Wednesday, May 1, 2024

Ragnar Locker ransomware – what you need to know


What is this Ragnar Locker thing I’ve heard about?

Ragnar Locker is a family of ransomware which first came to prominence in early 2020, when it became notorious for hitting large organisations and attempting to extort large amounts of cryptocurrency from its victims.

So just your usual bunch of cybercriminals then?

Yes, although on their underground website, where they leak files stolen from their corporate victims, they attempt to portray themselves rather differently.

In the Ragnar Locker gang’s “About us” section they make the rather unconvincing claim that they “don’t pursuit goal to make huge damage to anybody’s business”, whilst admitting that “if it would be necessary, no doubt we will do what we promise and the consequences will be disastrous.”

[Screenshot from the Ragnar Locker leak site]

The criminals even attempt to convince their victims that they can help improve security:

“We are interesting to find weaknesses and vulnerabilities in networks and we are good at this, we can help to improve the security measures, that’s why we give a chance to make a deal and providing list of recommendations and penetrations reports.” “Companies under attack of Ragnar_Locker can count it as a bug hunting reward, we are just illustrating what can happens. But don’t forget there are a lot of peoples in internet who don’t want money – somebody might want only to crash and destroy. So better pay to us and we will help you to avoid such issues in future.”

Hmm. It sounds like they’re making an offer you can’t refuse…

Yes, the words may seem kindly, but there’s no disguising the implicit threat that if you don’t pay the ransom after they have broken into your network, things could get very nasty indeed.

Because your data will be encrypted, and may be leaked online?

Precisely. The FBI is clearly concerned, and has issued an alert warning that the Ragnar Locker gang has infected at least 52 critical infrastructure organisations across America with its ransomware.

Systems have been hit in the critical manufacturing, energy, financial services, government, and information technology sectors, says the FBI.

It’s bad enough for any company to get hit, but critical infrastructure…

Right.

And that’s why the FBI’s alert is raising awareness of the Ragnar Locker ransomware threat and offering information about how it works, indicators of compromise, and tips on how to better secure your business.

Is it just a problem facing North American businesses?

No, Ragnar Locker can be used against organisations around the world, although interestingly the ransomware terminates if the infected computer’s locale (which it looks up with the Windows GetLocaleInfoW API) is identified as “Azerbaijani,” “Armenian,” “Belorussian,” “Kazakh,” “Kyrgyz,” “Moldavian,” “Tajik,” “Russian,” “Turkmen,” “Uzbek,” “Ukrainian,” or “Georgian.”

Could that indicate what part of the world the ransomware originates from?

You might think that; I couldn’t possibly comment. But it’s widely believed that some cybercriminal gangs deliberately avoid hitting companies in their own country, in the hope of avoiding unwanted interest from local law enforcement agencies.

Gotcha. So when the Ragnar Locker ransomware triggers – what does it encrypt?

What’s perhaps quicker to describe is what it doesn’t encrypt. In order to allow the computer to operate “normally” during the encryption process, it avoids encrypting files in the following folders on the C: drive:

  • Windows
  • Windows.old
  • Mozilla
  • Mozilla Firefox
  • Tor browser
  • Internet Explorer
  • $Recycle.Bin
  • Program Data
  • Google
  • Opera
  • Opera Software

In addition, when cycling through files, Ragnar Locker ignores files with the following extensions:

  • .db
  • .sys
  • .dll
  • .lnk
  • .msi
  • .drv
  • .exe

Of course, these are all file types that can typically be easily replaced – unlike data files, which typically carry greater value. Bear in mind that the exclusion list exists to keep the machine usable while the encryption runs, not to spare your data: anything outside those folders and extensions is a target.

But to encrypt files it needs to have found its way into your organisation somehow. How does it do that?

The Ragnar Locker gang is like many other cybercriminal groups targeting businesses with ransomware – taking advantage of internet-exposed services such as RDP, brute-forcing passwords or using stolen credentials. Once in, an attacker will attempt to gain greater privileges and move laterally throughout the network before the ransomware is deployed.
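As an added example (this is not code from the original article, from the FBI alert or from any Ragnar Locker sample), here is a small Python hunt for the initial-access pattern just described: a burst of failed RDP logons from one source address followed by a successful logon from the same address. It reads constructed Windows Security log records. EventID 4625 (failed logon), EventID 4624 (successful logon) and LogonType 10 (RemoteInteractive, i.e. RDP) are real Windows identifiers, but every timestamp, user name and IP address in the sample is made up, and the threshold and time window are arbitrary choices to tune for your environment.

```python
"""Hunt for 'RDP brute force followed by success' in Windows Security log data.

Added example, not code from the original article or the FBI alert. The log
records in SAMPLE_LOG are constructed for illustration: the event IDs and logon
type are real Windows values, but every timestamp, user and IP is made up.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

FAILED_LOGON = 4625       # Windows Security event: an account failed to log on
SUCCESSFUL_LOGON = 4624   # Windows Security event: an account was successfully logged on
RDP_LOGON_TYPE = 10       # LogonType 10 = RemoteInteractive (RDP / Terminal Services)

# Constructed sample: one IP sprays several accounts then logs in as svc_backup,
# one user simply mistypes a password once, and one IP probes slowly over hours.
SAMPLE_LOG = """\
2022-03-07T02:14:01 4625 10 Administrator 203.0.113.7
2022-03-07T02:14:03 4625 10 admin 203.0.113.7
2022-03-07T02:14:06 4625 10 backup 203.0.113.7
2022-03-07T02:14:09 4625 10 svc_backup 203.0.113.7
2022-03-07T02:14:12 4625 10 svc_backup 203.0.113.7
2022-03-07T02:14:15 4625 10 svc_backup 203.0.113.7
2022-03-07T02:15:40 4624 10 svc_backup 203.0.113.7
2022-03-07T03:02:10 4625 10 jsmith 198.51.100.20
2022-03-07T03:05:44 4624 10 jsmith 198.51.100.20
2022-03-07T04:00:00 4625 10 root 192.0.2.55
2022-03-07T04:45:00 4625 10 root 192.0.2.55
2022-03-07T05:30:00 4625 10 root 192.0.2.55
2022-03-07T06:15:00 4625 10 root 192.0.2.55
2022-03-07T07:00:00 4625 10 root 192.0.2.55
2022-03-07T07:00:01 4625 3 root 192.0.2.55
"""


@dataclass(frozen=True)
class LogonEvent:
    when: datetime
    event_id: int
    logon_type: int
    user: str
    src_ip: str


@dataclass(frozen=True)
class Finding:
    src_ip: str
    failures: int                    # failed RDP logons inside the densest window
    first_failure: datetime
    compromised_user: Optional[str]  # set if a successful RDP logon followed the burst


def parse_log(text: str) -> List[LogonEvent]:
    """Parse lines of '<ISO time> <EventID> <LogonType> <user> <src_ip>', time-sorted."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, logon_type, user, src_ip = line.split()
        events.append(LogonEvent(datetime.fromisoformat(ts), int(event_id),
                                 int(logon_type), user, src_ip))
    return sorted(events, key=lambda e: e.when)


def find_rdp_bruteforce(events: List[LogonEvent], threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> List[Finding]:
    """Flag each source IP with >= threshold failed RDP logons inside `window`,
    and record whether a successful RDP logon from the same IP follows within
    `window` of the burst (the 'guessed or stolen password worked' case)."""
    by_ip: Dict[str, List[LogonEvent]] = defaultdict(list)
    for e in events:
        if e.logon_type == RDP_LOGON_TYPE:   # ignore network/service logons
            by_ip[e.src_ip].append(e)

    findings = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e.event_id == FAILED_LOGON]
        best = None  # (count, first, last) of the densest qualifying window
        start = 0
        for end in range(len(fails)):          # sliding window over sorted failures
            while fails[end].when - fails[start].when > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, fails[start].when, fails[end].when)
        if best is None:
            continue
        count, first, last = best
        success = next((e for e in evs if e.event_id == SUCCESSFUL_LOGON
                        and last <= e.when <= last + window), None)
        findings.append(Finding(ip, count, first, success.user if success else None))
    return findings


def analyse(text: str = SAMPLE_LOG, threshold: int = 5) -> List[Finding]:
    """Convenience wrapper: parse and hunt in one call."""
    return find_rdp_bruteforce(parse_log(text), threshold=threshold)


if __name__ == "__main__":
    for f in analyse():
        outcome = f"then SUCCEEDED as {f.compromised_user}" if f.compromised_user else "no success seen"
        print(f"{f.src_ip}: {f.failures} failed RDP logons from {f.first_failure}, {outcome}")
```

Run against the sample, only 203.0.113.7 is flagged: six failures in fourteen seconds and then a working logon as svc_backup, which is exactly the account you would want to disable and investigate first. The single mistyped password and the slow probe from 192.0.2.55 stay below the threshold; lower the threshold or widen the window if slow sprays are a concern. Filtering on LogonType 10 keeps the hunt focused on RDP; the same pattern with LogonType 3 would cover network (SMB/NTLM) password guessing.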

So how can my company protect itself from Ragnar Locker?

The best advice is to follow the recommendations on how to protect your organisation from other ransomware. These include:

  • making secure offsite backups.
  • running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities.
  • using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
  • encrypting sensitive data wherever possible.
  • reducing the attack surface by disabling functionality which your company doesn’t need (RDP reachable from the internet being the obvious example here).
  • educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.

If my company has fallen victim to Ragnar Locker, should we pay the ransom?

That’s a decision that only your company can make. What is clear is that the more companies that pay a ransom, the more likely it is that criminals will launch similar attacks against others in the future.

At the same time, your business may feel it has no choice but to make the hard decision to pay. After all, the alternative may put the entire business at risk.

Whatever your decision, you should inform law enforcement agencies of the incident and work with them to help them investigate who might be behind the attacks.

And remember this: paying the ransom doesn’t necessarily mean you’ve erased the security problems that allowed you to be infected in the first place. If you don’t find out what went wrong – and why – and fix it, then you could easily fall victim to further ransomware attacks in the future.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
