{
	"id": "c157c449-ca68-4b47-a1aa-bb9819403242",
	"created_at": "2026-04-06T00:13:23.210054Z",
	"updated_at": "2026-04-10T03:21:33.552525Z",
	"deleted_at": null,
	"sha1_hash": "d0d1858d416e47b7eb8fd2778341be5c2419b7ad",
	"title": "FBI Warns of Uptick in Ragnar Locker Ransomware Activity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 166851,
	"plain_text": "FBI Warns of Uptick in Ragnar Locker Ransomware Activity\r\nBy Prajeet Nair\r\nArchived: 2026-04-05 19:26:37 UTC\r\nBusiness Continuity Management / Disaster Recovery , Fraud Management \u0026 Cybercrime , Governance \u0026 Risk\r\nManagement\r\nBureau Says the Attacks Are Hitting Many Sectors (@prajeetspeaks) • November 25, 2020    \r\nA screenshot of the FBI alert\r\nThe FBI has sent out a private industry alert warning about an increase in attacks using Ragnar Locker\r\nransomware.\r\nSee Also: Reduce Cloud Risk in Healthcare with Security by Default\r\nResearchers first spotted Ragnar Locker in 2019. The FBI alert notes that its cyber division has been closely\r\nmonitoring the malware since April, when its operators encrypted a large corporation's files and demanded an $11\r\nmillion ransom to avoid release of 10 terabytes of sensitive company data.\r\n\"Since then, Ragnar Locker has been deployed against an increasing list of victims, including cloud service\r\nproviders, communication, construction, travel and enterprise software companies,\" according to the alert.\r\nRecent Attacks\r\nRagnar Locker has been linked to other high-profile security incidents over the last several months, including\r\nattacks targeting Energias de Portugal, or EDP, an energy company; Campari, an Italian liquor company; and\r\nhttps://www.bankinfosecurity.com/fbi-warns-uptick-in-ragnar-locker-ransomware-activity-a-15454\r\nPage 1 of 3\n\nCapcom, a Japanese gaming firm (see: Gaming Company Confirms Ragnar Locker Ransomware Attack).\r\nRagnar Locker is one of several ransomware variants used to not only encrypt files of victims but also to exfiltrate\r\ndata. Once this information is stolen, cybercriminals threaten to release the information as a way to make victims\r\npay a ransom. 
Earlier this month, the Ragnar Locker gang hacked into a Facebook account and posted an ad about\r\nthe Campari attack to pressure that company into paying (see: Ransomware Gang Devises Innovative Extortion\r\nTactic).\r\nBrett Callow, a threat analyst with the security firm Emsisoft, says the operators behind Ragnar Locker want to\r\nembarrass companies as much as possible to force them to pay a ransom and to serve as a warning to future\r\nvictims.\r\n“The group recently added an interesting element to their extortion attempts: namely, using compromised\r\nFacebook accounts to run ad campaigns in an effort to apply further pressure to their victims,” Callow says.\r\n“While novel, the development was not particularly surprising. Other groups have put up press releases and\r\ncontacted reporters directly, so an ad campaign was a logical progression.”\r\nUnderstanding Ragnar Locker\r\nIn an April report, Microsoft noted that Ragnar Locker is one of four strains of ransomware - also including Maze,\r\nRobbinHood and Vatet - that regularly get dropped onto systems after attackers gain remote access using stolen or\r\nbrute-forced Remote Desktop Protocol credentials (see: 10 Ransomware Strains Being Used in Advanced Attacks).\r\nThe FBI alert also notes that the operators behind Ragnar Locker use numerous obfuscation techniques to avoid\r\ndetection by security tools.\r\nOnce planted inside a network, the ransomware conducts reconnaissance of the infrastructure, according to the\r\nFBI.\r\n\"Ragnar Locker encrypts all available files of interest,\" according to the FBI alert. \"Instead of choosing which\r\nfiles to encrypt, Ragnar Locker chooses which folders it will not encrypt. 
Taking this approach allows the\r\ncomputer to continue to operate 'normally' while the malware encrypts files with known and unknown extensions\r\ncontaining data of value to the victim.\"\r\nThe FBI alert notes that Ragnar Locker uses several types of custom-packing algorithms to encrypt the data and\r\nencrypts the targeted files using a Windows XP virtual machine that it deploys through the victim's network (see:\r\nRagnarLocker Deploys a Virtual Machine to Hide Ransomware).\r\nThe ransomware also looks to kill other malware that might be operating within the same network at the same\r\ntime, according to the alert. It also \"checks for current infections to prevent multiple encryption transforms of the\r\ndata, potentially corrupting it. The binary gathers the unique machine [Globally Unique Identifier], operating\r\nsystem product name and user name currently running the process.\"\r\nThe alert also notes that, if Ragnar Locker infects devices in certain countries, such as Russia or Ukraine, it\r\nterminates without encrypting files.\r\nVictims typically receive a plain-text note identifying Ragnar Locker as the attacker and providing instructions for\r\nhow to pay the ransom and contact the attackers, the FBI adds.\r\nSource: https://www.bankinfosecurity.com/fbi-warns-uptick-in-ragnar-locker-ransomware-activity-a-15454",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bankinfosecurity.com/fbi-warns-uptick-in-ragnar-locker-ransomware-activity-a-15454"
	],
	"report_names": [
		"fbi-warns-uptick-in-ragnar-locker-ransomware-activity-a-15454"
	],
	"threat_actors": [],
	"ts_created_at": 1775434403,
	"ts_updated_at": 1775791293,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d0d1858d416e47b7eb8fd2778341be5c2419b7ad.pdf",
		"text": "https://archive.orkl.eu/d0d1858d416e47b7eb8fd2778341be5c2419b7ad.txt",
		"img": "https://archive.orkl.eu/d0d1858d416e47b7eb8fd2778341be5c2419b7ad.jpg"
	}
}