In this Threat Analysis Report, the Cybereason GSOC investigates the Ragnar Locker malware family, a ransomware and a ransomware operator which has recently claimed to have breached DESFA, a Greek pipeline company.
This report provides context over this recent breach as well as an overview of the Ragnar Locker ransomware through a dynamic analysis and a reverse engineering analysis.
Breach of a Pipeline Company : DESFA is a strategic energy-related company that has been claimed by Ragnar Locker as their victim.
Security Evasion Capabilities : Ragnar Locker checks if specific products are installed, especially security products (antivirus), virtual-based software, backup solutions and IT remote management solutions.
Ransomware Actors Targeting the Energy Sector : This is the second important pipeline company that has been hit by ransomware, along with Colonial Pipeline. Furthermore, four energy companies have been hit recently by ransomware, including three in Europe.
Active for Three Years : Ragnar Locker is both a ransomware group and the name of the software in use. They have been running since 2019 and targeting critical industries. They use the double extortion scheme.
Excluding the Commonwealth of Independent States : Ragnar Locker avoids being executed from countries since the group is located in the Commonwealth of Independent States (CIS).