{
	"id": "a83290b8-8cf2-454b-b5a3-1d663c96698e",
	"created_at": "2026-04-06T00:14:55.36587Z",
	"updated_at": "2026-04-10T03:32:24.814141Z",
	"deleted_at": null,
	"sha1_hash": "17af79a3dd08c271ff6f649673f09eb19c019b15",
	"title": "FBI: Ransomware gang breached 52 US critical infrastructure orgs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 799433,
	"plain_text": "FBI: Ransomware gang breached 52 US critical infrastructure orgs\r\nBy Sergiu Gatlan\r\nPublished: 2022-03-07 · Archived: 2026-04-02 11:26:42 UTC\r\nThe US Federal Bureau of Investigation (FBI) says the Ragnar Locker ransomware gang has breached the networks of at least 52 organizations from multiple US critical infrastructure sectors.\r\nThis was revealed in a joint TLP:WHITE flash alert published on Monday in coordination with the Cybersecurity and Infrastructure Security Agency.\r\n\"As of January 2022, the FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including entities in the critical manufacturing, energy, financial services, government, and information technology sectors,\" the federal law enforcement agency said [PDF].\r\nhttps://www.bleepingcomputer.com/news/security/fbi-ransomware-gang-breached-52-us-critical-infrastructure-orgs/\r\nPage 1 of 4\r\n\"RagnarLocker ransomware actors work as part of a ransomware family, frequently changing obfuscation techniques to avoid detection and prevention.\"\r\nThe flash alert focuses on providing indicators of compromise (IOCs) organizations can use to detect and block Ragnar Locker ransomware attacks.\r\nIOCs associated with Ragnar Locker activity include info on attack infrastructure, Bitcoin addresses used to collect ransom demands, and email addresses used by the gang's operators.\r\nAlthough the FBI first became aware of Ragnar Locker in April 2020, Ragnar Locker ransomware payloads were first observed in attacks months before, during late December 2019.\r\nRagnar Locker operators terminate remote management software (e.g., ConnectWise, Kaseya) used by managed service providers (MSPs) to manage clients' systems remotely on compromised enterprise endpoints.\r\nThis allows the threat actors to evade detection and make sure remotely logged-in admins do not interfere with or block the ransomware deployment process.\r\nRequest for info linked to Ragnar Locker attacks\r\nThe FBI asked admins and security professionals who detect Ragnar Locker activity to share any related information with their local FBI Cyber Squad.\r\nUseful info that would help identify the threat actors behind this ransomware gang includes copies of the ransom notes, ransom demands, malicious activity timelines, payload samples, and more.\r\nThe FBI added that it doesn't encourage paying Ragnar Locker ransoms since victims have no guarantee that paying will prevent leaks of stolen data or future attacks.\r\nInstead, ransom payments will further motivate the ransomware gang to target even more victims and incentivize other cybercrime operations to join in and launch their own ransomware attacks.\r\nHowever, the federal agency did recognize the damage inflicted on businesses by ransomware attacks, which may force executives to pay ransoms to protect shareholders, customers, or employees.\r\nThe FBI also shared mitigation measures to block such attacks and strongly urged victims to report such incidents to their local FBI field office.\r\nSince December, the FBI has also revealed that Cuba ransomware compromised the networks of at least 49 US critical infrastructure entities, while the BlackByte ransomware gang hit at least three others.\r\nSource: https://www.bleepingcomputer.com/news/security/fbi-ransomware-gang-breached-52-us-critical-infrastructure-orgs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/fbi-ransomware-gang-breached-52-us-critical-infrastructure-orgs/"
	],
	"report_names": [
		"fbi-ransomware-gang-breached-52-us-critical-infrastructure-orgs"
	],
	"threat_actors": [
		{
			"id": "4e453d66-9ecd-47d9-b63a-32fa5450f071",
			"created_at": "2024-06-19T02:03:08.077075Z",
			"updated_at": "2026-04-10T02:00:03.830523Z",
			"deleted_at": null,
			"main_name": "GOLD LOTUS",
			"aliases": [
				"BlackByte",
				"Hecamede "
			],
			"source_name": "Secureworks:GOLD LOTUS",
			"tools": [
				"BlackByte",
				"Cobalt Strike",
				"ExByte",
				"Mega",
				"RDP",
				"SoftPerfect Network Scanner"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e7fd07d-fcc5-459b-b678-45a7d9cda751",
			"created_at": "2025-04-23T02:00:55.174827Z",
			"updated_at": "2026-04-10T02:00:05.353712Z",
			"deleted_at": null,
			"main_name": "BlackByte",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "MITRE:BlackByte",
			"tools": [
				"AdFind",
				"BlackByte Ransomware",
				"Exbyte",
				"Arp",
				"BlackByte 2.0 Ransomware",
				"PsExec",
				"Cobalt Strike",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434495,
	"ts_updated_at": 1775791944,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/17af79a3dd08c271ff6f649673f09eb19c019b15.pdf",
		"text": "https://archive.orkl.eu/17af79a3dd08c271ff6f649673f09eb19c019b15.txt",
		"img": "https://archive.orkl.eu/17af79a3dd08c271ff6f649673f09eb19c019b15.jpg"
	}
}