Hackers using Ragnar Locker ransomware pulled off some of the more brazen attacks against high-profile targets in recent memory. Generally, this malware is deployed manually after an initial compromise and after some basic network reconnaissance has been carried out. Before launching the Ragnar Locker ransomware, hackers inject a module capable of collecting sensitive data from victims and upload that data to their servers. Next, the hackers notify the victim that the files will be released to the public if their ransom demands are not met.
RagnarLocker Victimizes Major Corporations
Campari, the video game maker company known for its dark red liqueur, was targeted by Ragnar Locker ransomware. According to reports, the attack managed to encrypt data on 24 of the company’s global servers, and the hackers demanded a cryptocurrency ransom worth $15 million. In the ransom note, hackers claimed to have stolen 2 terabytes worth of files from Campari’s servers, including bank statements, employee social security numbers, tax forms, contracts, and passport details. If the ransom is not paid, the attackers will release the sensitive data to the public or sell it to other hackers. Hackers also shared links to screenshots of the stolen data.
Capcom was also reportedly hit by a Ragnar Locker attack that encrypted 1 terabyte (TB) of sensitive data. The Japanese company is responsible for several multi-million gaming franchises, including Resident Evil, Street Fighter and Darkstalkers. The company detected the cyberattack in November of 2020 and confirmed the hack was due to unauthorized access carried out by a third party, which led to a halt of some operations on its internal networks later in the day.
Text on Screen: “Capcom expressed its deepest regret for any inconvenience this may cause to its various stakeholders,” the company said in a Wednesday advisory on its website. “Further, it stated that at present, there is no indication that any customer information was breached. This incident has not affected connections for playing the company’s games online or access to its various websites.”
RagnarLocker Inspires Copycat Hackers
The Maze ransomware gang has added a new twist to its approach, distributing ransomware payloads via virtual machines. The approach is meant to help the hackers get around endpoint defenses. The Maze group was recently observed distributing its malware in the form of a VirtualBox virtual disk image, or VDI file. The VDI file itself was delivered in a Windows MSI file, a format used for the installation, storage, and removal of programs. In employing this strategy, Maze hackers take a page from the Ragnar Locker group, which used the same technique earlier in 2020.