Global critical infrastructure operators warned about Ragnar Locker ransomware

Cybereason published a global Threat Analysis Report on the Ragnar Locker ransomware gang and its attacks on global critical infrastructure operators’ networks. Ragnar Locker first appeared in 2019, and hundreds of businesses have been victimized since then. The threat level of Ragnar Locker ransomware attacks against critical infrastructure operators is HIGH, according to Cybereason.

After Ragnar Locker carried out more than 50 successful attacks against critical infrastructure operators in the United States, the FBI issued a Flash Advisory earlier this year warning the operators to be more vigilant against potential attacks. Ragnar Locker recently claimed responsibility for an attack on DESFA, Greece’s largest natural gas supplier.

Ragnar Locker’s victims have been subjected to a double extortion scheme. Attackers use double extortion to breach a victim’s network, steal sensitive information by moving laterally through the organization, and threaten to publish the stolen data unless the ransom demand is met.

Other key findings of the investigation include: 

• Security Evasion Capabilities: Ragnar Locker checks if specific products are installed, especially security products (antivirus), virtual-based software, backup solutions and IT remote management solutions.
• Active for Three Years: Ragnar Locker is both a ransomware group and the name of the software in use. They have been running since 2019 and targeting critical industries. They use the double extortion scheme.
• Excluding the Commonwealth of Independent States: Ragnar Locker avoids being executed from countries since the group is located in the Commonwealth of Independent States (CIS).