3rd Party Risk Management , Business Continuity Management / Disaster Recovery , Critical Infrastructure Security

Ransomware Groups Target Global Critical Infrastructure

52 US Organizations on RagnarLocker Radar; Hive Attacks Romanian Petrol Giant
Ransomware Groups Target Global Critical Infrastructure
Critical infrastructure on alert. Pictured: Russellville nuclear power plant in U.S. (Photo: Edibobb via Wikipedia)

Ransomware groups continue to target critical infrastructure around the globe.

See Also: Modernizing Malware Security with Cloud Sandboxing in the Public Sector

In the U.S., the FBI has issued an alert about the RagnarLocker ransomware group targeting at least 52 entities across 10 critical infrastructure sectors. And in Romania, petrol supplier Rompetrol has reportedly been hit by the Hive ransomware group, suspending its Fill&Go services.

RagnarLocker's Growing Footprint

The FBI on Monday released a flash alert, warning users and organizations in the U.S. to remain vigilant about the RagnarLocker ransomware group's growing footprint.

"As of January, the FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including entities in the critical manufacturing, energy, financial services, government, and information technology sectors," the alert says.

The FBI, in its technical analysis, says that the ransomware group is known for frequently changing its obfuscation methods to avoid detection, and focuses on geo-targeting. To achieve this, the FBI says that operators of RagnarLocker use a Windows API GetLocaleInfoW. The API helps them identify the location of the infected machine, and if the victim's location is identified as Azerbaijani, Armenian, Belarus, Kazakhstan, Kyrgyzstan, Moldavia, Tajikistan, Russia, Turkmenistan, Uzbekistan, Ukraine or Georgia, then the process of ransomware infection is automatically terminated.

When it comes to deployment, "RagnarLocker uses VMProtect, UPX, and custom packing algorithms and deploys within an attacker's custom Windows XP virtual machine on a target's site," the alert says.

According to the FBI, RagnarLocker also uses other Windows APIs, such as CreateFileW, DeviceIoControl, GetLogicalDrives and SetVolumeMountPointA, to identify all attached hard drives. It then assigns a drive letter to those that have not been assigned a logical drive letter and makes them accessible. "These newly attached volumes are later encrypted during the final stage of the binary," the alert says.

A Picky Ransomware

Until now, RagnarLocker ransomware operators have been sophisticated in choosing geo-targets and in analyzing the victim's system by using several Windows APIs.

But this is not the end of it, according to the FBI.

"Instead of choosing which files to encrypt, RagnarLocker chooses which folders it will not encrypt. Taking this approach allows the computer to continue to operate normally while the malware encrypts files with known and unknown extensions containing data of value to the victim," the FBI says.

The FBI also shared a list of folders that are not encrypted by the malware:

  • Windows
  • Windows.old
  • Mozilla
  • Mozilla Firefox
  • Tor browser
  • Internet Explorer
  • $Recycle.Bin
  • Program Data
  • Google
  • Opera
  • Opera Software

The RagnarLocker ransomware also does not encrypt files with extensions certain extensions - .db, .sys, .dll, .lnk, .msi, .drv, and .exe - the FBI says in its alert.

Apart from the modus operandi and the technical analysis of the RagnarLocker ransomware family, the FBI, in its alert, also described other indicators of compromise for the group, such as IP addresses, Bitcoin addresses and email addresses used by the group's operators.

Rompetrol Incident

On Monday, oil group and KMG International subsidiary Rompetrol published a Facebook post saying that it was facing a "complex cyberattack." The attack, it said, had forced the company to take its websites and the Fill&Go service at gas stations offline. At the time of writing, both the KMG International and Rompetrol websites are offline.

Rompetrol's cyberattack notification (Source: Facebook page of Rompetrol)

The company, in its post, says it is in constant contact with the National Directorate of Cyber Security - or DNSC - to resolve the situation.

The DNSC acknowledged this contact in a press release. Certain services were affected due to the cyberattack, it says, adding that the organizations' websites were down to protect their data.

"To protect the data, the company has temporarily suspended the operation of the sites and the Fill&Go service, both for fleets and for individuals. [But] the activity of the Rompetrol gas stations is carried out normally, the customers having at their disposal the option of payment in cash or by bank card," the DNSC says.

Martial Gervaise, deputy cybersecurity director of telecom company Orange, tweeted that the Hive ransomware group was behind the cyberattack, citing screenshots of what appears to be a ransom note. He does not cite the source of his information. The group, he says, demanded a $2 million ransom to hand over the decryptor and to not publicly leak stolen data on its Tor site, HiveLeaks.

KMG International and Rompetrol have not responded to Information Security Media Group's request for confirmation of Gervaise's claim.

The attackers reportedly had access to the internal systems or networks of Rompetrol's Petromidia refinery, a report in media outlet Bleeping Computer says, citing an anonymous source. But the DNSC, in a statement, clarifies that "the activity of the Petromidia refinery is not affected."

Hive Decryptor

In February, security researchers from South Korea’s Kookmin University found a way to decipher Hive's encryption algorithm without using the master key.

"To the best of our knowledge, this is the first successful attempt at decrypting the Hive ransomware," the researchers say in the report.

Their experiment showed that more than 95% of the keys used in encryption could be recovered due to a cryptographic flaw they discovered during analysis. This led to the researchers finding a method for decrypting encrypted files without using the attacker's private key.

This, the researchers say, was possible since they found that the Hive ransomware does not use all bytes of the master key encrypted with the public key. "Using our proposed method, more than 95% of the master key used for generating the encryption keystream was recovered. Most of the infected files could be recovered by using the recovered master key. We expect that our method will be helpful for individuals and enterprises damaged by the Hive ransomware," the researchers say.

"While it may seem like ransomware is unavoidable, and being prepared to respond to an infection is important, there are preventive measures that organizations can take to reduce the risk of becoming a victim," says Tim Erlin, vice president of strategy at software company Tripwire.

Ransomware does not "magically appear" on the systems, Erlin tells ISMG.

"Attackers have to find a way to install their preferred flavor of ransomware on your systems, and shutting down common attack vectors will reduce the risk," he says.

Erlin says that attackers will take advantage of insecurely configured and vulnerable systems: "A noncritical system may provide the attacker with an initial foothold from which they can expand and move laterally."


About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.co.uk, you agree to our use of cookies.