{"id":38089,"date":"2023-11-03T20:57:04","date_gmt":"2023-11-03T20:57:04","guid":{"rendered":"https:\/\/zpesystems.com\/?p=38089"},"modified":"2023-11-08T21:32:37","modified_gmt":"2023-11-08T21:32:37","slug":"breaking-down-the-2023-ragnar-locker-cyberattacks","status":"publish","type":"post","link":"https:\/\/zpesystems.com\/breaking-down-the-2023-ragnar-locker-cyberattacks\/","title":{"rendered":"Breaking Down The 2023 Ragnar Locker Cyberattacks"},"content":{"rendered":"<p><em>This article was written by <a 
href=\"https:\/\/www.linkedin.com\/in\/jamescabe\/\">James Cabe, CISSP<\/a>, a 30-year cybersecurity expert who&#8217;s helped major companies including Microsoft and Fortinet.<\/em><\/p>\n<p><span style=\"font-weight: 400;\">Throughout 2023, several organizations were successfully hit by Ragnar Locker cyberattacks. The affected victims spanned the globe and were forced to shut down much of their critical operations, while the attackers demanded tens of millions of dollars in ransom payments. Despite the <\/span><a href=\"https:\/\/www.europol.europa.eu\/media-press\/newsroom\/news\/ragnar-locker-ransomware-gang-taken-down-international-police-swoop\"><span style=\"font-weight: 400;\">group being taken down by law enforcement<\/span><\/a><span style=\"font-weight: 400;\"> in October, organizations are re-evaluating their defensive measures \u2014 and more importantly, their recovery strategies \u2014 to combat these attacks.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">If you read my previous articles about the <\/span><a href=\"https:\/\/zpesystems.com\/the-biggest-ransomware-attack-you-havent-heard-of-yet\/\"><span style=\"font-weight: 400;\">ongoing MOVEit breach<\/span><\/a><span style=\"font-weight: 400;\"> and the <\/span><a href=\"https:\/\/zpesystems.com\/dissecting-the-mgm-cyberattack-lions-tigers-bears-oh-my\/\"><span style=\"font-weight: 400;\">ransomware that hit MGM<\/span><\/a><span style=\"font-weight: 400;\">, you probably know that isolation is key. 
It helps you fight through attacks by <\/span><a href=\"https:\/\/pipelinepub.com\/cybersecurity-assurance-2023\/preventing-ransomware-attacks\"><span style=\"font-weight: 400;\">cutting the kill chain<\/span><\/a><span style=\"font-weight: 400;\">, so that you can restore services quickly without reinfection.<\/span><\/p>\n<h1>Who Carries Out Ragnar Locker Cyberattacks?<\/h1>\n<p><span style=\"font-weight: 400;\">Recent Ragnar Locker cyberattacks were carried out by the Dark Angels Team cybercriminal group. Dark Angels Team\u2019s modus operandi is to breach a company\u2019s defenses, spread laterally, and steal data that can be used to extort the target company. The approach they take involves gaining access to the Windows domain controller, where they deploy ransomware. 
They encrypt devices using Windows and ESXi encryptors, which gives organizations little recourse aside from taking their critical systems offline in order to stop the spread.<\/span><\/p>\n<h1>How Do Ragnar Locker Cyberattacks Start?<\/h1>\n<p><span style=\"font-weight: 400;\">Ragnar Locker breaches, like all ransomware attacks, require a kill chain that must first be initiated. <\/span><a href=\"https:\/\/attack.mitre.org\/\"><span style=\"font-weight: 400;\">MITRE ATT&amp;CK<\/span><\/a><span style=\"font-weight: 400;\"> defines this as the \u2018initial,\u2019 and in these attacks, the initial comes from social engineering. Email stuffing is often the tactic of choice, whereby the attacker sends an email that appears to have a trail of replies or forwards (see the example below). Email trails like this trick spam filters and land directly in the target\u2019s inbox. 
