"Ragnar Locker Ransomware Targets Energy Sector, Cybereason Suggests"

On Saturday, August 20, Greece’s largest natural gas supplier DESFA said it was hit by a cyberattack that impacted the availability of some of its systems. The Ragnar Locker hacking group claimed responsibility for the ransomware attack, saying it had published more than 360 GB of data allegedly stolen from DESFA. Almost two weeks after the attack, security researchers from Cybereason have now released a Threat Analysis Report describing the details of the attack.

The researchers stated that Ragnar Locker is ransomware that has been in use since at least December 2019 and is generally aimed at English-speaking users. The Ragnar Locker ransomware has been on the FBI’s radar since the gang breached more than fifty organizations across ten critical infrastructure sectors.

The researchers stated that the first thing Ragnar Locker does after infecting a system is check the infected machine’s locale. If it finds a match with certain countries, including Russia, Ukraine, and Belarus, the malware does not execute, and the process is terminated. Otherwise, the ransomware starts extracting information about the infected machine and attempts to identify the existing file volumes on the host. The researchers noted that after the identification phase, Ragnar Locker starts encrypting files and creates a ransom note, which is then displayed to the victim. The researchers also stated that Ragnar Locker is able to check whether specific products are installed, particularly security software like antivirus, virtual-based software, backup solutions, and IT remote management solutions, in order to circumvent their defenses and avoid detection.

 

Infosecurity reports: "Ragnar Locker Ransomware Targets Energy Sector, Cybereason Suggests"

Submitted by Anonymous on