Ragnar Locker: the hacker group that attacked EDP and TAP remains a mystery. And it will probably stay that way
Why have 250 dollars when you can get 10 or 20 million? The question is posed by Vítor Ventura, a cybersecurity researcher at Cisco Talos, but long before that it was already being worked on by the Maze group, which was dedicated to blocking computers and databases and demanding a ransom in return, as the strict rules of ransomware dictate. After finding the answer to the initial question, the group began to devote itself to attacks on large companies, around 2019. Not long after, already in 2020, it disbanded – but the turning point had been reached. In a link that is yet to be explained, a page appears on the Dark Web that connects Maze to other ransomware groups – and it is on this page that the first reference appears to Ragnar Locker, as a group specializing in attacks on large companies such as EDP and TAP, which are among the known victims in Portugal.
“TAP is not obtained by accident. There was even an intention to attack a company like TAP”, guarantees Vítor Ventura.
Presumably, Vítor Ventura’s analysis can also be applied to the attack that Ragnar Locker launched in June 2020 against EDP. At that time, only the architecture of the power grid prevented part of the country from being left in the dark after the infection and blocking of computers and data stores and the demand for a 10 million euro ransom. EDP has always denied that it paid the ransom – and the account that Ragnar Locker made available for paying the ransom in bitcoins confirms that it has not received any transaction since its creation, which could be proof that EDP didn’t actually pay any ransom.
Not all cases will be like this. And there are those who admit that some companies offer ransom payments via alternative methods to those proposed by cybercriminals, precisely to avoid embarrassing evidence of collaboration with criminals.
“Ransomware groups are always emerging because there are companies that pay ransoms. But they didn’t have to pay. That money should be invested in data protection and backups,” suggests David Russo, chief technology officer at cybersecurity firm CyberS3c.
FBI vs. two years of mystery
EDP became one of the first victims of the Ragnar Locker group – but the mystery about the group did not dissipate over the next two years.
“At one point it was thought that Maze had turned into a cartel, but the truth is that it soon disappeared. Of course, none of this prevents ringleaders from continuing their activities in other groups. In the case of Ragnar Locker, it has always been a discreet group, unlike, for example, the Lockbits who make more of a fuss. Ragnar Lockers carry out attacks, reveal information about victims depending on whether they receive money or not, and then discreetly move on to other targets,” describes Vítor Ventura.
On the Dark Web, the Ragnar Locker site confirms that there are important names among the victims of the supposedly discreet ransomware group. The company that manages the oil pipeline in Greece under the brand DEFSA, the decoration company Jonathan Adler, the aircraft manufacturer Dassault Falcon Jet and Northern Data Systems are among those attacked – but most of the victims are not known beyond the borders of their home countries. And the worst may be yet to come: according to a report released in March by FBI law enforcement officials in the US, Ragnar Locker has data from 52 entities in 10 sectors connected to the infrastructure that supports day-to-day operations.
Apart from the FBI report, not much more information about the ransomware group has been revealed by the authorities – not even by the Portuguese police investigating the attacks on TAP or EDP.
“They are not exactly a group of amateurs. Only with good organization is it possible to produce ransomware (to infect computers), develop encryption algorithms (to keep computers locked) and even manage cryptocurrency wallets (to receive ransoms from victims). These are things that require a lot of people and division of labor. But the truth is that the group continues to exist… and this could be a sign that there has been investment in new techniques that evade the protection of different systems,” explains David Russo.
Those who closely follow developments on the dark side of the Internet admit that the group can count on members of various nationalities. And the bulletin that the FBI published in March points, in a way, to a new clue. Analysis of the ransomware source code used by Ragnar Locker reveals automated instructions to stop any attack on computers located in countries such as Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Tajikistan, Russia, Turkmenistan, Uzbekistan, Ukraine and Georgia.
“I can’t say the Ragnar Locker group is in Russia, but I also can’t put my hands on the fire and say it’s not,” says Valter Santos, coordinator of Bitsight’s cybersecurity research team.
