The Federal Bureau of Investigation (FBI) recently released a new flash alert addressing Ragnar Locker ransomware. Ragnar Locker is just one of numerous malware families that threat groups use to extort money from organizations. The FBI flash alert, coordinated with the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency, comes after several other similar guides that address the recent alarming increase in ransomware attacks. According to the alert, Ragnar Locker threat actors continuously evolve their techniques to avoid detection and raise the stakes for victims. Researchers state that it is only a matter of time before other cyber groups copy their methods.
What is Ragnar Locker ransomware?
Ransomware is malware (malicious software) that denies access to a system until the victim pays a ransom. Such malware is normally delivered through phishing emails crafted to tempt victims into clicking links or opening attachments, but it can also enter systems through other threat vectors. Specialists first observed Ragnar Locker at the end of December 2019. The threat group gains entry through a known vulnerability (e.g., in Microsoft Windows operating systems) or through phishing that relies on social engineering; the latter category includes spear-phishing as well as business email compromise. Next, the ransomware group searches for valuable data to exfiltrate (steal). Finally, the hackers deploy Ragnar Locker ransomware manually to encrypt the data. The victim receives a ransom note and a threat to release the data if the ransom is not paid, along with a countdown and the hackers' preferred payment method. Moreover, the threat actors often use a double extortion approach, publishing proof of the stolen data on the dark web. Identified Ragnar Locker attacks include:
Energias de Portugal (EDP; April 2020): 10TB stolen, $10.9M USD demanded
CMA CGM S.A. (French shipping company, September 2020): information unknown
Campari Group (November 2020): 2TB stolen, $15M USD demanded
The threat group upped the ante after the Campari attack, taking out a Facebook ad for further intimidation.
The FBI alert
Government officials began to follow Ragnar Locker closely in April 2020 after the EDP attack. The FBI’s alert provides research details to help organizations understand the ransomware before they are hit. The ransomware group frequently changes its techniques to avoid detection and prevention. Nevertheless, the threat actors are recognizable by the .RGNR extension on encrypted files and by the .txt ransom note in which they identify themselves as "RAGNAR_LOCKER." Once inside a system, the group checks the victim's location (so as not to attack victims in certain locations) and looks for existing infections (i.e., other malware, to prevent multiple encryptions that would corrupt the data). From there the threat actors terminate several services and attempt to delete shadow copies to prevent recovery. Finally, the group encrypts the data and sends the ransom note. At the moment, Ragnar Locker is known to target cloud service providers and the communication, construction, enterprise software, and travel industries. There are no reported attacks against healthcare yet.
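The alert gives defenders three observable indicators: the .RGNR extension on encrypted files, a .txt ransom note naming "RAGNAR_LOCKER," and attempts to delete shadow copies. The script below is an added example, not code from the FBI alert or from Paubox, that scans constructed sample data (file paths, note contents, and process-creation log lines, all made up for this illustration) for those three indicators. The shadow-copy deletion patterns it matches are the generic Windows commands an administrator would use for that task; they are an assumption about what such an attempt looks like in a log, not a claim about this group's exact tooling.

```python
"""Scan for the Ragnar Locker indicators described in the FBI flash alert.

Added example (not from the alert or Paubox). Inputs below are constructed.
"""
import re
from dataclasses import dataclass

# Indicators taken from the alert: encrypted files carry a .RGNR extension,
# and the ransom note is a .txt file that names "RAGNAR_LOCKER".
RGNR_EXT = re.compile(r"\.rgnr$", re.IGNORECASE)
NOTE_MARKER = "RAGNAR_LOCKER"

# Assumed shadow-copy deletion patterns: the usual Windows tooling for the job,
# used here as a generic heuristic rather than a group-specific signature.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    kind: str       # which indicator fired
    evidence: str   # the path or log line that triggered it


def scan_paths(paths):
    """Return one finding per file path that ends in .RGNR (any case)."""
    return [Finding("rgnr_extension", p) for p in paths if RGNR_EXT.search(p)]


def scan_ransom_note(path, text):
    """Return a finding if a .txt file's contents name RAGNAR_LOCKER, else None."""
    if path.lower().endswith(".txt") and NOTE_MARKER in text:
        return Finding("ransom_note", path)
    return None


def scan_process_log(lines):
    """Return one finding per process-creation line that deletes shadow copies."""
    return [Finding("shadow_copy_deletion", line.strip())
            for line in lines if SHADOW_DELETE.search(line)]


def scan_all(paths, notes, proc_log):
    """Run all three checks and return the combined list of findings."""
    findings = scan_paths(paths)
    for path, text in notes.items():
        finding = scan_ransom_note(path, text)
        if finding:
            findings.append(finding)
    findings.extend(scan_process_log(proc_log))
    return findings


# Constructed sample data for the demonstration (not real artifacts).
SAMPLE_PATHS = [
    "C:\\Users\\alice\\Documents\\budget.xlsx",
    "C:\\Users\\alice\\Documents\\budget.xlsx.RGNR",
    "D:\\shares\\finance\\q3.docx.rgnr",
    "C:\\Windows\\System32\\notepad.exe",
]
SAMPLE_NOTES = {
    # Constructed note file name and text; only the marker string matters here.
    "C:\\Users\\alice\\Desktop\\readme_note.txt": "Your files were encrypted by RAGNAR_LOCKER.",
    "C:\\Users\\alice\\Desktop\\todo.txt": "buy milk",
}
SAMPLE_PROC_LOG = [
    '2020-11-20T10:15:02Z host=WS01 user=alice image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c dir"',
    '2020-11-20T10:15:09Z host=WS01 user=SYSTEM image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"',
    '2020-11-20T10:15:10Z host=WS01 user=SYSTEM image=C:\\Windows\\System32\\wbem\\WMIC.exe cmdline="wmic.exe shadowcopy delete"',
]

if __name__ == "__main__":
    for f in scan_all(SAMPLE_PATHS, SAMPLE_NOTES, SAMPLE_PROC_LOG):
        print(f"{f.kind:22s} {f.evidence}")
```

Run as-is, the script reports two .RGNR files, one ransom note, and two shadow-copy deletion attempts from the constructed inputs. In practice the path list would come from a file-server audit, the note contents from new .txt files on user desktops, and the log lines from endpoint process-creation telemetry.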
Even though officials have not yet seen Ragnar Locker used in healthcare ransomware attacks, covered entities (CEs) must remain prepared. The first step is to follow and read government alerts on cybersecurity threats. Best practices emphasized by the FBI alert include:
Backup critical data offline and ensure multiple, unreachable copies
Install and update antivirus and/or antimalware software
Only use private networks (e.g., Virtual Private Networks); never public Wi-Fi
Along with these, ensure the use of a layered cybersecurity program that includes regular recovery tests as well as up-to-date business continuity plans and employee awareness training. Finally, CEs must ensure that they use a HIPAA compliant email service such as Paubox Email Suite Plus that blocks malicious emails before they ever reach an employee’s inbox. Strong email security combined with all of the above provides the safeguards needed should the Ragnar Locker ransomware group set its sights on healthcare.
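Two of the recommendations above, keeping multiple copies of critical data and running regular recovery tests, are easy to state and easy to skip. The script below is an added example, not Paubox's or the FBI's code, showing one way to make both routine: it archives a directory with a SHA-256 manifest, writes the archive to more than one destination, and then performs a restore test that extracts a copy to scratch space and verifies every file against the manifest. The "offline" destination is simulated as a second directory; in practice it would be removable or immutable storage that the ransomware's process cannot reach. The same manifest also shows which files have changed since the last backup, which is the question a recovery team asks first.

```python
"""Backup with a hash manifest, plus a restore test.

Added example (not from Paubox or the FBI alert). All sample files are
constructed inside a temporary directory by demo().
"""
import hashlib
import json
import shutil
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 hex digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, dest_dirs, name="backup") -> list:
    """Archive src with its manifest and copy both to every destination.

    Returns the list of archive paths written (one per destination)."""
    manifest = build_manifest(src)
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp) / f"{name}.tar.gz"
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(src, arcname="data")
        manifest_path = Path(tmp) / f"{name}.manifest.json"
        manifest_path.write_text(json.dumps(manifest, indent=2))
        copies = []
        for dest in dest_dirs:
            dest = Path(dest)
            dest.mkdir(parents=True, exist_ok=True)
            shutil.copy2(archive, dest / archive.name)
            shutil.copy2(manifest_path, dest / manifest_path.name)
            copies.append(dest / archive.name)
    return copies


def recovery_test(archive: Path) -> dict:
    """Restore the archive to scratch space and verify it against its manifest.

    Returns {"restored": count, "mismatched": [paths], "missing": [paths]}."""
    manifest_file = archive.parent / archive.name.replace(".tar.gz", ".manifest.json")
    manifest = json.loads(manifest_file.read_text())
    with tempfile.TemporaryDirectory() as tmp:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(tmp, filter="data")   # safe-extraction filter (newer Pythons)
            except TypeError:
                tar.extractall(tmp)                  # older Python without the filter argument
        restored = build_manifest(Path(tmp) / "data")
    mismatched = [p for p, h in manifest.items() if p in restored and restored[p] != h]
    missing = [p for p in manifest if p not in restored]
    return {"restored": len(restored), "mismatched": mismatched, "missing": missing}


def changed_since_backup(src: Path, manifest: dict) -> list:
    """List manifest entries whose current content differs or which are gone."""
    current = build_manifest(src)
    return sorted(p for p, h in manifest.items() if current.get(p) != h)


def demo() -> dict:
    """Constructed end-to-end run: back up three files to two copies, test both,
    then overwrite one source file (as in-place encryption would) and show the
    manifest identifies it."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "critical"
        (src / "notes").mkdir(parents=True)
        (src / "patients.csv").write_text("id,name\n1,constructed\n")
        (src / "notes" / "a.txt").write_text("sample note")
        (src / "config.json").write_text("{}")
        copies = create_backup(src, [Path(work) / "onsite", Path(work) / "offline"])
        results = [recovery_test(c) for c in copies]
        (src / "patients.csv").write_bytes(b"\x00" * 16)   # simulate post-backup damage
        manifest = json.loads((copies[0].parent / "backup.manifest.json").read_text())
        changed = changed_since_backup(src, manifest)
    return {"copies": len(copies), "results": results, "changed": changed}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the demo reports two copies, both restore tests returning three files with no mismatches or gaps, and `patients.csv` as the one file that changed after the backup. Scheduling `recovery_test` against the offline copy is what turns "we have backups" into a tested recovery capability.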