DESFA, Greece’s largest natural gas supplier, said on Saturday 20th August that it was hit by a cyberattack that impacted the availability of some of its systems.
Ragnar Locker, a hacking group, claimed responsibility for the ransomware attack. The group added that it had allegedly published more than 350 GB of data stolen from DESFA.
Security researchers from Cybereason have written a report describing details of the attack.
The Threat Analysis Report says: “Ragnar Locker is a ransomware that has been in use since at least December 2019 and is generally aimed at English-speaking users. The Ragnar Locker ransomware has been on the FBI’s radar since the gang breached more than fifty organizations across ten critical infrastructure sectors.”
The advisory suggests that the first thing Ragnar Locker does after infecting a system is check the machine’s locale. If the locale matches one of certain countries, including Ukraine, Russia and Belarus, the malware does not execute and the process is terminated.
The report says: “Ragnar Locker avoids being executed from countries since the group is located in the Commonwealth of Independent States (CIS).”
If a match is not found, the ransomware starts extracting information about the infected machine and attempts to identify the existing file volumes on the host. Once the identification phase is complete, Ragnar Locker starts encrypting files and a ransom note is displayed to victims.
Cybereason adds that Ragnar Locker is able to check if specific products are installed, particularly virtual-based software, security software like antivirus, IT remote management solutions, and backup solutions. This is to circumvent their defences and avoid detection.
DESFA suffered another ransomware attack in May 2021, when Colonial Pipeline suffered an attack.
In recent times, critical national infrastructure (CNI) providers have been asked by the UK, US and Australian governments to step up their security efforts. This is due to a surge in ransomware attacks.