When an employee clicks a malicious link inside the email, the attack kicks off.<\/span><\/p>\n<p><img decoding=\"async\" class=\"wp-image-38102 alignnone \" src=\"https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/11\/Email-stuffing-example-from-marketer.png\" alt=\"An email showing an example of email stuffing.\" width=\"745\" height=\"526\" \/><\/p>\n<p>Image: Email stuffing is used by marketers and threat actors alike to bypass spam filters.<\/p>\n<h1>How Do Companies Discover Ragnar Locker Cyberattacks?<\/h1>\n<p><span style=\"font-weight: 400;\">After the Ragnar Locker cyberattack kicks off, the bad link uses Java to load the locker ransomware, then a series of batch scripts installs a payload consisting of virtual box emulation software. 
This emulation software takes over and encrypts the host, and displays the ransomware message (see image below).<\/span><\/p>\n<p><img decoding=\"async\" class=\"wp-image-38103 alignnone \" src=\"https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/11\/Ragnar-Locker-ransomware-message.jpg\" alt=\"A Ragnar Locker ransomware message shown in a notes file.\" width=\"735\" height=\"645\" srcset=\"https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/11\/Ragnar-Locker-ransomware-message.jpg 735w, https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/11\/Ragnar-Locker-ransomware-message-480x421.jpg 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 735px, 100vw\" \/><\/p>\n<p>Image: A Ragnar Locker ransomware message showing on encrypted devices.<\/p>\n<h1>How Do Ragnar Locker Cyberattacks Spread?<\/h1>\n<p><span style=\"font-weight: 400;\">The attack spreads by gaining access to Windows domain controllers and then attacking the management interfaces of the VMware ESXi machines. Most organizations don\u2019t properly segment or isolate these management interfaces. This makes them especially vulnerable even to older Babuk ransomware source code that is an ESXi encryptor. 
Basically, the attackers only need to gain access to the management network, and then they can attack the production network.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">From Intel471: \u201cVMware\u2019s ESXi is called a \u2018<\/span><a href=\"https:\/\/www.vmware.com\/topics\/glossary\/content\/bare-metal-hypervisor.html\"><span style=\"font-weight: 400;\">bare metal<\/span><\/a><span style=\"font-weight: 400;\">\u2019 hypervisor because the underlying hardware on which it is installed doesn\u2019t need an operating system. ESXi allows the hardware to be utilized for multiple virtual machines (VMs), which saves on hardware costs. ESXi is a fruitful target for attackers since it may be connected to several VMs and the storage for them. Security experts<\/span><a href=\"https:\/\/vmiss.net\/vmware-esxi-ransomware-what-you-need-to-know\/\"> <span style=\"font-weight: 400;\">warn<\/span><\/a><span style=\"font-weight: 400;\"> ransomware actors have built specific binaries to target these systems. Groups joining this trend include HelloKitty, Black Basta, Cheerscrypt and GwisinLocker.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">They continue, \u201cOver the last few years, several vulnerabilities have been identified in ESXi, including<\/span><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-21974\"> <span style=\"font-weight: 400;\">CVE-2021-21974<\/span><\/a><span style=\"font-weight: 400;\">. The vulnerability is a heap overflow vulnerability within<\/span><a href=\"http:\/\/www.openslp.org\/\"> <span style=\"font-weight: 400;\">Open Service Location Protocol<\/span><\/a><span style=\"font-weight: 400;\"> (OpenSLP), which is a network discovery tool. 
The vulnerability is remotely exploitable over port 427, and has a Common Vulnerability Scoring System Version 3.0 (CVSSv3) base score of<\/span><a href=\"https:\/\/www.vmware.com\/security\/advisories\/VMSA-2021-0002.html\"> <span style=\"font-weight: 400;\">8.8<\/span><\/a><span style=\"font-weight: 400;\">. It\u2019s suspected that it may be the vulnerability exploited in this attack.<\/span><a href=\"https:\/\/blogs.vmware.com\/security\/2023\/02\/83330.html\"> <span style=\"font-weight: 400;\">VMware said<\/span><\/a><span style=\"font-weight: 400;\"> that \u201csignificantly out-of-date products\u201d were targeted with vulnerabilities that had been addressed. It affects ESXi versions 7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG and 6.5 before ESXi650-202102101-SG. Due to<\/span><a href=\"https:\/\/kb.vmware.com\/s\/article\/76372\"> <span style=\"font-weight: 400;\">other vulnerabilities<\/span><\/a><span style=\"font-weight: 400;\"> in OpenSLP, VMware disabled OpenSLP starting in 2021 in ESXi versions 7.0 U2c and ESXi 8.0, which is the current version.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Ultimately, these attacks exploit a combination of a lack of management plane isolation to the VMware management interfaces, specifically on port 427 (OpenSLP), and a lack of patching and updating. 
