
Ragnar Locker Comeback: U.S 52 Infrastructure Entities Hit, Anti-Ransomware Never Stops

2022-03-17 | Vinchin Official


On March 8, 2022, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) jointly issued a warning that Ragnar Locker ransomware was invading critical infrastructure in the United States on a large scale. As of January 2022, the FBI had identified at least 52 entities in 10 critical infrastructure sectors affected by the ransomware, including those in the critical manufacturing, energy, financial services, government and information technology sectors.

1. Actions of Ragnar Locker

Ragnar Locker is ransomware operated by the Ragnarok extortion gang and was first discovered at the end of December 2019. In June 2020, the gang cooperated with the notorious Maze extortion gang to share expertise and improve their attack techniques. As ransomware that has risen over the past two years, Ragnar Locker has been used against at least 44 organizations and enterprises in the "double extortion" mode. The following are some typical attack cases:

(1) In April 2020, EDP, a Portuguese multinational energy giant, was attacked, and the attackers demanded a ransom of 1580 bitcoin (equivalent to about US $10.9 million). The group behind the attack claimed that they had obtained 10TB of sensitive documents and would disclose the data publicly if EDP did not pay the ransom.

(2) In November 2020, Italian liquor giant Campari Group was hit, resulting in the loss of 2TB of unencrypted files (including bank statements, documents, contracts, etc.). The extortion gang openly demanded a ransom of up to 15 million dollars in a Facebook advertisement.

(3) In December 2020, the group targeted Capcom, a Japanese video game giant, and stole up to 1TB of confidential information stored by Capcom on the networks of subsidiaries in Japan, Canada and the United States, covering the personal data of 390,000 customers, business partners and other external parties.

(4) In May 2021, Taiwan's ADATA (Weigang), the world's second largest computer memory manufacturer, was hacked. The gang claimed that it had successfully stolen 1.5TB of sensitive data from Weigang's network system before deploying the ransomware payload. In addition, the gang released some screenshots of stolen documents and folders and threatened to disclose other sensitive data if ADATA refused to pay the ransom.

Globally, it is estimated that a cyberattack occurs every 11 seconds, and that ransom losses will reach $20 billion in 2021 alone. For extortion gangs, ransomware has become a very attractive cyber weapon, and it is one of the most destructive kinds of cyberattack on industries and individuals. How to prevent and respond to ransomware attacks has therefore become an urgent problem for all countries.

2. How to Shield from Ransomware?

1) Enhance resilience against ransomware attacks. The US government suggests holding confidential threat briefings for key infrastructure managers, modernizing cyber defenses and backing up key data, advice that can benefit users in any country.

2) Establish a complete and advanced data protection system. Ransomware gangs have consistently fed off the fact that, nowadays, most companies and institutions deploy their IT environments with virtualization technologies. A comprehensive and advanced protection system therefore plays a significant role in defending against cyberattacks.

Vinchin Backup & Recovery provides VM protection solutions for the world's mainstream virtual environments, including VMware, XenServer/XCP-ng, Hyper-V, RHV/oVirt, OpenStack, Sangfor HCI, and Oracle Linux Virtualization Manager, and has been deployed in over 60 countries for virtualization users in many industries including government, energy, IT services, gaming, and more.

3. Vinchin Anti-Ransomware Solutions


1) Anti-Ransomware Storage Protection

Vinchin Backup & Recovery secures backup data preserved in Vinchin backup storages (exclusive block devices) by immediately denying backup data modification requests made by unauthorized applications, based on real-time IO monitoring. This protects your vital backup data from being lost due to unforeseen circumstances. If ransomware or other malware tries to modify the backup, the access will be refused.

2) Unauthorized Data Modification Detection

Vinchin Backup & Recovery will immediately check the file's validity and will not sync the modified data to the backup server if the file type is maliciously changed or encrypted. Simultaneously, the backup system will monitor and preserve data throughout the entire process.

3) 3-2-1 Backup Strategy Compliance

Vinchin Backup & Recovery protects data against cyber threats in a variety of ways. For local backups, you can choose different backup plan combinations, such as full backup, (forever) incremental backup, and differential backup on a daily, weekly, or monthly basis. You can also copy your backup data to a remote DR center, or your branch office's backup data to HQ, with Vinchin Backup Copy. If your primary production site is destroyed, you can use the offsite backup copy to restore the VM to an offsite production system. By moving the well-protected backup copy from the remote site to the local production environment, you can also restore the VM to the onsite production system.

The US government hasn't mentioned any further collateral damage from this attack, but economic loss usually ensues. As information technology develops, so do the techniques of ransomware criminals. What we can do is put a data backup plan in place in time to minimize data loss and property damage.
