The FBI has issued an alert over the RagnarLocker gang, a group known to use crafty techniques like running ransomware inside a virtual machine to evade antivirus detection.
The law enforcement agency said it became aware of RagnarLocker in April 2020 and that, as of January 2022, it had “identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker.”
These include entities in critical manufacturing, energy, financial services, government, and tech. The ransomware group frequently changes its obfuscation techniques to avoid detection and prevention, the alert notes.
Deploying RagnarLocker in a stripped-down virtual instance of Windows XP was one of those obfuscation methods. This tactic allowed the group to hide from local antivirus software and provided more time to encrypt files. The group was known for selecting enterprise targets only and has in the past compromised managed service provider tools to then breach their customers.
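The reason the VM trick works against endpoint protection is that the guest's activity is invisible to the host's antivirus: the only thing the host sees is its own hypervisor process writing to files on a shared folder. A defender can turn that into a detection signal. The script below is an added example, not code from the FBI alert or from the article; it runs over constructed process-creation and file-write telemetry, flags a hypervisor process launching on a host where virtualization is not expected, and flags bulk file writes attributed to that process. The hypervisor executable names, the allow-list of hosts, the log format and the write threshold are all assumptions chosen for the example.

```python
"""Detection sketch (added example): look for a hypervisor process on a host
that should not be running VMs, then for that same process performing bulk
file writes, which is how ransomware running inside a guest VM appears on
the host. Process names, hosts and log format are assumptions."""

import re
from collections import defaultdict

# Assumption: hypervisor executables a defender might watch for.
HYPERVISOR_PROCESSES = {
    "virtualbox.exe", "vboxheadless.exe", "vmware-vmx.exe", "vmwp.exe",
}

# Assumption: hosts where running VMs is part of normal business.
ALLOWED_VM_HOSTS = {"DEV-WS01"}

# Constructed sample telemetry: "<timestamp> <host> <event> <process> <detail>"
SAMPLE_LOGS = r"""2022-03-07T10:01:02 FIN-WS12 ProcessCreate vboxheadless.exe --startvm xp-mini
2022-03-07T10:01:40 FIN-WS12 FileWrite vboxheadless.exe \\FIN-WS12\share\ledger.xlsx
2022-03-07T10:01:41 FIN-WS12 FileWrite vboxheadless.exe \\FIN-WS12\share\q4.docx
2022-03-07T10:01:42 FIN-WS12 FileWrite vboxheadless.exe \\FIN-WS12\share\payroll.csv
2022-03-07T10:01:43 FIN-WS12 FileWrite vboxheadless.exe \\FIN-WS12\share\notes.txt
2022-03-07T10:02:00 FIN-WS12 FileWrite explorer.exe \\FIN-WS12\share\todo.txt
2022-03-07T11:15:00 DEV-WS01 ProcessCreate vmware-vmx.exe build-vm
2022-03-07T11:16:00 DEV-WS01 FileWrite vmware-vmx.exe C:\vms\build.vmdk
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>\S+)\s+(?P<proc>\S+)\s*(?P<detail>.*)$"
)


def parse_line(line):
    """Parse one telemetry record; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["proc"] = rec["proc"].lower()
    return rec


def analyze(lines, write_threshold=3):
    """Return a list of findings for hypervisor activity worth a closer look.

    Two signals, each raised at most once per (host, process):
      1. a hypervisor process is created on a host not in ALLOWED_VM_HOSTS;
      2. a hypervisor process performs write_threshold or more file writes,
         regardless of host, since that is what guest-side encryption of a
         shared folder looks like from the host.
    """
    findings = []
    writes = defaultdict(int)
    launch_reported = set()

    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proc"] not in HYPERVISOR_PROCESSES:
            continue
        key = (rec["host"], rec["proc"])

        if rec["event"] == "ProcessCreate":
            if rec["host"] not in ALLOWED_VM_HOSTS and key not in launch_reported:
                launch_reported.add(key)
                findings.append({
                    "host": rec["host"], "process": rec["proc"],
                    "reason": "hypervisor launched on host not approved for VMs",
                    "detail": rec["detail"],
                })
        elif rec["event"] == "FileWrite":
            writes[key] += 1
            # Fire exactly once, when the count first reaches the threshold.
            if writes[key] == write_threshold:
                findings.append({
                    "host": rec["host"], "process": rec["proc"],
                    "reason": f"{write_threshold}+ file writes by hypervisor process",
                    "detail": rec["detail"],
                })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS.splitlines()):
        print(f"{f['host']} {f['process']}: {f['reason']} ({f['detail']})")
```

On the constructed sample, the finance workstation produces two findings (an unexpected hypervisor launch, then bulk writes from it) while the developer machine produces none, because it is on the allow-list and its single write stays under the threshold. In a real deployment the write count would be evaluated over a sliding time window rather than over the whole log, and the process allow-list would come from asset inventory rather than a hard-coded set.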
The FBI’s warning is contained in a new Flash alert published in coordination with the Cybersecurity and Infrastructure Security Agency.
The FBI notes that RagnarLocker still deploys within the attacker’s custom Windows XP virtual machine on a target’s site and