The FBI has reported that the RagnarLocker ransomware has affected 52 entities across 10 critical infrastructure sectors, including financial services, energy and information technology, as of January.
RagnarLocker, which the FBI first encountered in April 2020, changes its obfuscation techniques to avoid detection, the agency said in a FLASH report published on Monday.
The cyber actors behind RagnarLocker use the “.RGNR_<ID>” file extension and leave a .txt file containing instructions for decrypting the data locked by the ransomware.
RagnarLocker targets attached hard drives using the CreateFileW, DeviceIoControl, GetLogicalDrives and SetVolumeMountPointA Windows application programming interfaces (APIs).
The ransomware terminates services that managed service providers use to remotely manage networks, then encrypts files. The malware also prevents file recovery by deleting volume shadow copies.
The FBI recommends that organizations implement a number of mitigation practices, such as securing backups, patching computers and using multi-factor authentication.
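
For responders scoping an incident, the “.RGNR_<ID>” extension described above can be used to triage a file inventory by ID and by drive. The following is an added example, not code from the FBI report; the ID character set, the sample paths, the note file name and the "plain .txt beside locked files" heuristic are assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: <ID> is letters, digits or hyphens; the page gives no format.
RGNR_EXT = re.compile(r"\.RGNR_([A-Za-z0-9-]+)$", re.IGNORECASE)

# Constructed sample inventory (e.g. exported from an EDR or a directory listing).
SAMPLE_PATHS = [
    r"C:\Finance\q4.xlsx.RGNR_4F2A91BC",
    r"C:\Finance\payroll.docx.RGNR_4F2A91BC",
    r"C:\Finance\README_HOW_TO.txt",      # hypothetical note name
    r"E:\Backups\db.bak.rgnr_4F2A91BC",   # attached drive, lower-case variant
    r"C:\Users\amy\notes.txt",            # unrelated .txt, no locked files nearby
    r"D:\Shared\plan.pdf",
]

def triage(paths):
    """Return {id: {"drives", "locked", "note_candidates"}} for matching files."""
    report = defaultdict(lambda: {"drives": set(), "locked": [], "note_candidates": []})
    locked_dirs = defaultdict(set)   # directory -> IDs seen in that directory
    txt_files = []
    for raw in paths:
        p = PureWindowsPath(raw)
        m = RGNR_EXT.search(p.name)
        if m:
            rid = m.group(1).upper()
            report[rid]["drives"].add(p.drive.upper())
            # Assumption: the extension is appended to the original file name,
            # so the text before it is the name to look for in backups.
            report[rid]["locked"].append(str(p.parent / p.name[:m.start()]))
            locked_dirs[p.parent].add(rid)
        elif p.suffix.lower() == ".txt":
            txt_files.append(p)
    # Heuristic (assumption): a plain .txt in a directory that also holds
    # locked files is a candidate for the instruction file.
    for p in txt_files:
        for rid in locked_dirs.get(p.parent, ()):
            report[rid]["note_candidates"].append(str(p))
    return dict(report)

if __name__ == "__main__":
    for rid, info in triage(SAMPLE_PATHS).items():
        print(rid, sorted(info["drives"]), len(info["locked"]), info["note_candidates"])
```
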