Updated on 2022-11-28: Ransomware Operators Leak Belgian Police Force Data
Ransomware operators who thought they were targeting a Belgian municipality in Antwerp instead stole from the Zwijndrecht police force in that city. The attackers leaked the data, which includes crime report files, investigation reports, traffic camera footage, and personnel information. The attackers reportedly leveraged an inadequately secured Citrix endpoint to gain access to the targeted network.
- Talk about collateral damage. This is not the way to find out your endpoints are not properly secured. Take a look at your scan results, making sure that findings (secure configurations, patching, end-of-life, etc.) are being resolved according to your risk ratings, and maybe make sure those risk scoring/ratings are still appropriate. Now, go look at all your external services (outsourced, cloud, private cloud, etc.) and have a clear understanding of who is on the hook for similar actions, then verify they are done within an acceptable level of risk. Make sure that as much of this as can be automated is. Before going out to license new capabilities, check to see what is available/licensed which may not be fully utilized, if at all.
- Human error, coupled with lack of configuration and patch management is often the root cause of successful ransomware attacks. The recently published ‘Blueprint for Ransomware Defense’ can serve as an action plan for ransomware mitigation, response, and recovery for the Belgian police force.
Read more in
- Ransomware gang targets Belgian municipality, hits police instead
- Belgian Police Under Fire After Major Ransomware Leak
Updated on 2022-11-27
The Ragnar Locker ransomware group started leaking the sensitive data it stole from the police force of Zwijndrecht, Belgium. The threat actor even gained access to records dating back to 2006. Read more: Belgian Police Under Fire After Major Ransomware Leak
Updated on 2022-11-26: Zwijndrecht police ransomed
The Ragnar Locker ransomware gang has hacked and is now extorting the police department of the Belgian city of Zwijndrecht. The group claims to have obtained information detailing thousands of license plates, speeding fines, and even criminal investigations, ranging from 2006 to September 2022. Police officials said they detected the attempt to encrypt their servers and shut down their network for two weeks while they investigated and restored services. Ragnar Locker has already leaked some of the files on their dark web leak site. Read more: Een van de grootste datalekken bij politie ooit: hacker gooit flitsboetes, nummerplaten en zelfs foto’s van mishandelde kinderen op straat (in English: One of the biggest police data leaks ever: hacker dumps speeding fines, license plates and even photos of abused children in public)
Updated on September 2022
The Ragnar Locker group was found selling the stolen information, including the name, nationality, sex, date of birth, address, and contact details, of 1.5 million TAP Air Portugal customers on the dark web. Read more: Cyberattack Steals Passenger Data From Portuguese Airline
Updated on August 2022: Greek Natural Gas Company Hit with Cyberattack
A natural gas distribution company in Greece was the target of a cyberattack. The incident compromised some data and was responsible for an IT system outage. The Ragnar Locker ransomware group has claimed responsibility for the attack.
- The attack impacted their online services, not their gas delivery (OT) systems. DESFA is taking a conservative approach of validating and restoring all non-OT IT services, rather than just known compromised systems, before bringing them back online. That is a scenario worth discussing at your next tabletop. While there is no such thing as perfect security, there are steps you can take, like these, to reduce the likelihood of recurrence.
Updated on March 2022: FBI Alert: RagnarLocker Ransomware
The FBI has published a TLP:WHITE flash alert about RagnarLocker ransomware. According to the alert, the RagnarLocker ransomware group has targeted networks of at least 52 US critical infrastructure organizations. The alert includes technical details and indicators of compromise.
- Make sure you have those IOCs incorporated into your threat detection platform. When reading the techniques, note that the list of locations is where the ransomware doesn’t operate. Additionally, it is selective about what it encrypts, leaving the system deceptively operating. The bulletin includes mitigations, what information is needed to report an attack, as well as resources including the FBI and CISA local offices. The FBI is poised to help if you discover this stealthy malware on your network.