The fact that it automatically protects the countries of the former Soviet Union is not enough to draw conclusions about the origin of the attack, but it serves as a warning about the trend: “There is no sign of cooperation between Ragnar Locker and these countries [which appear in the source code] but, as US President Joe Biden recently said, those who launch these attacks are just as responsible as the governments that allow them to be launched”, adds Vítor Ventura.
The Cisco Talos cybersecurity expert compares ransomware groups’ relationship with some governments to what happened, at the time of the Discoveries, with private individuals who benefited from the direct or indirect protection of some jurisdictions. The war in Ukraine could also encourage political interpretations, but Vítor Ventura rejects that path: “For Ragnar Locker, it’s a job; there are no political moves here, although the attacks they carry out can affect companies and economic competition between different countries”.
Two years may not seem like a lot to the police and judges, but it can be an eternity on the Internet, given the number of tools that allow networks of infected computers to be controlled remotely without the legitimate owners knowing, solely for the purpose of concealing the attack vectors of cybercriminals. The very business logic adopted by these ransomware groups, which employ hundreds of people, ends up making the investigation even more difficult.
“After attacking victims, blackmail follows three factors: encryption of company data and a ransom demand for the return of information; disclosure of data if the ransom is not paid; and in the end there can still be a denial of service attack,” describes Valter Santos.
The BitSight expert also confirms the growing entrepreneurial streak of ransomware groups. He recalls the revelation that emerged after the break-up of the cybercriminal group known as Conti, which was spread across three offices in Russia and was organized into engineering and sales departments, as well as different hierarchical levels that pursued specific monthly goals – specifically to cover operating expenses that some experts estimated at $26,000 a month.
“These groups conduct market studies and base ransom demands on the turnover of these companies. Of course, at this moment, they prefer to attack bigger fish”, says Valter Santos.
Ransomware has costs
It’s possible that the members of Ragnar Locker have their bills to pay as well. Until the turning point brought about by the Maze group between 2019 and 2020, ransomware groups showed a very democratic streak – and attacks were carried out by sending infected e-mails or messages to a large number of Internet users from various countries and social classes. Even if only 1% of targets clicked on infected links or files of unknown origin, there was always an increased probability of a large number of victims being passed on to sales departments, where they were treated as “customers” until they paid the ransom.
This strategy would reveal a weakness that is difficult to overcome: it has high operating costs and requires communication with people from different continents who may have either several thousand euros or only half a dozen euros to pay the ransom.
The attacks on TAP and EDP were already carried out according to the corporate approach. And there is an unimportant detail: “Portugal is becoming an increasingly attractive market because it already has financially capable companies [to pay a ransom] and does not have a very high level of technological literacy”, Vítor Ventura believes.
From Lockbits, who are known for seeking more media coverage, comes a clue that could also help shed light on the fact that some cybercriminal groups have targeted Portugal. In an interview with a member of Lockbit, experts from Cisco Talos learned that these days cybercrime groups prefer to attack in Europe, to the detriment of the US.
The sophistication of American police may justify this advantage, but it is not the only reason. A law requiring U.S. companies to publicly disclose when they are the target of an attack has ultimately reduced some of the impact of data disclosure in the U.S. – but there is another important factor: “The General Data Protection Regulation [and the sanctions it applies to data leaks] in the end functions as a pressure element [for companies to pay the ransom]”, answers Vítor Ventura.
Encryption and professionalism promise to reduce the success rate of investigations that can be conducted. “I’m not saying they won’t be able to break up groups like Ragnar Locker, but it’s a big challenge for the police,” David Russo analyzes.
Except in cases where one of the members exposes the others, only a mistake can lead to the identification and breaking up of Ragnar Locker members, experts say. And even then we have to wait for the suspects to be in countries with extradition treaties. Interestingly, both Valter Santos and Vítor Ventura believe that this last possibility could happen on a day when the money saved encourages cybercriminals to spend their holidays in a place with lots of sun. In both cases there is nothing left to hope for.