A group of cyber extortionists called Ragnar Locker claimed responsibility for the recent cyber-attack against the National Gas System Operator (DESFA) in Greece.
On Saturday, DESFA announced that it had suffered a cyber-attack on part of its IT infrastructure, which resulted in a “confirmed impact on the availability of certain systems and the possible leakage of a number of files and data.”
DESFA is responsible for the operation, management, exploitation, and development of the National Natural Gas System and its interconnections.
The statement said that IT services were proactively deactivated to limit any potential spillage and to investigate the incident while ensuring the adequate operation of the national gas supply system at all entry and exit points of the country without any complications.
The FBI has linked the Ragnar Locker group to attacks on at least fifty-two organizations and companies related to critical infrastructure in the US over the last two years.
Ragnar Locker attacks compromised corporate networks
Ragnar Locker ransomware is a recent, pesky form of malware that specifically targets machines running Windows. First discovered in late 2019, this ransomware was devised as a way of attacking compromised corporate networks.
Cybercriminals looking to deploy Ragnar Locker ransomware first compromise their target’s network, then attempt to crack weak passwords or employ stolen credentials purchased from the Dark Web.
Throughout this process, the ransomware terminates critical programs which service providers use to manage and protect their clients’ important IT data.
Once in, the attackers inject software into the victim’s machine which grabs sensitive data and uploads it via a network connection to their servers. Just like that, their work is done, and the Ragnar Locker ransomware is in place.
Attackers then let victims know that their files will be released to the public if the specified ransom amount is not paid. This dual-pronged approach, which targets your valuable data on clients and partners, is known as a “double extortion” tactic.
The FBI determined that operators behind Ragnar Locker avoided certain countries, most notably Russia. Prior to Russian law enforcement action earlier this year against another ransomware group, REvil, dark web chatter revealed that actors felt safe operating in Russia.
“If the victim location is identified as ‘Azerbaijani,’ ‘Armenian,’ ‘Belorussian,’ ‘Kazakh,’ ‘Kyrgyz,’ ‘Moldavian,’ ‘Tajik,’ ‘Russian,’ ‘Turkmen,’ ‘Uzbek,’ ‘Ukrainian,’ or ‘Georgian,’ the process terminates,” the FBI said in a recent alert.