Organizations also typically lack a backup authentication mechanism for the control plane, as well as Privileged Access Management, which are both good fallback options.<\/span><\/p>\n<h1>How Can Companies Stop Ragnar Locker Cyberattacks?<\/h1>\n<p><span style=\"font-weight: 400;\">Ragnar Locker ransomware and other attacks are successful because companies don\u2019t employ proper management plane isolation. Attackers can gain access to VMware management interfaces, and then they essentially have the keys to the kingdom. That\u2019s it. No amount of defense can save you.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">If you recall <\/span><a href=\"https:\/\/www.cisa.gov\/news-events\/directives\/binding-operational-directive-23-02\"><span style=\"font-weight: 400;\">CISA\u2019s binding operational directive<\/span><\/a><span style=\"font-weight: 400;\">, they call for an isolated management infrastructure. This is what we refer to as IMI. Rather than serving as a defense, like we think of traditional cybersecurity products, the IMI is an architecture that allows you to fight back. It\u2019s your quick-reaction force, your cavalry, your secret weapon that ensures you always have a counterattack ready to deploy.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">IMI is infrastructure that is dedicated \u2014 and most importantly, fully isolated from production assets \u2014\u00a0to ensuring operations can recover quickly from breaches and outages. 
Here\u2019s a graphical breakdown:<\/span><\/p>\n<p><img decoding=\"async\" class=\"wp-image-36055 alignnone size-large\" src=\"https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/07\/Isolated-Management-Network-Diagram-1024x576.png\" alt=\"Isolated Management Infrastructure diagram\" width=\"1024\" height=\"576\" srcset=\"https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/07\/Isolated-Management-Network-Diagram-980x551.png 980w, https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/07\/Isolated-Management-Network-Diagram-480x270.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) 1024px, 100vw\" \/><\/p>\n<p><span style=\"font-weight: 400;\">The IMI includes all of the tools you need for rerouting traffic, decommissioning affected gear, wiping\/re-imaging devices, and restoring infrastructure. You can also incorporate automation to speed the process along and make recovery something that happens in minutes or hours at the most. Aside from being completely isolated from production assets, the IMI itself is also segmented and employs zero trust practices. This means that you and only you have access to your secret weapon for cutting the ransomware kill chain.<\/span><\/p>\n<h1>How Do You Use Isolated Management Infrastructure?<\/h1>\n<p><span data-contrast=\"auto\">An IMI can host an <\/span><a href=\"https:\/\/zpesystems.com\/build-an-isolated-recovery-environment-zs\/\"><span data-contrast=\"none\">IRE (Isolated Recovery Environment)<\/span><\/a><span data-contrast=\"auto\">, which is used to cut off all user data and remote access (except for <\/span><a href=\"https:\/\/zpesystems.com\/in-band-vs-out-of-band-management-zs\/\"><span data-contrast=\"none\">OOB<\/span><\/a><span data-contrast=\"auto\">) to an entire infected site. A properly implemented recovery environment should automate most of these activities to speed up the recovery. 
