Ragnar Locker ransomware has made international headlines lately due to targeted attacks against ADATA, a Taiwanese memory and storage manufacturer.
Like many other well-known ransomware variants (such as DarkSide, Avaddon, and REvil), the current variant of Ragnar Locker uses a double extortion technique to encourage victims to pay, where data is both encrypted locally and exfiltrated before the ransom demand is made. If the victim refuses to pay, their confidential data is published to a site located on the dark web.
Ragnar Locker currently claims to have exfiltrated 1.5TB of data from ADATA. According to the group's leak site, this information was gathered carefully over a long period. As ADATA has (to date) refused to cooperate with Ragnar Locker and pay the ransom demand, download links for the stolen data were made available on Ragnar Locker’s leak site on June 16, 2021.
In an email to Bleeping Computer, ADATA confirmed that it was hit by this particular ransomware attack on May 23, 2021. It responded by immediately taking down all impacted systems and notifying all relevant international authorities of the incident.
Prevention First
At BlackBerry, we take a prevention-first and AI-driven approach to cybersecurity. Putting prevention first neutralizes malware before the exploitation stage of the kill-chain, preventing ransomware from gaining access to critical files and data in the first place.
By stopping malware at this stage, BlackBerry® solutions help organizations increase their resilience to cyberattacks and cyber-extortion attempts. BlackBerry solutions also help reduce infrastructure complexity and streamline security management to ensure businesses, people, and endpoints are secure.
The BlackBerry Threat Research Team has analyzed the attack methods used by this threat, and in addition to recommending basic cyber hygiene steps, strongly urges BlackBerry customers to ensure their systems have BlackBerry® Protect enabled with a blocking policy, and BlackBerry® Optics enabled to detect threats that trigger the rules noted below.
BlackBerry Protect, BlackBerry Optics and BlackBerry Guard stop these attacks.
Our customers can feel confident that our AI-driven security products, as well as our Managed Detection & Response (MDR) solution, are all well-equipped to mitigate the risks posed by threat actors leveraging patch vulnerabilities:
- BlackBerry Protect, our endpoint protection product, can help shield customers from a Ragnar Locker ransomware attack. BlackBerry Protect stops the attack during the reported first stage of malware execution, protecting customers and their data from further impact.
- BlackBerry Optics, our Endpoint Detection and Response (EDR) product, can also help mitigate a Ragnar Locker ransomware attack. BlackBerry recommends activating the following BlackBerry Optics rules:
  - Win User Execution Mitre T1204
  - Win Possible Base64 Encoding Mitre T1132
  - Shadow File Deletion (MITRE)
  - Win Inhibit System Recovery Mitre T1490
  - Win BootRecoveryMeasure Deletion Mitre T1107
  - Win FileExtensions LocalSystemCollection NonSYS Mitre T1005
  - Win Boot Persist Mitre T1547
  - Win FileExtensions LocalSystemCollection Mitre T1005
  - Win PrivateKey Modification Mitre T1145
- BlackBerry® Guard customers are proactively protected, and our 24/7 MDR solution customers receive:
  - Alerts monitored in real-time
  - Corrective policies applied while discovering gaps in policy implementation
  - Prioritized threat hunting
  - The latest threat intelligence for fast-moving threats
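As an added illustration, not BlackBerry's code and not the logic of the Optics rules themselves, the Python below scans constructed process-creation events for the recovery-inhibition behaviours the rules above name (Shadow File Deletion, Inhibit System Recovery, BootRecoveryMeasure Deletion) and tags each hit with its ATT&CK technique. The sample events, rule names and patterns are assumptions made for this example.

```python
import re

# Constructed sample process-creation events (not real telemetry): (process, command line).
SAMPLE_EVENTS = [
    ("vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("wmic.exe", "wmic.exe shadowcopy delete"),
    ("bcdedit.exe", "bcdedit.exe /set {default} recoveryenabled no"),
    ("bcdedit.exe", "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    ("wbadmin.exe", "wbadmin.exe delete catalog -quiet"),
    ("vssadmin.exe", "vssadmin.exe list shadows"),               # benign: enumeration only
    ("notepad.exe", "notepad.exe C:\\Users\\alice\\notes.txt"),  # benign
]

# Each rule: (name, ATT&CK technique, regex over the command line). The patterns cover the
# recovery-inhibition commands ATT&CK documents under T1490; illustrative, not exhaustive.
RULES = [
    ("Shadow File Deletion", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("Shadow File Deletion", "T1490",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("BootRecoveryMeasure Deletion", "T1490",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("Inhibit System Recovery", "T1490",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", re.I)),
]


def match_rules(command_line):
    """Return the (rule name, technique) pairs whose pattern fires on one command line."""
    return [(name, tid) for name, tid, pat in RULES if pat.search(command_line)]


def scan_events(events):
    """Return one alert dict per matching event, preserving event order."""
    alerts = []
    for process, cmd in events:
        for name, tid in match_rules(cmd):
            alerts.append({"process": process, "rule": name, "technique": tid, "command_line": cmd})
    return alerts


if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f"[{a['technique']}] {a['rule']}: {a['command_line']}")
```

The benign enumeration and the notepad event produce no alert; only the five destructive commands are flagged.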
The BlackBerry Incident Response Team can work with organizations of any size and across any vertical, to evaluate and enhance their endpoint security posture and proactively maintain the security, integrity, and resilience of their network infrastructure.
For emergency assistance, please email us at DLIR@blackberry.com, or use our handraiser form.
Learn more about the latest cybersecurity threats and threat actors in the BlackBerry 2021 Annual Threat Report.