The U.S. Federal Bureau of Investigation (FBI) Cyber Division warns of increased Ragnar Locker ransomware activity. Following a confirmed attack in April 2020, both the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued flash alert MU-000140-MW to private industry partners, summarizing the malicious actions of actors using this ransomware.

Since the confirmed attack, Ragnar Locker has affected a growing number of victims including cloud service providers and various companies in the communication, construction, travel, and enterprise software industries. In all cases, Ragnar Locker hackers infiltrated their target’s network, performed stealthy reconnaissance, and stole data before encrypting files in the final stage of the attack.

Recognizing Ragnar Locker Tactics

Actors using Ragnar Locker first gain remote access to devices on the target network. The actors then perform a sweep of network resources, company backups, and other sensitive files as part of their reconnaissance. To avoid detection, they frequently switch their payload techniques using custom packing algorithms and leverage Windows XP virtual machines deployed on victims’ systems to encrypt files. Files encrypted during the attack are renamed with the extension “.RGNR_<ID>”, where the ID is a hash of the computer’s NetBIOS name.

After completing their reconnaissance and pre-deployment activities, Ragnar Locker actors drop their ransomware executable as well as custom ransom .txt notes on all encrypted systems. These notes typically contain the victim’s company name and links to the Tor and data leak websites where their data will be published if they do not comply with the ransom demands.
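The “.RGNR_<ID>” rename described above is a usable detection signal in file-activity telemetry. The following is an added example, not code from the FBI alert or from Blackpoint: it scans (host, path) events for that extension and groups the hits per reporting host. The event format, host names, paths, IDs and the alphanumeric shape of the ID are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Extension format taken from the alert summary: ".RGNR_<ID>".
# Assumption: <ID> is an alphanumeric token; the page does not give its length.
RGNR_EXT = re.compile(r"\.RGNR_([0-9A-Za-z]+)$", re.IGNORECASE)


def extract_id(path):
    """Return the <ID> if the path ends in .RGNR_<ID>, else None."""
    m = RGNR_EXT.search(path.strip())
    return m.group(1).upper() if m else None


def summarize(events, min_files=2):
    """Group matching file events by the host that reported them.

    events: iterable of (host, path) tuples from file telemetry.
    Returns {host: {"files": n, "ids": [...]}} for hosts with at least
    min_files matches. Since the ID is derived from a computer name,
    more than one ID on a host points to more than one computer name.
    """
    hits = defaultdict(lambda: {"files": 0, "ids": set()})
    for host, path in events:
        rid = extract_id(path)
        if rid is None:
            continue
        hits[host]["files"] += 1
        hits[host]["ids"].add(rid)
    return {
        h: {"files": v["files"], "ids": sorted(v["ids"])}
        for h, v in hits.items()
        if v["files"] >= min_files
    }


# Constructed sample telemetry (hosts, paths and IDs are made up).
SAMPLE_EVENTS = [
    ("FS01", r"D:\Shares\Finance\q3.xlsx.RGNR_1A2B3C4D"),
    ("FS01", r"D:\Shares\Finance\invoices.pdf.rgnr_1a2b3c4d"),
    ("FS01", r"D:\Shares\HR\roster.docx.RGNR_9F8E7D6C"),
    ("WS22", r"C:\Users\amy\Desktop\plan.docx.RGNR_9F8E7D6C"),
    ("WS22", r"C:\Users\amy\Documents\RGNR_notes.txt"),  # not an extension match
    ("WS23", r"C:\Temp\build.RGNR_"),                    # empty ID, ignored
]

if __name__ == "__main__":
    for host, info in summarize(SAMPLE_EVENTS).items():
        print(host, info)
```

The `min_files` threshold suppresses single stray matches; set it to 1 when any hit should be triaged.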

What Does This Mean to Our Partners?

The Ragnar Locker malware targets and kills services MSPs use to remotely manage their clients’ networks. Ragnar Locker attackers also exfiltrate large amounts of your clients’ confidential information such as billing, contracts, intellectual property, user credentials, customer records, and more.

Recommendations from the FBI

To guard against this attack, the FBI encourages organizations to safely store their critical data in offline backups, in a cloud backup, or on external hard drives or storage devices that cannot be accessed from the compromised network. Backup data must not be accessible for modification or deletion from the primary network.

Anti-virus and anti-malware solutions must be installed and consistently updated on all hosts. The FBI recommends that organizations implement Virtual Private Networks (VPNs) to avoid use of public Wi-Fi networks, patch all computers, devices, and applications on a regular basis, mandate multi-factor authentication, and practice strict password hygiene.

How to Protect Yourself and Your Clients

A single compromised device is all it takes to devastate your operations. During an attack, your detection and response times are crucial and often determine whether the actors succeed in their efforts. With attackers acting faster than ever, investing in an around-the-clock true Managed Detection and Response (MDR) service, not just one that provides remediation recommendations, means that you can fight back within minutes and hours, not days and weeks.

Unfortunately, many organizations rely solely on automated prevention technology such as anti-virus, anti-malware, and endpoint detection and response (EDR). Increasingly, we see this technology alone fail to keep networks safe. Attackers are very familiar with these technologies and know how to disable or evade them. Be cautious as well of security monitoring services whose strategy is based on these technologies alone. While they may monitor 24/7, these remote providers are still limited by the single-point solution they employ and have no comprehensive visibility into your network and IT environment.

The best end-to-end security is a combination of both prevention and advanced tradecraft detection technologies that monitor account activity and behavior in real-time as well as a 24/7 active threat hunting and response service provided by experienced security analysts. Active threat hunting by analysts detects reconnaissance activities at their earliest stages. Upon detection, analysts can respond quickly to stop hackers from moving their malware around your networks, isolate compromised devices, and incapacitate any attempts at encrypting or stealing sensitive information.

Download our eBook, MSP Best Practices to Secure against Ransomware, to learn more about how to effectively protect your infrastructure and your customers’ infrastructures from a ransomware attack.