One of the first considerations is the requirement for a secondary organization in your IAM that is not attached to normal operations. This is what is known as a set of \u201c<\/span><a href=\"https:\/\/thesysadminchannel.com\/break-glass-account-what-is-it-and-why-do-you-need-it\/\"><span data-contrast=\"none\">Break the Glass<\/span><\/a><span data-contrast=\"auto\">\u201d accounts. These are known in military circles but have made it into formal practice as part of a strong playbook for ransomware. Once you do this, you can instantiate selected Zero Trust remote access to the site using credentials that are not in the scope of the attack, and then bring up a communications channel for a virtual war room using software like Rocket Chat, Jitsi, Slack, or other standalone communications tools that are installable on the IRE environment.<\/span><\/p>\n<p><span data-contrast=\"auto\">Avoiding normal authentication methods or IAM and normal communication channels is required for the integrity of the recovery and strengthens the recovery playbook. During this time, no email may be used that is associated directly with the organization. Ideally, email should never touch an account that is associated with it either.<\/span><\/p>\n<p><span data-contrast=\"auto\">The next step is to create a new set of clean-side networks that either do not connect directly to the main backbone or sit behind another firewall, so that machines can be triaged as good or bad. Using sniffer software running on the IRE, the recovery team can then run a passive scan or an active scanner against all machines that continue trying to send email to Exchange\/M365. You can give access to people that are deemed good (not sending traffic) but lock off (with an EDR) the ability to open Outlook for a while, keeping them on web email in the meantime. 
From there, continue working through to find all the sending drivers to see if they have a good backup. If not, back up the infected drive for later offline data retrieval. Then re-image while scanning the UEFI BIOS during boot (if needed, run an IPMI scan). If the site has a list of assets that are considered crown jewels, prioritize these.<\/span><\/p>\n<p><span data-contrast=\"auto\">Once you have a segmented \u201cclean side\u201d established with all the network services required to operate the site (DNS, IAM, DHCP), Internet access can be restored to this site on a limited basis, which means only outbound communications, nothing inbound. Restorative operations can continue apace, making sure that the infected-side assets are captured in backup for later forensics, following chain of custody, if damages are found to exceed insurance limits. This is decided in the war room.<\/span><\/p>\n<h2>Download the Isolated Management Infrastructure Blueprint<\/h2>\n<p><span style=\"font-weight: 400;\">Now is the time to lay the groundwork for your IMI so you can fight back against ransomware. 
Download the Network Automation Blueprint, which gives you a step-by-step guide to building your Isolated Management Infrastructure.<\/span><\/p>\n<h2>Get in touch with me!<\/h2>\n<p><span style=\"font-weight: 400;\">True security can only be achieved through resilience, and that&#8217;s my mission. If you want help shoring up your defenses, building an IMI, and implementing a Resilience System, get in touch with me. Here are links to my social media accounts:<\/span><\/p>\n<ul>\n<li><a href=\"https:\/\/www.linkedin.com\/in\/jamescabe\/\">James Cabe &#8211; CISSP on LinkedIn<\/a><\/li>\n<li><a href=\"https:\/\/twitter.com\/how2cloud?lang=en\">@how2cloud on X &#8211; James Cabe<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Many organizations suffered Ragnar Locker cyberattacks in 2023. 
30-year cybersecurity expert James Cabe discusses the problem and solution.<\/p>\n","protected":false},"author":5,"featured_media":38110,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","content-type":"","footnotes":""},"categories":[103,156,101,93,82,162,97,134],"tags":[],"class_list":["post-38089","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-improve-network-security","category-micro-segmentation","category-minimize-impact-of-disruptions","category-network-automation","category-out-of-band-management","category-secops","category-user-management","category-zero-trust-security"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v26.0 (Yoast SEO v26.0) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Breaking Down The 2023 Ragnar Locker Cyberattacks<\/title>\n<meta name=\"description\" content=\"Many organizations suffered Ragnar Locker cyberattacks in 2023. 30-year cybersecurity expert James Cabe discusses the problem and solution.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zpesystems.com\/breaking-down-the-2023-ragnar-locker-cyberattacks\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Breaking Down The 2023 Ragnar Locker Cyberattacks\" \/>\n<meta property=\"og:description\" content=\"Many organizations suffered Ragnar Locker cyberattacks in 2023. 
