The Federal Bureau of Investigation (FBI) has issued a report of cybercriminals using RagnarLocker ransomware to target 52 entities across critical infrastructure sectors. The report includes the latest updates on indicators of compromise (IoC) on the ransomware threat.
The FBI summarized the threat in the new Flash alert:
“As of January 2022, the FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including entities in the critical manufacturing, energy, financial services, government, and information technology sectors.”
The FBI noted that RagnarLocker uses the Windows API GetLocaleInfoW to identify the location of the infected system.
In addition, RagnarLocker finds all attached drives using multiple Windows APIs, including CreateFileW, DeviceIoControl, GetLogicalDrives, and SetVolumeMountPointA. The malware then assigns a drive letter to any volumes and later encrypts those volumes, making it difficult for the victim to recover the encrypted files.
Finally, RagnarLocker attempts to silently delete any Volume Shadow Copies and then encrypts all available files of interest.
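Of the behaviours described above, the shadow-copy deletion is the one that endpoint telemetry exposes most readily. The following is an added example, not code from the FBI report or this article: it scans constructed process-creation log lines for the common command-line forms of shadow-copy deletion. The report does not state which mechanism RagnarLocker uses, so the command patterns and the log format are assumptions based on publicly documented Windows tooling.

```python
import re
from typing import Dict, List, Optional

# Constructed sample process-creation log (not taken from the FBI report).
# Assumed format: "<timestamp> pid=<n> parent=<name> image=<path> cmd=<command line>"
SAMPLE_LOG = (
    "2022-03-07T10:01:12Z pid=4412 parent=explorer.exe image=C:\\Windows\\System32\\notepad.exe cmd=notepad.exe notes.txt\n"
    "2022-03-07T10:02:40Z pid=5120 parent=unknown.exe image=C:\\Windows\\System32\\vssadmin.exe cmd=vssadmin.exe delete shadows /all /quiet\n"
    "2022-03-07T10:02:41Z pid=5131 parent=unknown.exe image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd=wmic.exe shadowcopy delete\n"
    "2022-03-07T10:03:05Z pid=5202 parent=services.exe image=C:\\Windows\\System32\\vssadmin.exe cmd=vssadmin.exe list shadows\n"
)

# Command-line shapes that delete Volume Shadow Copies (assumed, publicly documented
# Windows tooling; the report does not say which one RagnarLocker uses).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bwin32_shadowcopy\b.*\bdelete\b", re.I),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) parent=(?P<parent>\S+) image=(?P<image>\S+) cmd=(?P<cmd>.*)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one assumed-format log line into its fields; None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_shadow_copy_deletions(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed events whose command line matches a shadow-copy deletion pattern.

    Read-only commands such as 'vssadmin list shadows' are deliberately not flagged,
    so the result is a list of events an analyst should triage, not a verdict."""
    hits = []
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None:
            continue
        for pattern in SHADOW_DELETE_PATTERNS:
            if pattern.search(event["cmd"]):
                event["rule"] = pattern.pattern
                hits.append(event)
                break
    return hits


if __name__ == "__main__":
    for hit in find_shadow_copy_deletions(SAMPLE_LOG):
        print(f"{hit['ts']} pid={hit['pid']} parent={hit['parent']} cmd={hit['cmd']}")
```

In a real deployment the parent process is the useful pivot: shadow-copy deletion launched by an unsigned or unexpected parent, as in the constructed lines, deserves far higher priority than the same command run by a backup agent.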
The FBI has provided details on RagnarLocker IoCs, recommended mitigations and additional resources in the report.
Just last month, the FBI also released details on another threat, LockBit 2.0, a ransomware-as-a-service (RaaS) that posed a “significant challenge for defense and mitigation.”
LockBit 2.0 added a feature to automatically encrypt Windows domain-joined devices by abusing Active Directory group policies. LockBit 2.0 also developed Linux-based malware used to target vulnerable VMware ESXi virtual machines.