FBI warns: This ransomware group has gone after critical infrastructure firms again and again

FBI raises an alarm about RagnarLocker, a ransomware gang that hides its malware inside a Windows XP virtual machine.
Written by Liam Tung, Contributing Writer

The FBI has issued an alert over the RagnarLocker gang, a group known to use crafty techniques like running ransomware inside a virtual machine to evade antivirus detection. 

The law enforcement agency said it became aware of RagnarLocker in April 2020 and that, as of January 2022, it had "identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker."

These include entities in critical manufacturing, energy, financial services, government, and tech. The ransomware group frequently changes its obfuscation techniques to avoid detection and prevention, it notes. 

SEE: How Russia's invasion of Ukraine threatens the IT industry

Deploying RagnarLocker in a stripped down virtual instance of Windows XP was one of those obfuscation methods. This tactic allowed the group to hide from local antivirus software and provided more time to encrypt files. The group was known for selecting enterprise targets only and has in the past compromised managed service provider tools to then breach their customers. 

The FBI's warning is contained in a new Flash alert published in coordination with the Cybersecurity and Infrastructure Security Agency.

The FBI notes that RagnarLocker still deploys within the attacker's custom Windows XP virtual machine on a target's site and then starts to encrypt files. 

"Instead of choosing which files to encrypt, RagnarLocker chooses which folders it will not encrypt. Taking this approach allows the computer to operate "normally" while the malware encrypts files with known and unknown extensions containing data of value to the victim," the FBI states. 

The FBI notes that if the logical drive being processed is the C: drive, it doesn't encrypt files from the folders named Windows, Windows.old, Mozilla, Mozilla Firefox, Tor browser, Internet Explorer, $Recycle.Bin, Program Data, Google, Opera, or Opera Software. 

It also doesn't encrypt files with the extensions .db, .sys, .dll, .lnk, .msi, .drv, or .exe. 

The FBI has published the latest indicators of compromise as of January 2022, including IP addresses, Bitcoin addresses, and email addresses used by the attackers. 

The FBI is also appealing for victims to provide information that might include: a copy of the ransom note, any undiscovered malicious IPs and details about unusual RDP and VPN connections, virtual currency addresses, extortion amounts, malicious files, a timeline of events, and evidence of data exfiltration.      

The FBI and US Secret Service (USSS) issued an alert last month about BlackByte ransomware, noting that the malware had compromised multiple US and foreign businesses, including entities from three US critical infrastructure sectors in government facilities, financial, and food and agriculture.

Editorial standards