
Ragnarok is a ransomware gang known for the Ragnar Locker ransomware, which has impacted a range of high-profile organizations from video game developers to energy companies. This article looks at Ragnarok's operations, ransomware strain, and some high-profile attacks carried out by the gang.

 

Ragnarok: Operations and Ransomware Analysis

Ragnarok uses classic double extortion tactics: it first exfiltrates data from enterprise IT systems and then locks down files, servers, and workstations. Attacks often begin with weak or stolen passwords used to log in to RDP services. Once inside, the actors escalate privileges by exploiting vulnerabilities such as CVE-2017-0213 and move laterally through the network.

After escalating privileges within compromised networks, threat actors install the ransomware strain and delete volume shadow copies; the latter step prevents administrators from recovering files from older, unencrypted copies. Alongside these standard ransomware operations and tactics, Ragnarok has some peculiarities worth mentioning.

An intriguing tactic uncovered by security researchers is that the Ragnarok gang uses virtual machines installed on compromised systems and runs its ransomware inside those VMs. This is a stealth tactic designed to bypass endpoint security solutions that may detect the ransomware. Any changes made to system files appear to come from legitimate VM software so that anti-malware solutions don’t flag the activity as suspicious.

Many ransomware strains try to evade detection by listing and killing currently running local processes, such as antivirus solutions. The use of VMs serves as another example of the creativity threat actors increasingly demonstrate in ensuring their ransomware attacks have the best chances of succeeding. Given the short shelf-life of many ransomware strains and gangs today, this evolution in tactics is arguably what should capture the most attention about Ragnarok from a security perspective. 
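The tradecraft described above (RDP password guessing, shadow copy deletion, killing security processes, and running the encryptor inside a locally installed hypervisor) all leaves footprints in ordinary Windows process and logon telemetry. The following detection rules are an added example written for this article, not IRONSCALES code or anything published by the Ragnarok gang; the log events are constructed, the field names loosely follow Windows Security (4625/4624) and Sysmon process-creation conventions, and the `ExampleAV.exe` process name and the VirtualBox-based VM indicators are assumptions chosen to illustrate each rule.

```python
"""Detection rules for the Ragnar Locker tradecraft described in the article,
run over constructed Windows-style log events (added example, not vendor code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry.
EVENTS = [
    {"ts": "2021-08-01T02:00:01", "id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "admin"},
    {"ts": "2021-08-01T02:00:03", "id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"ts": "2021-08-01T02:00:05", "id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"},
    {"ts": "2021-08-01T02:00:06", "id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "svc_sql"},
    {"ts": "2021-08-01T02:00:08", "id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "it"},
    {"ts": "2021-08-01T02:00:09", "id": 4624, "logon_type": 10, "src_ip": "203.0.113.7", "user": "it"},
    {"ts": "2021-08-01T02:09:00", "id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows", "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2021-08-01T02:10:00", "id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet", "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2021-08-01T02:10:02", "id": 1, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM ExampleAV.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2021-08-01T02:12:00", "id": 1, "image": r"C:\Users\it\AppData\Local\Temp\vbox\VBoxHeadless.exe",
     "cmdline": "VBoxHeadless.exe --startvm micro", "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2021-08-01T09:00:00", "id": 1, "image": r"C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe",
     "cmdline": "VBoxHeadless.exe --startvm devbox", "parent": r"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe"},
]

# Shadow copy deletion via the built-in tools most commonly seen in ransomware playbooks.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|win32_shadowcopy.*delete", re.I)
# Forced process or service termination (security tooling is the usual target).
KILL_CMD = re.compile(r"taskkill(\.exe)?\s+.*/IM\s|net(\.exe)?\s+stop\s", re.I)
# Hypervisor binaries (assumption: VirtualBox-style process names).
HYPERVISOR = re.compile(r"\\(VBoxHeadless|VBoxManage|VirtualBox|VBoxSVC)\.exe$", re.I)
TRUSTED_VM_PATH = re.compile(r"^C:\\Program Files( \(x86\))?\\", re.I)
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Source IPs with >= threshold failed RDP logons (4625, logon type 10) in any sliding window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") == 10:
            by_ip[e["src_ip"]].append(datetime.fromisoformat(e["ts"]))
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits


def shadow_copy_deletion(events):
    """Command lines that delete volume shadow copies (listing them is benign and not flagged)."""
    return [e["cmdline"] for e in events if e["id"] == 1 and SHADOW_DELETE.search(e["cmdline"])]


def security_tool_kill(events):
    """Command lines that force-kill processes or stop services."""
    return [e["cmdline"] for e in events if e["id"] == 1 and KILL_CMD.search(e["cmdline"])]


def suspicious_hypervisor(events):
    """Hypervisor processes started from an untrusted path or by a shell/script interpreter."""
    hits = []
    for e in events:
        if e["id"] != 1 or not HYPERVISOR.search(e["image"]):
            continue
        parent = e["parent"].rsplit("\\", 1)[-1].lower()
        if not TRUSTED_VM_PATH.match(e["image"]) or parent in SHELL_PARENTS:
            hits.append(e["cmdline"])
    return hits


if __name__ == "__main__":
    print("RDP brute force:", rdp_bruteforce(EVENTS))
    print("Shadow copy deletion:", shadow_copy_deletion(EVENTS))
    print("Process/service kills:", security_tool_kill(EVENTS))
    print("Suspicious hypervisor launches:", suspicious_hypervisor(EVENTS))
```

The hypervisor rule is the one that matters most for the VM tactic: encryption performed by a guest looks like normal hypervisor disk activity on the host, so the useful signal is not the file writes but the hypervisor itself appearing in a user-writable directory or being launched by a script interpreter. The threshold and window in `rdp_bruteforce` are tuning parameters; a successful 4624 from the same source shortly after the burst is the event worth escalating first.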

From an operational perspective, Ragnarok further garnered media attention by warning victims not to contact law enforcement. In an announcement post published on Ragnarok’s dark web leak site, the gang threatens that “if you hire any recovery company for negotiations or if you will send requests to the police/FBI/investigators, we will consider this as a hostile intent and we will initiate the publication of whole compromised data immediately.”

This operational tweak perhaps reflects a degree of panic among the gang’s members. After noting how law enforcement quickly closed in and managed to shut down several high-profile ransomware operations in mid-2021, Ragnarok probably feared the same fate. 

 

Ragnar Locker Victims

Within a relatively short timeframe, Ragnarok threat actors managed to infiltrate the networks of several high-profile victims, steal their data, and encrypt important files. 


Energias de Portugal (EDP), April 2020

An attack on Portuguese electric utility company EDP marked the first publicly disclosed, high-profile incident involving the Ragnar Locker ransomware. A letter sent to customers of the North American branch of EDP outlined how the company’s parent corporation “experienced a ransomware attack on its information systems...the attackers had gained unauthorized access to at least some information stored on the company’s own information systems.”

The ransom note left by Ragnarok demanded a payment in Bitcoin equating to $10 million at the time. Gang members told EDP that they had exfiltrated up to 10 terabytes of data from its IT infrastructure. Remediation efforts attempted to limit the reputational impact by offering affected EDP customers one free year of identity protection services.

 

Campari Group, November 2020

Marking the start of a month in which Ragnarok attacked at least two high-profile victims, Campari Group revealed a severe ransomware attack that infiltrated the Italian liqueur maker’s IT systems in early November 2020. The company, which makes a signature liqueur known to customers globally, generated revenues just short of €1.8 billion in 2020.

Reports suggested the Ragnar Locker ransomware encrypted Campari Group IT servers in up to 24 different locations. Demands for a substantial $15 million ransom indicated high levels of sensitive data exposure and/or a severe compromise in IT infrastructure. Subsequent technical investigations revealed compromises of some sensitive personal and business data, including names, surnames, e-mail addresses, and mobile phone numbers for over 4,000 employees. 

 

Capcom, November 2020

A second high-profile ransomware attack in November 2020 by Ragnarok’s threat actors resulted in what video game developer Capcom described as a customized ransomware attack on its systems. The Japanese company is particularly well-known for the Resident Evil series of zombie-based video games, with combined sales of over 120 million copies.

A company statement outlined an extensive list of potentially compromised data that included personally identifiable information in up to 350,000 items. Investigations revealed the initial entry point came from compromised credentials for an old backup VPN account. 

 

ADATA, May 2021

ADATA is a Taiwanese computer storage and memory manufacturer that counts solid state drives and external storage (HDDs, SSDs, enclosures, and USB flash drives) among its main consumer-focused products. ADATA’s accounts showed revenues close to $1 billion in 2019, and the company has over 1,400 employees.

Near the end of May 2021, Ragnarok threat actors infiltrated ADATA’s network and installed the Ragnar Locker ransomware strain on multiple systems. According to gang members, they managed to steal up to 1.5 terabytes of sensitive information before installing ransomware. ADATA managed to act quickly to bring affected systems offline before the ransomware propagated further through the company’s network. 

 

Ragnarok: Disbandment and Future

In August 2021, Ragnarok announced an abrupt shutdown of its operations. The threat actors even released the decryption key so that all victims could fully restore any remaining encrypted files or systems.

It is interesting to speculate whether this sudden disbandment reflected pressure from law enforcement. This would be somewhat ironic considering the gang’s assertion that any victim contacting law enforcement would have its data published openly to the world.

Another angle on the gang’s departure is that perhaps one or more victim organizations caved in to ransom demands, which led to a large payday and early retirement for gang members. Whether or not these threat actors re-emerge with a new version of Ragnar Locker remains to be seen. It’s not unheard of for a ransomware gang to announce an operational shutdown before coming back on the radar a few months later.

 

Credential Phishing 

A clear pattern emerging through Ragnarok’s attacks is the exploitation of relatively obvious weaknesses to gain initial network access. Stolen or compromised credentials for VPNs, RDP, and other systems are a common network entry point. Threat actors get their hands on passwords by brute-force guessing weak passwords, reusing passwords from other breaches published on the dark web, or through credential phishing.

Credential phishing attacks use psychological tactics, including eliciting urgency or exploiting familiarity, to get targets to click malicious links and enter their login credentials on fake login pages that appear genuine. Often, these emails come from spoofed email addresses that look like they come from brand name companies. 

Some credential phishing attacks point to malicious web pages that present an image of a login form rather than a real one. Targets enter their passwords into what looks like a login page without recognizing its malicious intent. Adversaries use this tactic to evade filters that block suspicious URLs on the basis that the page contains a login form.
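The two email-level signals described in this section, a spoofed sender that looks like a brand-name company and language that elicits urgency, can be scored directly from the `From:` header and subject before any link is followed. The scorer below is an added example written for this article, not IRONSCALES’ detection logic; the `PROTECTED` brand list, the homoglyph table, the point values, and the sample headers are all constructed assumptions, and a real deployment would sit behind SPF/DKIM/DMARC verification rather than trusting the header domain on its own.

```python
"""Heuristic credential-phishing scoring on sender and subject.
Added illustration for the article; not vendor code."""
import re
from email.utils import parseaddr

# Constructed: registered domains the organization trusts, mapped to the brand name users see.
PROTECTED = {"ironscales.com": "IRONSCALES", "microsoft.com": "Microsoft", "paypal.com": "PayPal"}
# Urgency and fear phrases typical of credential lures (constructed, non-exhaustive).
URGENCY = re.compile(r"urgent|immediately|within 24 hours|suspended|verify your account|action required", re.I)
# Common digit-for-letter substitutions used in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(label):
    """Fold homoglyph tricks so 'paypa1' and 'rnicrosoft' compare against the real labels."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(domain):
    """Last two labels of the host part (assumption: no public-suffix list handling)."""
    return ".".join(domain.lower().split(".")[-2:])


def score(from_header, subject, flag_at=3):
    """Return (points, reasons, flagged). Exact trusted domains score 0 on the
    assumption that sender authentication has already been verified upstream."""
    name, addr = parseaddr(from_header)
    domain = registered_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    if domain in PROTECTED:
        return 0, [], False
    points, reasons = 0, []
    label = normalize(domain.split(".")[0])
    for brand_domain, brand in PROTECTED.items():
        brand_label = normalize(brand_domain.split(".")[0])
        if edit_distance(label, brand_label) <= 1:
            points += 3
            reasons.append(f"lookalike of {brand_domain}: {domain}")
        elif brand_label in label:
            points += 2
            reasons.append(f"brand '{brand}' embedded in unrelated domain {domain}")
        if brand.lower() in name.lower():
            points += 2
            reasons.append(f"display name '{name}' impersonates {brand} from {domain}")
    if URGENCY.search(subject):
        points += 1
        reasons.append("urgency language in subject")
    return points, reasons, points >= flag_at


if __name__ == "__main__":
    # Constructed sample headers.
    samples = [
        ("PayPal <service@paypa1.com>", "Action required: verify your account"),
        ("IT Helpdesk <helpdesk@microsoft-support.com>", "Password expires immediately"),
        ("Microsoft Account Team <no-reply@microsoft.com>", "Your account was suspended"),
        ("Alice <alice@example.org>", "Lunch tomorrow?"),
    ]
    for hdr, subj in samples:
        print(score(hdr, subj), "<-", hdr)
```

The edit-distance rule is deliberately tight (distance of at most one after homoglyph folding) because short brand labels would otherwise collide with ordinary words; widening it is a tuning decision that should be measured against a corpus of known-good mail. Display-name impersonation is scored separately because it is the signal that survives when the attacker uses a freshly registered domain with no resemblance to the brand at all.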

To adequately combat credential phishing, organizations need an email security solution that leverages machine learning advancements to detect and block credential phishing attacks. A self-learning solution ensures the blocking component improves over time by looking for emails that were incorrectly allowed into inboxes without any flagging or blocking. This reinforcement-learning approach lets solutions leverage real-world data to quickly become highly accurate at blocking potential phishing emails.

To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a demo today at https://ironscales.com/get-a-demo/.

IRONSCALES
Post by IRONSCALES
December 10, 2021