FBI alert on Ragnar Locker ransomware
by Kapua Iao
The Federal Bureau of Investigation (FBI) recently released a flash alert on Ragnar Locker ransomware. Ragnar Locker is one of many malware families that threat groups use to extort money from organizations.
The FBI flash alert, coordinated with the Department of Homeland Security and its Cybersecurity and Infrastructure Security Agency (CISA), follows several similar advisories prompted by the alarming increase in ransomware attacks.
According to the alert, Ragnar Locker operators continuously evolve their techniques to avoid detection and raise the stakes for victims. Researchers state that it is only a matter of time before other criminal groups copy their methods.
What is Ragnar Locker ransomware?
Ransomware is malware (malicious software) that encrypts files or locks systems and denies the victim access until a ransom is paid.
Such malware is commonly delivered through phishing emails crafted to tempt victims into clicking links or opening attachments, but it can also enter a network by other routes, such as exploitation of unpatched, exposed systems.
Specialists first observed Ragnar Locker at the end of December 2019. The group gains initial access either by exploiting known vulnerabilities (for example, in Microsoft Windows) or through phishing and social engineering, including spear phishing and business email compromise.
Next, the operators search for valuable data and exfiltrate (steal) it. Finally, they deploy the Ragnar Locker ransomware manually to encrypt data.
The victim receives a ransom note that states the operators' preferred payment method, a countdown, and a threat to release the stolen data if the ransom is not paid.
This combination of encryption and a threat to leak is known as double extortion; to make the threat credible, the group publishes samples of the stolen data on its dark web leak site.
Identified Ragnar Locker attacks include:
- Energias de Portugal (EDP; April 2020): 10TB stolen, $10.9M USD demanded
- CMA CGM S.A. (French shipping company, September 2020): information unknown
- Campari Group (November 2020): 2TB stolen, $15M USD demanded
- Capcom (November 2020): 1TB stolen, $11M USD demanded
The group upped the ante after the Campari attack, running a Facebook ad (placed through a hijacked account) to pressure the victim further.
The FBI alert
Government officials began following Ragnar Locker closely in April 2020 after the EDP attack. The FBI alert shares research details so that organizations can understand the ransomware before they are hit.
The group frequently changes its techniques to evade detection and prevention. Nevertheless, an infection is recognizable by the .RGNR extension appended to encrypted files and by the .txt ransom note, in which the operators identify themselves as "RAGNAR_LOCKER."
Once on a machine, the malware checks the victim's locale (it does not attack systems in certain countries) and whether the machine is already infected, so that a second encryption pass does not corrupt data that is already encrypted.
The operators then terminate a number of services and attempt to delete Volume Shadow Copies to prevent recovery from local snapshots. Finally, the malware encrypts the data and drops the ransom note.
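The artefacts described above (the .RGNR extension, a .txt ransom note containing "RAGNAR_LOCKER", and shadow-copy deletion before encryption) are what a responder would sweep a host for. The following is an added example written for this article, not code from the FBI alert or from Paubox: a small Python sweep that walks a directory for encrypted files and ransom notes and flags shadow-copy deletion in process-creation log lines. The article only says shadow copies are deleted; the specific vssadmin/wmic command lines matched below, the log format, and the sample directory are this example's own constructed assumptions.

```python
"""Sweep a host for Ragnar Locker artefacts (added example, not from the article)."""
import re
import shutil
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".rgnr"          # extension the article reports on encrypted files
RANSOM_NOTE_MARKER = "RAGNAR_LOCKER"  # string the article reports in the .txt note

# Shadow-copy deletion command lines. The article only says shadow copies are
# deleted; which commands are used is an assumption made for this example.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE),
    re.compile(r"Win32_ShadowCopy\b.*\bDelete\b", re.IGNORECASE),  # WMI via PowerShell
]

# Constructed process-creation log lines in a key=value format (not real telemetry).
SAMPLE_PROCESS_LOG = [
    'ts=2020-11-02T03:14:07Z host=WS-17 user=svc_backup cmd="vssadmin.exe delete shadows /all /quiet"',
    'ts=2020-11-02T03:14:09Z host=WS-17 user=svc_backup cmd="wmic.exe shadowcopy delete"',
    'ts=2020-11-02T03:15:00Z host=WS-17 user=jdoe cmd="C:\\Program Files\\Office\\WINWORD.EXE /n"',
    'ts=2020-11-02T03:16:12Z host=WS-17 user=jdoe cmd="vssadmin.exe list shadows"',
]


def scan_tree(root):
    """Return (encrypted_files, ransom_notes) found under root, as sorted path strings."""
    encrypted, notes = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        suffix = path.suffix.lower()
        if suffix == ENCRYPTED_EXT:
            encrypted.append(str(path))
        elif suffix == ".txt":
            try:
                head = path.read_text(errors="ignore")[:4096]  # notes are small; read the head
            except OSError:
                continue
            if RANSOM_NOTE_MARKER in head:
                notes.append(str(path))
    return sorted(encrypted), sorted(notes)


def flag_shadow_copy_deletion(log_lines):
    """Return the log lines whose command line matches a shadow-copy deletion."""
    return [line for line in log_lines
            if any(p.search(line) for p in SHADOW_DELETE_PATTERNS)]


def assess(encrypted, notes, shadow_hits):
    """Combine the findings into a verdict: encrypted files plus a ransom note is
    ransomware activity; any single indicator on its own is suspicious."""
    if encrypted and notes:
        return "ransomware-activity"
    if encrypted or notes or shadow_hits:
        return "suspicious"
    return "clean"


def build_sample_tree():
    """Create a constructed directory mimicking a partially encrypted host."""
    root = Path(tempfile.mkdtemp(prefix="ragnar_demo_"))
    (root / "finance").mkdir()
    (root / "finance" / "q3.xlsx.RGNR").write_bytes(b"\x00" * 64)        # encrypted file
    (root / "finance" / "RGNR_readme.txt").write_text("... RAGNAR_LOCKER ...")  # ransom note
    (root / "notes.txt").write_text("meeting notes, nothing unusual")   # benign .txt
    (root / "report.docx").write_bytes(b"PK\x03\x04")                   # untouched file
    return str(root)


def remove_sample_tree(root):
    """Delete the constructed directory."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_sample_tree()
    enc, notes = scan_tree(root)
    hits = flag_shadow_copy_deletion(SAMPLE_PROCESS_LOG)
    print("encrypted files:", enc)
    print("ransom notes:", notes)
    print("shadow-copy deletion:", hits)
    print("verdict:", assess(enc, notes, hits))
    remove_sample_tree(root)
```

Run it against a real mount point by replacing the constructed tree with the path to sweep; the verdict logic deliberately treats shadow-copy deletion alone as only "suspicious", because legitimate backup tooling also prunes snapshots, whereas encrypted files together with the note are conclusive.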
So far, Ragnar Locker is known to target cloud service providers and the communications, construction, enterprise software, and travel industries. No attacks against healthcare have been reported yet.
Healthcare and ransomware attacks
Over the past few months, there has been an alarming uptick in ransomware attacks on healthcare covered entities (CEs).
The healthcare industry is particularly susceptible because it holds valuable data (protected health information, or PHI) while relying on overworked employees, a growing number of connected devices, and outdated computer systems that are still in service.
The Paubox HIPAA Breach Report for December 2020 shows that email breaches affected 225,633 people in November. And the top three breach types—network server, email, and electronic medical records—affected over one million individuals.
For CEs, such attacks can be disastrous beyond the cost of data loss, ransoms, and possible HIPAA fines. Hospitals may have to shut down services, including emergency care, and patient care may be delayed. During a pandemic, such outcomes can be devastating.
How can Paubox help?
Even though officials have not yet seen Ragnar Locker used in healthcare ransomware attacks, CEs must remain prepared. The first step is to follow and read government alerts on cybersecurity threats.
Best practices emphasized by the FBI alert include:
- Back up critical data offline and keep multiple copies that cannot be reached from the network
- Install antivirus and/or antimalware software and keep it updated
- Use secure networks and avoid public Wi-Fi; consider a Virtual Private Network (VPN) for remote access
- Use multifactor authentication together with strong password policies
- Keep all devices and applications patched and up to date
Finally, CEs must ensure that they use HIPAA compliant email, such as Paubox Email Suite Plus, that blocks malicious emails before they reach an employee's inbox. Strong email security combined with the practices above provides the safeguards needed should the Ragnar Locker group set its sights on healthcare.