{
	"id": "2101a71c-8665-4ebd-9e70-221c1504c384",
	"created_at": "2026-04-06T00:12:43.356445Z",
	"updated_at": "2026-04-10T13:11:25.052042Z",
	"deleted_at": null,
	"sha1_hash": "771a63e4c8e16b96b884439e94dcef95f9d12d1b",
	"title": "Ragnar ransomware gang hit 52 critical US orgs, says FBI",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41233,
	"plain_text": "Ragnar ransomware gang hit 52 critical US orgs, says FBI\r\nBy Jessica Lyons\r\nPublished: 2022-03-09 · Archived: 2026-04-02 12:35:57 UTC\r\nThe Ragnar Locker ransomware gang has so far infected at least 52 critical infrastructure organizations in America across sectors including manufacturing, energy, financial services, government, and information technology, according to an FBI alert this week.\r\nThe Feds said [PDF] they became aware in early 2020 of the ransomware crew and its preferred tactic: double extortion. The crooks steal sensitive data, encrypt a victim's systems, and threaten to leak the stolen documents if the ransom to restore the files isn't paid.\r\nTo date, the Ragnar Locker criminals have posted stolen data from at least ten organizations on their publicity website, according to Acronis. As of January, the gang has hit entities across nearly a dozen critical sectors, according to the FBI flash alert, which provided technical details about how the ransomware attacks work:\r\nThe Ragnar Locker malware uses the Windows API GetLocaleInfoW to identify the infected machine's location. If the victim's locale is one of a dozen European and Asian countries, including Russia and Ukraine, the infection process terminates.\r\nAs the ransomware is deployed, it kills services commonly used by managed service providers to remotely control networks and attempts to silently delete all shadow copies of documents so that users can't recover encrypted files.\r\nAnd finally, Ragnar Locker encrypts organizations' data. But instead of choosing which files to encrypt, it selects folders not to encrypt. \"Taking this approach allows the computer to continue to operate 'normally' while the malware encrypts files with known and unknown extensions containing data of value to the victim,\" the FBI explained.\r\nFor example, if the logical drive being processed is the C: drive, the malware does not encrypt files in folders named Windows, Windows.old, Mozilla, Mozilla Firefox, Tor browser, Internet Explorer, $Recycle.Bin, Program Data, Google, Opera, or Opera Software.\r\nThe FBI urged victims to report ransomware attacks to their local field office. And while it \"does not encourage paying a ransom to criminal actors,\" it acknowledged that this can be a tricky business decision. Executives should \"evaluate all options to protect their shareholders, employees, and customers,\" before deciding whether to pay, it added. ®\r\nhttps://www.theregister.com/2022/03/09/fbi_says_ragnar_locker_ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.theregister.com/2022/03/09/fbi_says_ragnar_locker_ransomware/"
	],
	"report_names": [
		"fbi_says_ragnar_locker_ransomware"
	],
	"threat_actors": [
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434363,
	"ts_updated_at": 1775826685,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/771a63e4c8e16b96b884439e94dcef95f9d12d1b.pdf",
		"text": "https://archive.orkl.eu/771a63e4c8e16b96b884439e94dcef95f9d12d1b.txt",
		"img": "https://archive.orkl.eu/771a63e4c8e16b96b884439e94dcef95f9d12d1b.jpg"
	}
}