A new FBI report has revealed that at least 52 critical national infrastructure (CNI) entities have been compromised by a ransomware variant.
The FBI has claimed that organizations across 10 CNI sectors had been impacted as of January this year. Key sectors include manufacturing, financial services, government and IT.
The group has changed its tools, techniques and procedures (TTPs) in an attempt to stay hidden, but the Feds have revealed that the group typically uses VMProtect, UPX and custom packing algorithms, deploying a custom Windows XP virtual machine on the victim’s site.
“RagnarLocker iterates through all running services and terminates services commonly used by managed service providers to remotely administer networks. The malware then attempts to silently delete all Volume Shadow Copies, preventing user recovery of encrypted files,” the report explained.
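As an added defensive example (not from the FBI report or this article), the Python below runs two detection heuristics over constructed process-creation records: a shadow-copy-deletion command line, and a burst of service-stop commands from a single parent process, matching the two behaviours quoted above. Host names, service names, the time window and the threshold are assumptions.

```python
"""Detection heuristics for the two behaviours quoted from the FBI report:
mass termination of remote-administration services and silent deletion of
Volume Shadow Copies. Input records mimic Windows Event 4688 / Sysmon Event 1."""
import re
from collections import defaultdict

# Well-known administrative methods of removing shadow copies (MITRE ATT&CK T1490)
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]
# A single stop is routine admin work; a burst from one parent is the signal
SERVICE_STOP_PATTERN = re.compile(r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop)\s+", re.I)
SERVICE_STOP_THRESHOLD = 5   # distinct services stopped within the window (assumption)
WINDOW_SECONDS = 60          # assumption

def detect(events):
    """events: dicts with keys host, ts (epoch seconds), parent, cmdline.
    Returns (host, rule, evidence) tuples."""
    alerts = []
    stops = defaultdict(list)  # (host, parent) -> [(ts, service)]
    for ev in events:
        cmd = ev["cmdline"]
        if any(p.search(cmd) for p in SHADOW_COPY_PATTERNS):
            alerts.append((ev["host"], "shadow_copy_deletion", cmd))
        m = SERVICE_STOP_PATTERN.search(cmd)
        if m:
            rest = cmd[m.end():].split()
            service = rest[0].strip('"').lower() if rest else ""
            stops[(ev["host"], ev["parent"])].append((ev["ts"], service))
    for (host, parent), items in stops.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            window = {svc for t, svc in items[i:] if t - t0 <= WINDOW_SECONDS}
            if len(window) >= SERVICE_STOP_THRESHOLD:
                alerts.append((host, "mass_service_stop", f"{parent} stopped {len(window)} services"))
                break
    return alerts

# Constructed sample telemetry: one benign admin stop on ws01, then a burst plus VSS deletion on fs02
SAMPLE_EVENTS = [{"host": "ws01", "ts": 100, "parent": "mmc.exe", "cmdline": "net stop Spooler"}] + [
    {"host": "fs02", "ts": 200 + i, "parent": "unknown.exe", "cmdline": f"net stop RemoteAdminSvc{i}"}
    for i in range(5)
] + [{"host": "fs02", "ts": 210, "parent": "unknown.exe",
      "cmdline": "vssadmin.exe delete shadows /all /quiet"}]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```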