Cyber Security
WastedLocker Ransomware
On April 14th the news broke that, Portuguese multinational energy giant Energias de Portugal (EDP) was hit by ransomware attacking the network of the company’s 11,500 employees. The attack was by Ragnar Locker ransomware, which upon encrypting the systems demanded a 1,580 Bitcoin ransom fee, the equivalent to around $11 million. In their ransom note, the attackers claim to have stolen 10TB of sensitive company files which will be leaked if the ransom isn’t paid. According to security analysts, the methodology of the attack and the ransom demand both indicate the attack was well thought out with the attacker fully aware of its victim’s financial capabilities.
Ragnar Locker is often delivered through MSPs tools such as ConnectWise, from which the attackers drop a highly targeted ransomware executable. This is a technique that has been used by other highly malicious ransomware campaigns, most notably, Sodinokibi. In this type of attack, the operators of the ransomware initially infiltrate organizations through unsecured or badly secured RDP connections and then used both tools to push Powershell scripts to all accessible endpoints. The scripts then downloaded a payload from Pastebin, which executes the ransomware and encrypts the endpoints. In some cases, the payload is an executable file that is executed as part of a file-based attack, in other cases additional scripts were downloaded, as part of a completely file-less attack.
Ragnar Locker is specifically targeting software commonly used by managed service providers, Below, is the list of targeted strings:
vss
sql
memtas
mepocs
sophos
veeam
backup
pulseway
logme
logmein
connectwise
splashtop
kaseya
Attackers first steal a victim’s files and upload it to their servers. They then tell the victim that they will only release the files publicly if a ransom is not paid, in a tactic that has recently been dubbed – the ‘Name & Shame Game’.
Ragnar Locker ransomware undermines the MSP’s security tools (as mentioned above, before the tools can block it from executing) and once inside, commences the encryption process. It contains a specific extension to use for encrypted files, an embedded RSA-2048 key.
The ransomware appends a new file extension, such as ‘.ragnar_22015ABC’ to the file’s name. The ‘RAGNAR’ file marker will also be added to the end of every encrypted file.
Ragnar Locker will drop a ransom note named ‘.RGNR_[extension].txt.’ The ransom note contains information on the ransom amount, a bitcoin payment address, a TOX chat ID to communicate with the cybercriminals, and a backup email address if TOX does not work. In each case, the ransom amount is calculated individually. According to reports, the amount of the ransom varies between $200,000 to $600,000.
ransom note
Amongst our customer environments, Deep Instinct found seven samples of this ransomware, and all were prevented statically with Deep Instinct’s current model in production. The previous model which was trained in Q3 of 2019 was also able to successfully detect and prevent the ransomware. This is a considerable feat considering that RagnarLocker went undetected by most other engines when it was first spotted in the wild. In the days following detection rates by other engines gradually improved.
For more information on: WastedLocker Randsomeware