Analyst Report
Back to Newsroom

Cybereason Warns Global Critical Infrastructure Operators After Attacks from Ragnar Locker Ransomware Gang

Sep 1, 2022

Cybereason, the XDR company, today issued a global Threat Analysis Report investigating the Ragnar Locker ransomware gang and its attacks on networks of global critical infrastructure operators. Ragnar Locker first emerged in 2019, and since its debut hundreds of companies have been victimized. Cybereason assesses the threat level of Ragnar Locker ransomware attacks against critical infrastructure operators as HIGH.

After Ragnar Locker carried out more than 50 successful attacks against U.S. critical infrastructure operators, the FBI issued a Flash Advisory earlier this year warning the operators to increase their diligence against possible attacks. Recently, Ragnar Locker claimed responsibility for an attack on DESFA, Greece’s largest natural gas provider. 

Ragnar Locker has been using the double extortion scheme on their victims. Double extortion works when attackers penetrate a victim’s network, steal sensitive information by moving laterally through the organization and threaten to publish the stolen data unless the ransom demand is paid.

Other key findings of the investigation include:

--Security Evasion Capabilities: Ragnar Locker checks if specific products are installed, especially security products (antivirus), virtual-based software, backup solutions and IT remote management solutions.

--Active for Three Years: Ragnar Locker is both a ransomware group and the name of the software in use. They have been running since 2019 and targeting critical industries. They use the double extortion scheme.

--Excluding the Commonwealth of Independent States: Ragnar Locker avoids being executed from countries since the group is located in the Commonwealth of Independent States (CIS).


Ransomware attacks can be prevented. Cybereason offers these recommendations to organizations to reduce their risks: 

--Practicing good security hygiene like implementing a security awareness program for employees, assuring operating systems and other software are regularly updated and patched.

--Assuring key players can be reached at any time of day as critical response actions can be delayed during holiday and weekend periods when attacks occur during off hours.

--Conducting periodic table-top exercises and drills and including those beyond the security team like Legal, Human Resources, IT Support and all the way up to the Executive Suite is also key to running a smooth incident response.

--Ensuring clear isolation practices are in place to stop any further ingress on the network or spreading of the ransomware to other devices. Teams should be proficient at things like disconnecting a host, locking down a compromised account, and blocking a malicious domain, etc. Testing these procedures with scheduled or unscheduled drills at least every quarter is recommended. 

--Evaluating lock-down of critical accounts when possible. The path attackers often take in propagating ransomware across a network is to escalate privileges to the admin domain-level and then deploy the ransomware. Teams should create highly secured, emergency-only accounts in the active directory that are only used when other operational accounts are temporarily disabled as a precaution or inaccessible during a ransomware attack.

--Deploying EDR on all endpoints. The quickest remedy to the ransomware scourge for public and private sector businesses is deploying EDR on endpoints according to Gartner’s Peter Firstbrook. Yet Firstbrook says that only 40 percent of endpoints have EDR.

About Cybereason                                                                                                                            Cybereason is the XDR company, partnering with Defenders to end attacks at the endpoint, in the cloud and across the entire enterprise ecosystem. Only the AI-driven Cybereason Defense Platform provides planetary-scale data ingestion, operation-centric MalOp™ detection, and predictive response that is undefeated against modern ransomware and advanced attack techniques. Cybereason is a privately held international company headquartered in Boston with customers in more than 40 countries.

Media contact: 

Bill Keeler 

Senior Director, Global Public Relations 


+1 (929) 259-3261