. 

ADATA is known for manufacturing high-quality DRAM memory modules, NAND flash storage cards, mobile accessories, gaming products, entertainment products, power trains, and industrial solutions.

ADATA admitted in an email to Bleeping Computer that it was hit by a ransomware attack on May 23, 2021, and responded by shutting down the impacted systems and notifying all relevant international authorities of the ransomware attack. However, the firm claims that its business operations are no longer disrupted and that it is busy restoring the affected devices. 

ADATA gave no information about the ransomware operation behind the incident or any ransom demands. However, Bleeping Computer reports that the Ragnar Locker ransomware gang has already claimed responsibility for the ADATA attack. Ragnar Locker claims to have taken 1.5TB of sensitive information from ADATA’s computers before deploying the ransomware. 

So far, the ransomware gang has posted screenshots of the stolen files in order to prove their claims. However, they’re threatening to leak the rest of the data if the memory manufacturer does not pay the ransom. Chip manufacturers have become a lucrative target for ransomware operators, who can use the threat of downtime, which can prove to be a lot more costly in these turbulent times than the ransom, as another bargaining chip.

Security researchers first identified the Ragnar Locker ransomware in late December 2019. The gang targets enterprise endpoints and terminates remote management software (such as ConnectWise and Kaseya) installed by managed service providers (MSPs) to manage clients’ systems remotely.

In November 2020, the FBI said that Ragnar Locker Ransomware targeted "cloud service providers, communication, construction, travel, and enterprise software companies." The attack on ADATA is significant also because of its timing, as it comes in the midst of the ongoing chip shortage. With manufacturers struggling to keep pace with the demands, any downtime could further delay the industry's recovery. 

ADATA stated to BleepingComputer that it is "determined to devote ourselves making the system protected than ever, and yes, this will be our endless practice while the company is moving forward to its future growth and achievements."