Ragnar Locker Gang Warns Victims Not to Call the FBI

Investigators/the FBI/ransomware negotiators just screw everything up, the ransomware gang said, threatening to publish files if victims look for help.

All that the FBI/ransomware negotiators/investigators do is muck things up, so we’re going to publish your stuff if you call for help, the Ragnar Locker ransomware gang announced on its darknet data-leak site.

In an announcement posted this week and seen by Bleeping Computer, the ransomware operators threatened to publish all the data of victimized organizations that seek help from law enforcement or investigators following ransomware attacks.

The same goes for victims that call in data-recovery experts who try to decrypt files and/or help out with negotiating the ransom and/or the decryption process.

Infosec Insiders Newsletter

“In our practice we has facing with the professional negotiators much more often in last days,” the announcement said in broken-English-ese. “Unfortunately it’s not making the process easier or safer, on the contrary it’s actually makes all even worse.”

Ragnar Locker ransomware group’s warning on the group’s darknet leak site. Source: BleepingComputer.

Such negotiators are either affiliated with law enforcement or investigators or working directly with them, the gang asserted. Either way, they’re in it for themselves and don’t care about their clients’ financial well-being or their data privacy, the group said.

To rub salt into the wounds of the companies that Ragnar Locker preys upon, the gang went on to refer to their victims as “clients,” as if any of their long list of targets had mulled it all over and decided that it was high time to have their files encrypted and their businesses paralyzed and had therefore contracted with the Ragnar Locker group to get the job done.

“So from this moment we warn all our clients, if you will hire any recovery company for negotiations or if you will send requests to the Police/FBI/Investigators, we will consider this as a hostile attempt and we will initiate the publication of whole compromised Data immediately,” the gang warned. “Don’t think please that any negotiators will be able to deceive us, we have enough experience and many ways to recognize such a lie.”

Modus Operandi

As the FBI explained in November 2020 in a flash alert (PDF) about increased Ragnar Locker activity, the operators first get access to a victim’s network and then carry out reconnaissance to locate network resources, backups, or other sensitive files they can encrypt and steal. In the final stage of the attack, they manually deploy the ransomware, encrypting the victim’s data.

The Ragnar Locker ransomware family frequently switches up obfuscation techniques to slip past detection and prevention. The ransomware is identified by the extension “.RGNR_<ID>,” where <ID> is a hash of the computer’s NETBIOS name. The threat actors identify themselves as “RAGNAR_LOCKER” and leave a .txt ransom note, with instructions on how to pay.

Ragnar Locker has used VMProtect, UPX, and custom packing algorithms. The ransomware has also been deployed within an attacker’s custom Windows XP virtual machine on a target’s site, according to the FBI.

The alert followed the FBI’s first observation of Ragnar Locker in April 2020, when the gang encrypted 10TB of data belonging to an unnamed, large corporation, demanding an $11 million ransom.

At the time, the FBI said that Ragnar Locker was increasingly being thrown at a range of victims, including cloud service providers, communication, construction, travel and enterprise software companies.

Hit List

The Ragnar Locker operators have gone after a hodgepodge of industries. Some of their attacks:

July 2020: Corporate-travel leader CWT may have faced payment of $4.5 million in a ransomware attack attributed to Ragnar Locker.

November 2020: Italian spirits brand Campari was attacked by a gang that used Ragnar Locker to encrypt most of Campari’s servers.

November 2020: Capcom, the Japanese video game developer behind Resident Evil, Street Fighter and Darkstalkers, suffered a Ragnar Locker attack in which 1TB of sensitive data was encrypted. As of January 2021, the repercussions had widened: The company said that the personal data of up to 400,000 of its customers was compromised in the attack.

December 2020: aviation giant Dassault Falcon Jet, the US subsidiary of French aerospace company Dassault Aviation, informed customers (PDF) of a breach following a Ragnar Locker attack.

June 2021: The Taiwanese memory and storage maker ADATA admitted that it was forced to take its systems offline after it was targeted by a Ragnar Locker attack in late May.

Should You Pay?

The gang’s latest technique of trying to scare victims away from seeking help will add yet more pressure to pay ransom demands. You can imagine the thought process: If calling for help guarantees that the crooks will publish sensitive data, why bother?

But there are plenty of good reasons not to pay, in spite of the group’s new threat. One of the top-cited reasons is pure common sense: Namely, they’re crooks. You can’t trust them.

To put some context around what ransomware victims choose to do, Threatpost recently ran an exclusive poll that concluded that a full 80 percent of victims do not, in fact, pay.

The top reason cited, accounting for 42 percent of responses, is that paying the ransom doesn’t guarantee a decryption key.

Paying the ransom doesn’t even guarantee that you won’t get hit again. In a separate survey done by Cybereason, 80 percent of organizations that paid the ransom said they were hit by a second attack: Almost half were hit by the same threat group and one-third by a different one.

It’s time to evolve threat hunting into a pursuit of adversaries. JOIN Threatpost and Cybersixgill for Threat Hunting to Catch Adversaries, Not Just Stop Attacks and get a guided tour of the dark web and learn how to track threat actors before their next attack. REGISTER NOW for the LIVE discussion on September 22 at 2 PM EST with Cybersixgill’s Sumukh Tendulkar and Edan Cohen, along with researcher and vCISO Chris Roberts and Threatpost host Becky Bracken.

Suggested articles