The recent attack on Greece’s largest natural gas transmission operator DESFA by ransomware gang Ragnar Locker is the latest on a growing list of incidents where ransomware groups attacked energy companies. This gang seems to prefer critical infrastructure sectors, having targeted over 50 such organizations in the U.S. over the past two years.
According to a new analysis by researchers from Cybereason, Ragnar Locker is a growing threat that uses layers of encryption to hide instructions in its binary and kills various processes associated with remote login and support.
A growing list of energy sector ransomware victims
The attack against DESFA came to light last week when the Ragnar Locker gang released 360GB of data stolen from the company via its data leak site. Like modern ransomware groups, Ragnar Locker employs double extortion, first by encrypting files and ransoming the decryption key and then by stealing sensitive data from victims and threatening to release them.
DESFA confirmed that it was the target of a cyberattack and said it didn’t plan to negotiate with the attackers. The company, which operates Greece’s natural gas transmission and distribution systems, said that while some of its IT systems were impacted, the supply of natural gas was not disrupted.
Even if the gas distribution was not affected in this case, the May 2021 ransomware attack against Colonial Pipeline, a major oil and gasoline pipeline operator in the U.S. is proof that such disruptions can happen and they can have major economic impact, especially at a time when Europe faces growing energy prices and gas shortages. Colonial Pipeline was forced to shut down its pipeline for days causing fuel shortages across the U.S. East Coast.
In early August, the Hive ransomware group claimed an attack against Chinese gas and energy producer ENN Group. In July, Creos, a company that manages electricity networks and natural gas pipelines in Luxembourg was hit by the BlackCat ransomware gang, and two weeks ago, South Staffordshire Plc, a U.K water utility suffered a cyberattack by the Clop ransomware gang.
Ragnar Locker also seems to focus on organizations related to critical infrastructure. In March, the FBI issued an alert about the threat warning organizations that since 2020, it has identified at least 52 entities across ten critical infrastructure sectors in the U.S. that were hit by this ransomware, which included organizations in critical manufacturing, energy, financial services, government, and information technology. Since the recent DESFA attack, Ragnar Locker also claimed an attack on Portugal’s flag carrier airline, TAP Air Portugal.
How Ragnar Locker encrypts systems
Once deployed on a computer, the Ragnar Locker ransomware first checks if the system’s locale is set to one of 12 countries in the Commonwealth of Independent States (CIS) and stops executing if this is there’s a match. This is a common technique used by ransomware authors from former USSR countries to avoid attracting the attention of local authorities in their region.
The program then collects system information, such as the computer name, username, the unique machine GUID and creates a hash value that will be used as an identifier for the victim machine. It then iterates through all the local disk volumes and deletes the volume shadow copies to prevent easy data recovery.
The malware then starts decrypting certain sections of its binary that were encrypted with the RC4 cipher. One section contains a list of processes that will be killed if found running on the machine. These include vss, sql, memtas, mepocs, sophos, veeam, backup, pulseway, logme, logmein, connectwise, splashtop, kaseya, vmcompute, Hyper-v, vmms and Dfs. Some of these processes are associated with remote support tools or data backup services.
Another RC4-encrypted section contains an RSA public key that will be used to encrypt the file encryption keys. The ransomware uses the performant Salsa20 encryption algorithm to encrypt files, aside from those on an exclusion list that are meant to keep the system and any installed browsers operational. The encrypted files receive the suffix .ragnar_[hashed computer name].
Finally, the ransom note is generated as a .txt file and is displayed by launching a Notepad process. The note contains instructions on how to contact the attackers along with a warning that if no contact is made within two weeks the decryption key will be deleted and any files copied from the organization’s computers will be publicly released or sold off.
According to a report this month from industrial cybersecurity firm Dragos, 125 ransomware incidents were launched by 23 groups that impacted industrial organizations during the second quarter of 2022. Conti, a prolific ransomware gang that reportedly shut down its operations in May, accounted for around a quarter of these attacks, but other groups are clearly continuing the trend. Europe was the most impacted region, with 37% of the attacks, followed by the U.S. with 29% and Asia with 26%.
“In Q3 of 2022, Dragos assesses with high confidence that ransomware will continue to disrupt OT [operational technology] operations, whether through the integration of OT kill processes into ransomware strains, flattened networks allowing for ransomware to spread into OT environments, or through precautionary shutdowns of OT environments by operators to prevent ransomware from spreading to OT systems,” the company said.