Read more in
- FBI: Ransomware gang breached 52 US critical infrastructure orgs
- RagnarLocker Ransomware Indicators of Compromise (PDF)
Updated on June 2021: Ransomware Operators Leak Data Stolen from ADATA
Data stolen from Taiwanese memory and storage manufacturer ADATA has reportedly been leaked online. ADATA’s network was the target of a ransomware attack in late May. The ransomware operators appear to have stolen at least 700GB of archived data. The service where the data were being hosted closed the ransomware operators’ account.
- While the MEGA storage service has closed their account, the Ragnar operators still have the data and will find another location to distribute it. This raises concerns about where your exfiltrated data could be located and who has copies, despite assurances from the operators it will be deleted upon receipt of payment. It may be simpler to operate on a model that exfiltrated data has been released publicly and to build your response plan from there.
- Ransomware is nothing more than malware; what makes it so effective is how criminals monetize the infections. Originally, monetization was via targeting availability, but criminals then added the impact of exposing confidentiality, as they did here. Depending on your industry, one of these two is bound to have a significant impact on your organization, thus the rise in payments.
Updated on November 2020: Capcom Discloses Cyberattack
Video game developer Capcom has disclosed that some of its networks were hit with a cyberattack on November 2. In a press release, Capcom said “it has halted some operations of its internal networks.” The attack appears to have affected Capcom’s email system as well; a notice on the company’s website says that it is currently “unable to reply to inquiries and/or to fulfill requests for documents.” Read more in:
- Capcom quietly discloses cyberattack impacting email, file servers
- Capcom hit by Ragnar Locker ransomware, 1TB allegedly stolen
Updated on August 2020: US Travel Agency CWT Reportedly Paid $4.5M Ransomware Demand
Corporate travel agency CWT (formerly known as Carlson Wagonlit Travel) has confirmed that its network was shut down due to a ransomware attack in late July. The company reportedly paid $4.5 million to regain access to its encrypted data. The strain of ransomware used in the attack appears to be Ragnar Locker. Read more in:
- First rule of Ransomware Club is do not pay the ransom, but it looks like Carlson Wagonlit Travel didn’t get the memo
- ‘Payment sent’ – travel giant CWT pays $4.5 million ransom to cyber criminals
- CWT Travel Agency Faces $4.5M Ransom in Cyberattack, Report
Updated on May 2020: Ransomware Deploys Virtual Machine to Evade Detection
Researchers from Sophos found that the RagnarLocker ransomware group is installing the Oracle VirtualBox app to run virtual machines (VMs) on targeted computers. The attackers use the VM to execute the ransomware and evade detection. The RagnarLocker operators choose their targets carefully, focusing exclusively on corporate and government networks.
Editor’s Note: The targets chosen are more likely to be running VirtualBox, so its presence alone is not necessarily a red flag. This attack installs an unsigned SunxVM VirtualBox MSI from 2009, which should trigger endpoint defenses. Unplanned disabling of backup and remote management utilities also merits follow-up. As this group is also known for exfiltrating data, expect threats of data disclosure to accompany ransom demands. Read more in:
- Forget BYOD, this is BYOVM: Ransomware tries to evade antivirus by hiding in a virtual machine on infected systems
- Attackers’ use of virtual machine to hide ransomware is a first, say researchers
- Ransomware deploys virtual machines to hide itself from antivirus software
- Ransomware encrypts from virtual machines to evade antivirus
- Ragnar Locker ransomware deploys virtual machine to dodge security
Overview: European Energy Company Faces Ransomware Demand
Systems at European energy company Energias de Portugal (EDP) were hit with ransomware on Monday, April 13, 2020. The Lisbon-based company says it is working with authorities regarding the attack. The operators of the Ragnar Locker ransomware are threatening to publish or sell data stolen from the company if it does not pay the 1,580 bitcoin (€10.3 million, US $11.2 million) demand.
Note: It is very late to be seeing so many successful extortions based on weak cyber security. Raise the cost of attack against your systems and improve your resilience. The bad news is that you need to raise the cost of attack about ten-fold to be effective. The good news is that you are on the flat part of the security cost curve where you can get a big bang for your bucks. Lack of budget is not an excuse; there is always money for that which must be done. Ask for it over and over until you get it. That is called “your job.”