The FBI detailed indicators of compromise for the RagnarLocker ransomware group in a report released Tuesday. Pictured: The seal of the FBI hangs in the Flag Room at the bureau's headquarters March 9, 2007, in Washington. (Photo by Chip Somodevilla/Getty Images)

The Federal Bureau of Investigation (FBI) on Tuesday released a Flash report that details the indicators of compromise (IOCs) associated with ransomware attacks by RagnarLocker, a group of a ransomware actors targeting critical infrastructure sectors.

Users and administrators were encouraged by the Cybersecurity Infrastructure and Security Agency (CISA)  to review the IOCs and technical details in the report and apply the recommended mitigations.

Since RagnarLocker’s emergence in 2020, the group has largely applied similar infiltration and encryption approaches: apply brute force on internet-facing RDP or purchasing access into environments from the dark web, explained Matthew Warner, co-founder and CTO at Blumira. Warner said there are very few cases of RagnarLocker being introduced through phishing emails. Rather it depends on vulnerable infrastructure to reach into organizations.

“To prevent these potential threats, organizations should reduce their attack surface by removing any internet-facing RDP servers and enabling multi-factor authentication at all points of access into the environment,” Warner said. “Evaluate your attack surface beyond just listening servers; for example, if your VPN has groups that do not require multi-factor authentication, you should change those settings to reduce risk. RagnarLocker also exfiltrates data in many cases. Monitoring large transfers in and out of your infrastructure will help detect RagnarLocker operators within the environment."

Saumitra Das, co-founder and CTO at Blue Hexagon, said ransomware continues to proliferate in critical infrastructure entities because our prevention-based controls like endpoint AV and firewalls that rely on threat intelligence matching and signatures and are very easy to evade. 

“The widespread prevalence of RagnarLocker is evidence of the problems with the current defense,” Das said. “This specific family has some interesting attributes where it’s not just trying to disable endpoint security tools, but also remote admin tools used by managed service providers like Kaseya so that they remain hidden. They are also careful to only encrypt specific files such that the machines remain operable while the encryption is happening.”