Ragnar Locker Ransomware Strikes Computer Memory and Storage Company ADATA

Ragnar Locker Ransomware has struck against Taiwan-based memory and storage manufacturer ADATA, who were forced to take their systems offline after the attack. The attack occurred in May, and ADATA is still dealing with the fallout. ADATA is a publicly listed Taiwanese memory and storage manufacturer, founded in May 2001 by Simon Chen. Its main product line consists of DRAM modules, USB Flash drives, hard disk drives, solid-state drives, memory cards, and mobile accessories. ADATA is also expanding into new areas, including robotics and electric powertrain systems.

In addition to its main ADATA brand, the company also sells PC gaming hardware and accessories under its XPG (“Xtreme Performance Gear”) brand. In 2017 ADATA was the second-largest DRAM module manufacturer in the world and had a market capitalization of US$680 million. In recent years ADATA has extended its business to Europe and the Americas while competing strongly with Samsung in Asia.

The Ragnar Locker Ransomware infection was initially reported by BleepingComputer in June.

The Taiwanese memory manufacturer took down all impacted systems after detecting the attack and notified all relevant international authorities of the incident to help track down the attackers.

“ADATA was hit by a ransomware attack on May 23rd, 2021,” the company stated in an email.

ADATA’s business operations are no longer disrupted, according to the memory maker, with affected devices being restored and services closing in on regular performance.

“The company successfully suspended the affected systems as soon as the attack was detected, and all following necessary efforts have been made to recover and upgrade the related IT security systems,” ADATA added.

“Gladly things are being moved toward the normal track, and business operations are not disrupted for corresponding contingency practices are effective.

“We are determined to devote ourselves making the system protected than ever, and yes, this will be our endless practice while the company is moving forward to its future growth and achievements.”

ADATA did not confirm what strain of ransomware hit them, but the attack was confirmed and claimed by the Ragnar Locker Ransomware gang afterward.

Ragnar Locker Ransomware claimed they stole 1.5TB of sensitive data from ADATA’s network before deploying the ransomware payloads.

At present, the gang has only posted screenshots of the files they took. They are threatening to leak the files fully if the ransom isn’t paid. According to the screenshots already posted by Ragnar Locker Ransomware on their dark web leak site, the attackers could collect and exfiltrate proprietary business information, confidential files, schematics, financial data, Gitlab and SVN source code, legal documents, employee info, NDAs, and work folders.


Ragnar Locker Ransomware activity was first observed in December 2019.

On compromised enterprise endpoints, Ragnar Locker operators terminate remote management software (such as ConnectWise and Kaseya) used by managed service providers (MSPs) to manage clients’ systems remotely.

This allows the attackers to evade detection and ensure that admins logged in remotely do not block the payload deployment process.

The FBI warned private industry partners of increased Ragnar Locker Ransomware activity after an April 2020 attack that impacted the network of multinational energy giant Energias de Portugal (EDP).

Demands from Ragnar Locker Ransomware since its inception range from $200,000 to $600,000.

Ragnar Locker Ransomware Analysis

Note: This analysis was carried out by the Infosec Institute.

Ransomware of this kind often disables services to bypass security protections, and targets database and backup systems to increase the impact of the attack. Database and mail services are also stopped so that their data can be encrypted during the infection process.

One particularity that sets Ragnar Locker apart is that it specifically targets remote management software often used by managed service providers (MSPs), such as the popular ConnectWise and Kaseya software.
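The service-stopping behaviour described above leaves a trace defenders can look for. The following is an added example, not code from the Infosec Institute analysis: it flags hosts where remote-management tooling and other service categories named in the article stop within a short window. The log line layout, the keyword list, the five-minute window and the sample events are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Keyword -> category. Categories follow the article; the keywords are
# illustrative assumptions and must be tuned to the services you run.
CATEGORIES = {"connectwise": "remote-management", "kaseya": "remote-management",
              "sql": "database", "backup": "backup", "exchange": "mail"}
# Message text of Service Control Manager event 7036 for a stopped service.
STOPPED = re.compile(r"^The (?P<svc>.+) service entered the stopped state\.$")

def parse(line):
    """Parse 'time|host|event-id|message' into (time, host, category) or None."""
    ts, host, event_id, message = line.split("|", 3)
    m = STOPPED.match(message.strip())
    if event_id != "7036" or not m:
        return None
    name = m.group("svc").lower()
    for keyword, category in CATEGORIES.items():
        if keyword in name:
            return datetime.fromisoformat(ts), host, category
    return None

def find_bursts(lines, window=timedelta(minutes=5), min_categories=3):
    """Return {host: categories} where remote-management tooling and at least
    min_categories categories in total were stopped within one window."""
    per_host = defaultdict(list)
    for line in lines:
        event = parse(line)
        if event:
            per_host[event[1]].append((event[0], event[2]))
    alerts = {}
    for host, events in per_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {c for t, c in events[i:] if t - start <= window}
            if "remote-management" in seen and len(seen) >= min_categories:
                alerts[host] = sorted(seen)
                break
    return alerts

# Constructed sample events, not taken from a real incident.
SAMPLE = [
    "2024-01-15T02:10:01|FS01|7036|The Kaseya Agent service entered the stopped state.",
    "2024-01-15T02:10:03|FS01|7036|The SQL Server (MSSQLSERVER) service entered the stopped state.",
    "2024-01-15T02:10:04|FS01|7036|The Example Backup Agent service entered the stopped state.",
    "2024-01-15T09:30:00|DB02|7036|The SQL Server (MSSQLSERVER) service entered the stopped state.",
    "2024-01-15T09:31:00|DB02|7036|The SQL Server (MSSQLSERVER) service entered the running state.",
]
```

Calling `find_bursts(SAMPLE)` flags FS01 only; the routine database restart on DB02 stays below the threshold.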

This data-encrypting malware decides whether to run based on the computer language settings. When first started, Ragnar Locker checks the configured Windows language preferences and terminates its process if the setting corresponds to one of the former USSR countries.

After that, Ragnar Locker will begin the encryption process. When encrypting files, it will skip files in the following folders, file names and extensions.

Ragnar Locker appends the hardcoded extension “.ragnar_” to the end of the file name, and “” is replaced by a generated and unique ID. All the available files on physical drives are encrypted and, at the end, notepad.exe is opened to show the ransom note file created in the victim’s system directory.

This ransomware is not equipped with a mechanism to detect whether the computer has already been compromised. A particularity is that if the malware reaches the same device more than once, it will encrypt the device over and over again. This can be seen below where Ragnar Locker Ransomware encrypts the files three times in a row.
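For incident responders, the extension and re-encryption behaviour above can be turned into a quick triage of a file listing. This is an added example, not code from the article or the Infosec Institute analysis. It assumes that each encryption pass appends another “.ragnar_” suffix and that the ID consists of letters and digits; the sample paths are constructed.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# One encryption layer = ".ragnar_" followed by the generated ID. The ID
# alphabet (letters and digits) is an assumption; the article only says the
# ID is generated and unique.
LAYER = re.compile(r"\.ragnar_([0-9A-Za-z]+)$")

def peel(path):
    """Return (original_name, [IDs, outermost first]) for one file path."""
    name, ids = PureWindowsPath(path).name, []
    while (m := LAYER.search(name)):
        ids.append(m.group(1))
        name = name[:m.start()]
    return name, ids

def triage(paths):
    """Summarise a listing: layers per file, IDs seen, deepest layer count."""
    layers, ids_seen, untouched = Counter(), set(), []
    for p in paths:
        _, ids = peel(p)
        if not ids:
            untouched.append(p)
            continue
        layers[len(ids)] += 1
        ids_seen.update(ids)
    return {
        "encrypted": sum(layers.values()),
        "untouched": untouched,
        "files_by_layer_count": dict(layers),
        "ids": sorted(ids_seen),
        "max_layers": max(layers, default=0),
    }

# Constructed sample listing, not taken from a real incident.
SAMPLE = [
    r"C:\Finance\q1.xlsx.ragnar_1A2B3C4D",
    r"C:\Finance\q2.xlsx.ragnar_1A2B3C4D.ragnar_1A2B3C4D.ragnar_1A2B3C4D",
    r"D:\Share\plan.docx.ragnar_1A2B3C4D.ragnar_1A2B3C4D",
    r"C:\Windows\notepad.exe",
    r"D:\Share\ragnar_notes.txt",
]
```

A `max_layers` value above 1 in the result of `triage(SAMPLE)` indicates that the host was hit more than once, which matters when planning recovery.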

