Ransomware Gang Has Invaded 52 US Critical Infrastructure Organizations

Ragnar Locker

The US Federal Bureau of Investigation (FBI) says the Ragnar Locker ransomware gang has hacked into the networks of at least 52 organizations across multiple US critical infrastructure sectors.

That’s according to a joint TLP:WHITE flash warning published Monday in consultation with the Cybersecurity and Infrastructure Security Agency.

As of January 2022, the FBI has identified at least 52 entities in 10 critical infrastructure sectors affected by RagnarLocker ransomware, including entities in the critical manufacturing, energy, financial services, government and information technology sectors. [PDF]

“RagnarLocker ransomware actors operate as part of a ransomware family and often change obfuscation techniques to avoid detection and prevention.”

The flash alert aims to provide indicators of compromise (IOCs) that organizations can use to detect and block Ragnar Locker ransomware attacks.

IOCs linked to Ragnar Locker activity include information about attack infrastructure, Bitcoin addresses used to collect ransom money, and email addresses used by the gang’s operators.

Although the FBI first learned of Ragnar Locker in April 2020, Ragnar Locker ransomware payloads were first observed in attacks months earlier, in late December 2019.

On compromised business endpoints, Ragnar Locker operators terminate the remote management software (e.g. ConnectWise, Kaseya) that managed service providers (MSPs) use to administer their customers’ systems remotely.

This allows the threat actors to evade detection and ensure that remotely logged in administrators do not hinder or block the ransomware deployment process.
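A defender-side check for the behaviour described above, added here as an example (it is not from the FBI flash or the article): it scans constructed Sysmon-style process events for kill commands aimed at RMM agents and for terminations of the agent processes themselves. The agent image names and service keywords are assumed examples; populate them from your own software inventory.

```python
import ntpath

# Assumed example values for RMM agent binaries and the product names that
# appear in service/process names; replace with your own inventory.
RMM_AGENT_IMAGES = {"screenconnect.clientservice.exe", "agentmon.exe"}
RMM_KEYWORDS = ("screenconnect", "connectwise", "kaseya", "agentmon")

# Built-in tools commonly used to stop processes or services.
KILL_TOOLS = {"taskkill.exe", "net.exe", "net1.exe", "sc.exe"}
KILL_VERBS = ("/im", "/pid", "stop", "delete")

# Constructed sample events (Sysmon-like: id 1 = process create, id 5 = terminate).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM ScreenConnect.ClientService.exe"},
    {"id": 1, "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net stop "Kaseya Agent"'},
    {"id": 5, "image": r"C:\Program Files\Kaseya\AgentMon.exe"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"id": 5, "image": r"C:\Windows\System32\notepad.exe"},
]


def classify(event):
    """Return a rule name if the event looks like RMM agent tampering, else None."""
    image = ntpath.basename(event.get("image", "")).lower()
    if event.get("id") == 1:
        cmd = event.get("cmdline", "").lower()
        # A kill/stop tool whose command line names an RMM product.
        if (image in KILL_TOOLS
                and any(k in cmd for k in RMM_KEYWORDS)
                and any(v in cmd for v in KILL_VERBS)):
            return "rmm_kill_command"
        return None
    if event.get("id") == 5 and image in RMM_AGENT_IMAGES:
        # Agent exits also happen on legitimate updates; correlate with a
        # restart within a short window before escalating.
        return "rmm_agent_terminated"
    return None


def detect(events):
    """Return (rule, image) pairs for every event that matches a rule."""
    alerts = []
    for event in events:
        rule = classify(event)
        if rule:
            alerts.append((rule, event["image"]))
    return alerts


if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```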

Request for information linked to Ragnar Locker attacks

The FBI asked administrators and security professionals who detect Ragnar Locker activity to share any related information with their local FBI Cyber Squad.

Useful information that could help identify the threat actors behind this ransomware gang includes copies of the ransom notes, ransom demands, timelines of malicious activity, payload samples, and more.

The FBI added that it does not encourage paying ransoms for Ragnar Locker because victims have no guarantee that paying will prevent leaks of stolen data or future attacks.

Instead, ransom payments further motivate the ransomware gang to attack even more victims and encourage other cybercriminals to join in and launch their own ransomware attacks.

However, the federal agency acknowledged the damage ransomware attacks inflict on businesses, which can push executives to pay ransoms in order to protect shareholders, customers or employees.

The FBI also shared mitigation measures to block such attacks and strongly urged victims to report such incidents to their local FBI field office.

Since December, the FBI has also disclosed that Cuba ransomware compromised the networks of at least 49 US critical infrastructure entities, while the BlackByte ransomware gang affected at least three others.

This post, Ransomware Gang Has Invaded 52 US Critical Infrastructure Organizations, was originally published at https://www.bleepingcomputer.com/news/security/fbi-ransomware-gang-breached-52-us-critical-infrastructure-orgs/