RagnarLocker ransomware encrypts the information of at least 52 critical infrastructure organizations in the US

RagnarLocker is a ransomware operation first detected in 2020 that has remained active despite the ongoing countermeasures governments around the world have taken against such groups.

Since the beginning of 2022, the Federal Bureau of Investigation (FBI) has identified at least 52 organizations infected with RagnarLocker across 10 critical infrastructure sectors, including critical manufacturing, financial services, energy, information technology and government.

RagnarLocker is easily identifiable because it appends the “.RGNR_<ID>” extension to encrypted files, where <ID> is a hash of the computer’s NETBIOS name. Once encryption has completed, the threat actors leave a ransom note with instructions for making the payment and decrypting the affected information. RagnarLocker is obfuscated with VMProtect, UPX and custom packing algorithms, and is deployed from within an attacker-controlled, custom Windows XP virtual machine on the target’s site.

RagnarLocker also calls the Windows API GetLocaleInfoW to identify the locale of the infected machine. If the locale is identified as Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Tajik, Russian, Turkmen, Uzbek, Ukrainian or Georgian, the process terminates without encrypting anything.

The malware then iterates through all running services and terminates those commonly used by managed service providers (MSPs) to administer networks remotely. It also attempts to silently delete all Volume Shadow Copies, so that victims cannot restore encrypted files from them.

Finally, RagnarLocker encrypts all available files of interest. Instead of choosing which files to encrypt, RagnarLocker chooses which folders to leave untouched, so the affected device keeps operating normally while the victim’s files are encrypted in the background.
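The three behaviours just described (the “.RGNR_<ID>” extension, deletion of shadow copies, and termination of remote-administration services) are each observable from endpoint telemetry. The script below is an added example written for this article, not code from the FBI alert or from the malware, showing how an incident responder might triage a batch of host events for them and rank hosts for isolation. The sample events are constructed; the hexadecimal form of <ID>, the shadow-copy deletion command lines and the service watchlist are assumptions made for the illustration, since the article states only what the malware does, not how.

```python
"""Triage constructed endpoint events for RagnarLocker-style activity."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumption: the <ID> in ".RGNR_<ID>" is written as hexadecimal digits.
# The alert says only that it is a hash of the machine's NETBIOS name.
RGNR_EXT = re.compile(r"\.RGNR_[0-9A-Fa-f]{4,}$")

# Assumption: common Windows command lines that delete Volume Shadow Copies.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|Win32_ShadowCopy.*Delete",
    re.IGNORECASE,
)

# Assumption: substrings found in service names of backup and
# remote-administration agents of the kind the article says get stopped.
WATCHED_SERVICE_KEYWORDS = (
    "veeam", "backup", "kaseya", "logmein", "splashtop", "pulseway", "connectwise",
)


@dataclass
class Event:
    kind: str    # "file_create", "process_create" or "service_stop"
    host: str
    detail: str  # file path, command line or service name


@dataclass
class Finding:
    host: str
    rule: str
    evidence: str


def triage(events):
    """Return one Finding per event that matches a rule; other events are dropped."""
    findings = []
    for ev in events:
        if ev.kind == "file_create" and RGNR_EXT.search(ev.detail):
            findings.append(Finding(ev.host, "rgnr_extension", ev.detail))
        elif ev.kind == "process_create" and SHADOW_DELETE.search(ev.detail):
            findings.append(Finding(ev.host, "shadow_copy_deletion", ev.detail))
        elif ev.kind == "service_stop" and any(
            k in ev.detail.lower() for k in WATCHED_SERVICE_KEYWORDS
        ):
            findings.append(Finding(ev.host, "remote_admin_service_stopped", ev.detail))
    return findings


def summarize(findings):
    """Map each host to the set of rules it triggered."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.rule)
    return dict(by_host)


def isolation_priority(findings):
    """Hosts already writing .RGNR_ files come first: encryption is under way and
    only isolation limits the blast radius. Hosts showing just the precursor
    signals (service stops, shadow-copy deletion) follow."""
    summary = summarize(findings)
    encrypting = sorted(h for h, rules in summary.items() if "rgnr_extension" in rules)
    precursor_only = sorted(h for h in summary if h not in encrypting)
    return encrypting + precursor_only


# Constructed sample telemetry: one host in full encryption, one showing a
# precursor only, one clean.
SAMPLE_EVENTS = [
    Event("service_stop", "WS-014", "VeeamBackupSvc"),
    Event("process_create", "WS-014",
          r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    Event("file_create", "WS-014",
          r"C:\Users\jdoe\Documents\Q1-forecast.xlsx.RGNR_3C8A1F"),
    Event("process_create", "SRV-02", "wmic.exe shadowcopy delete /nointeractive"),
    Event("process_create", "SRV-09", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    Event("file_create", "SRV-09", r"C:\Data\report.docx"),
    Event("service_stop", "SRV-09", "Spooler"),
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host}: {f.rule} <- {f.evidence}")
    print("isolate in this order:", isolation_priority(found))
```

In a real investigation the events would come from Sysmon, EDR or Windows event logs rather than the inline list; the rules stay the same, and the host ranking is what turns a pile of alerts into a containment order.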

The FBI considers RagnarLocker an active threat whose activity could be highly damaging to U.S. critical infrastructure, and recommends that system administrators implement the following measures:

  • Keep offline backups of critical data.
  • Do not share critical information from a compromised network.
  • Use multi-factor authentication and strong passwords, including for remote access services.
  • Keep computers, devices and applications updated to the latest available version.

The FBI also discourages negotiating with or paying cybercriminal groups: payment does not guarantee that files will be recovered and can leave victims worse off.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.