SecurityWeek reports that Cybereason researchers have examined the encryption process of the Ragnar Locker ransomware.
On execution, Ragnar Locker first performs a location check and terminates if the host is located in a country belonging to the Commonwealth of Independent States. On hosts outside the CIS it proceeds to collect system information, which it obfuscates with a custom hashing function.
The ransomware then decrypts numerous service names embedded in its binary, followed by an embedded RSA public key and the ransom note. Ragnar Locker then encrypts files, excluding autoruns.inf, boot.ini, bootfont.bin, bootsect.bak and many others. Encrypted files receive the '.ragnar_[hashed computer name]' suffix, after which the ransomware spawns a notepad.exe process to display the ransom note, according to the report.
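The two observable artifacts above, the '.ragnar_[hashed computer name]' suffix and the list of boot files the ransomware leaves alone, are what an incident responder can check first when triaging a suspected Ragnar Locker host. The following Python script is an added example, not code from the Cybereason report or from the ransomware itself: it walks a file listing, extracts the hashed computer name from every renamed file, counts encrypted files per hash, and confirms that the excluded boot files were not renamed. The file paths and the hash value "1A2B3C4D" are constructed sample data; the real hash is produced by the sample's custom hashing function, whose output length and alphabet are not documented on this page, so the pattern only assumes a run of non-separator characters. The exclusion list is the partial one quoted above, not the full list.

```python
import re
from collections import Counter

# Ragnar Locker appends ".ragnar_<hashed computer name>" to the files it encrypts.
# Assumption: the hash contains no dots or path separators; its exact format is
# not documented on this page.
RAGNAR_SUFFIX = re.compile(r"\.ragnar_([^./\\]+)$")

# Partial exclusion list from the write-up; the real list is longer.
EXCLUDED_NAMES = {"autoruns.inf", "boot.ini", "bootfont.bin", "bootsect.bak"}


def basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def parse_ragnar_suffix(path):
    """Return the hashed computer name if the path carries the suffix, else None."""
    match = RAGNAR_SUFFIX.search(path)
    return match.group(1) if match else None


def triage(paths):
    """Summarise a file listing from a suspected Ragnar Locker host.

    Returns a dict with:
      per_hash           -> number of encrypted files seen per hashed computer name
      encrypted          -> original names of the encrypted files (suffix stripped)
      excluded_untouched -> files on the exclusion list that were left alone
      anomalies          -> excluded names that were renamed anyway (does not fit
                            the documented behaviour, so worth a closer look)
    """
    per_hash = Counter()
    encrypted = []
    excluded_untouched = []
    anomalies = []
    for path in paths:
        hashed_name = parse_ragnar_suffix(path)
        if hashed_name is None:
            if basename(path).lower() in EXCLUDED_NAMES:
                excluded_untouched.append(path)
            continue
        original = path[: -len(".ragnar_" + hashed_name)]
        if basename(original).lower() in EXCLUDED_NAMES:
            anomalies.append(path)
        per_hash[hashed_name] += 1
        encrypted.append(original)
    return {
        "per_hash": dict(per_hash),
        "encrypted": encrypted,
        "excluded_untouched": excluded_untouched,
        "anomalies": anomalies,
    }


# Constructed sample listing; "1A2B3C4D" is a placeholder hash, not a real value.
SAMPLE_LISTING = [
    r"C:\boot.ini",
    r"C:\bootfont.bin",
    r"C:\Users\alice\Documents\budget.xlsx.ragnar_1A2B3C4D",
    r"C:\Users\alice\Documents\notes.txt.ragnar_1A2B3C4D",
    r"D:\shares\finance\q1.docx.ragnar_1A2B3C4D",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\autoruns.inf.ragnar_1A2B3C4D",  # constructed anomaly for the check above
]

if __name__ == "__main__":
    report = triage(SAMPLE_LISTING)
    for hashed_name, count in report["per_hash"].items():
        print(f"hash {hashed_name}: {count} encrypted file(s)")
    print("excluded files left untouched:", report["excluded_untouched"])
    print("excluded names renamed anyway:", report["anomalies"])
```

In a real engagement the listing would come from a forensic image or a file-system walk rather than a literal; a single hashed computer name across a share that several hosts write to points at the machine the encryptor ran on, and grouping by hash separates multiple infected hosts writing to the same share.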
"In general, ransomware operatives doing double extortion always require full privileges on the network they are looking to encrypt... Between the initial access phase (when they take control of an asset, for instance through spearphishing) and the encryption phase, they have access to many machines, which they can extract data from and send through exfiltration services / external domains," said Cybereason Global SOC Principal Security Analyst Loic Castel.
Officials in Augusta, Georgia have not communicated with the BlackByte ransomware operation, which took credit for a cyberattack against the city that began on May 21, Mayor Garnett Johnson said, according to The Record, a news site by cybersecurity firm Recorded Future.
The Clop ransomware operation, also known as Lace Tempest, TA505 and FIN11, has admitted responsibility for attacks that exploited a zero-day vulnerability in the MOVEit Transfer managed file transfer application to compromise servers and exfiltrate data, after Microsoft attributed the intrusions to the group, reports BleepingComputer.
The University of Waterloo in Canada has disclosed that a ransomware attack on May 30 affected its on-campus Microsoft Exchange servers before it was averted, according to The Record, a news site by cybersecurity firm Recorded Future.