Ragnar Locker Ransomware Attacked Energy Sector
Industry: Energy | Level: Tactical | Source: Cybereason
Cybereason's threat analysis reports provide an analysis of the most recent breach by Ragnar Locker ransomware (active since 2019), which hit Greek natural gas operator DESFA on August 23rd, 2022, with no impact to the gas supply. Attacks against any critical infrastructure are concerning given that "Greece has an extremely strategic place for energy since gas from other places (Israel, for instance) flows to Europe." Static analysis of the Ragnar Locker malware's execution flow identified that it starts with host data collection, specifically to conduct a country match to determine if it would proceed, then deletes shadow copies with vssadmin and wmic, and finally encrypts data and drops a ransom note. The attack against DESFA marks the fourth energy provider hit recently by ransomware groups. Other energy companies attacked include ENN Group, hit by Hive ransomware; Creos/Encevo, hit by BlackCat/ALPHV; and South Staffordshire PLC, attacked by Cl0p ransomware.
Anvilogic Use Cases:
- WinRM Tools
- Inhibit System Recovery Commands
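
The shadow-copy deletion step described above can be hunted for in process-creation logs. The following is an added example, not Cybereason's or Anvilogic's detection content; the event tuples, host names and rule names are constructed for illustration, and it assumes the command line of each process is logged.

```python
import re

# Constructed process-creation events (host, command line); not from the report.
SAMPLE_EVENTS = [
    ("ws-01", r'C:\Windows\System32\vssadmin.exe delete shadows /all /quiet'),
    ("ws-01", r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete'),
    ("ws-02", r'vssadmin list shadows'),                      # benign inventory
    ("ws-03", r'cmd.exe /c "vssadmin Delete Shadows /All /Quiet"'),
    ("ws-04", r'wmic.exe os get caption'),                    # benign query
]


def _tokens(cmdline):
    # Windows arguments are case-insensitive; drop quotes so a command
    # wrapped in cmd.exe /c "..." is tokenized like a direct invocation.
    return cmdline.lower().replace('"', " ").replace("'", " ").split()


def _image(token):
    # Reduce a path such as c:\windows\system32\vssadmin.exe to "vssadmin".
    name = re.split(r"[\\/]", token)[-1]
    return name[:-4] if name.endswith(".exe") else name


def classify(cmdline):
    """Return a rule name if the command line deletes shadow copies, else None."""
    toks = _tokens(cmdline)
    for i, tok in enumerate(toks):
        rest = toks[i + 1:]
        img = _image(tok)
        if img == "vssadmin" and "delete" in rest and "shadows" in rest:
            return "vssadmin_shadow_delete"
        if img == "wmic" and "shadowcopy" in rest and "delete" in rest:
            return "wmic_shadow_delete"
    return None


def detect(events):
    """Return (host, rule) for every event that matches a rule."""
    hits = []
    for host, cmdline in events:
        rule = classify(cmdline)
        if rule:
            hits.append((host, rule))
    return hits


if __name__ == "__main__":
    for host, rule in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Matching on the executable name plus its arguments, rather than on one exact string, keeps the rule from missing full-path, mixed-case or `cmd.exe /c` invocations while leaving read-only commands such as `vssadmin list shadows` alone.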