Processes spurring from the Ragnar Locker Ransomware have affected at least 52 critical infrastructure victims since January, but will terminate if it encounters systems in certain Russian and near-Russian locations.
Cybersecurity and Infrastructure Security Agency Executive Director Brandon Wales emphasized the importance of small and medium sized organizations preparing for ransomware attacks in the wake of a warning officials issued to be on the lookout for a threat actor known as the Ragnar Locker gang, which appears to avoid Russia-related entities.
“These issues that you're addressing and bringing together the small- and medium-sized businesses on are absolutely essential,” Wales said, “both given our current threat environment and because we know that these issues are front of mind, for business leaders throughout the country.”
Wales spoke during an event hosted by the Aspen Institute on Tuesday, which simulated a ransomware attack to highlight unforeseen challenges that arise over the course of a victim’s response. He reiterated that CISA currently doesn’t deem the homeland to be under cyber threat, but his remarks follow an FBI Flash warning the National Cyber Awareness System pushed out Tuesday on ransomware that’s coded to circumvent entities in and around Russia.
“We've made it clear on a number of occasions, but at this time we are not aware of any specific or credible cybersecurity threat to the homeland,” Wales said. “That being said, we are mindful of the potential for Russia to escalate destabilizing actions it's taking inside of Ukraine that could have impacts outside of Ukraine, and we've been working across our federal government to ensure our departments and agencies have taken the necessary steps to be protected and on guard against what is possible.”
The FBI has tracked at least 52 U.S. organizations across 10 critical infrastructure sectors—including in manufacturing, energy, finance, IT and government—that have been affected by Ragnar Locker ransomware, as of January, according to the Flash report.
The bureau previously released a flash warning on the Ragnar Locker gang in November 2020, noting then about the group’s ransomware: “If the victim’s locale is found to be ‘Azerbaijani,’ ‘Armenian, ‘Belorussian,’ ‘Kazakh,’ ‘Kyrgyz,’ ‘Moldavian,’ ‘Tajik,’ ‘Russian,’ ‘Turkmen,’ ‘Uzbek, ‘Ukrainian’ or ‘Georgian,’ the process will terminate.”
The new warning includes an updated list of indicators of compromise, including IP, email and Bitcoin addresses.