30-year cybersecurity expert James Cabe discusses the problem and solution.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zpesystems.com\/breaking-down-the-2023-ragnar-locker-cyberattacks\/\" \/>\n<meta property=\"og:site_name\" content=\"ZPE Systems\" \/>\n<meta property=\"article:published_time\" content=\"2023-11-03T20:57:04+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-11-08T21:32:37+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/11\/Breaking-Down-the-2023-Ragnar-Locker-Cyberattacks.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"627\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Jordan Baker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jordan Baker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/zpesystems.com\/breaking-down-the-2023-ragnar-locker-cyberattacks\/\",\"url\":\"https:\/\/zpesystems.com\/breaking-down-the-2023-ragnar-locker-cyberattacks\/\",\"name\":\"Breaking Down The 2023 Ragnar Locker Cyberattacks\",\"isPartOf\":{\"@id\":\"https:\/\/zpesystems.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/zpesystems.com\/breaking-down-the-2023-ragnar-locker-cyberattacks\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/zpesystems.com\/breaking-down-the-2023-ragnar-locker-cyberattacks\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/11\/Breaking-Down-the-2023-Ragnar-Locker-Cyberattacks.jpg\",\"datePublished\":\"2023-11-03T20:57:04+00:00\",\"dateModified\":\"2023-11-08T21:32:37+00:00\",\"author\":{\"@id\":\"https:\/\/zpesystems.com\/#\/schema\/person\/822694040abba23b5253766566cd1567\"},\"description\":\"Many organizations suffered Ragnar Locker cyberattacks in 2023. 
30-year cybersecurity expert James Cabe discusses the problem and solution.\",\"breadcrumb\":{\"@id\":\"https:\/\/zpesystems.com\/breaking-down-the-2023-ragnar-locker-cyberattacks\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/zpesystems.com\/breaking-down-the-2023-ragnar-locker-cyberattacks\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/zpesystems.com\/breaking-down-the-2023-ragnar-locker-cyberattacks\/#primaryimage\",\"url\":\"https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/11\/Breaking-Down-the-2023-Ragnar-Locker-Cyberattacks.jpg\",\"contentUrl\":\"https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/11\/Breaking-Down-the-2023-Ragnar-Locker-Cyberattacks.jpg\",\"width\":1200,\"height\":627,\"caption\":\"James Cabe breaks down the 2023 Ragnar Locker cyberattacks\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/zpesystems.com\/breaking-down-the-2023-ragnar-locker-cyberattacks\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/zpesystems.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Breaking Down The 2023 Ragnar Locker Cyberattacks\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/zpesystems.com\/#website\",\"url\":\"https:\/\/zpesystems.com\/\",\"name\":\"ZPE Systems\",\"description\":\"Rethink the Way Networks are Built and Managed\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/zpesystems.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/zpesystems.com\/#\/schema\/person\/822694040abba23b5253766566cd1567\",\"name\":\"Jordan Baker\",\"url\":\"https:\/\/zpesystems.com\/author\/jordan\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"Breaking Down The 2023 Ragnar Locker Cyberattacks","description":"Many organizations suffered Ragnar Locker cyberattacks in 2023. 30-year cybersecurity expert James Cabe discusses the problem and solution.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zpesystems.com\/breaking-down-the-2023-ragnar-locker-cyberattacks\/","og_locale":"en_US","og_type":"article","og_title":"Breaking Down The 2023 Ragnar Locker Cyberattacks","og_description":"Many organizations suffered Ragnar Locker cyberattacks in 2023. 30-year cybersecurity expert James Cabe discusses the problem and solution.","og_url":"https:\/\/zpesystems.com\/breaking-down-the-2023-ragnar-locker-cyberattacks\/","og_site_name":"ZPE Systems","article_published_time":"2023-11-03T20:57:04+00:00","article_modified_time":"2023-11-08T21:32:37+00:00","og_image":[{"width":1200,"height":627,"url":"https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/11\/Breaking-Down-the-2023-Ragnar-Locker-Cyberattacks.jpg","type":"image\/jpeg"}],"author":"Jordan Baker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Jordan Baker","Est. 
reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/zpesystems.com\/breaking-down-the-2023-ragnar-locker-cyberattacks\/","url":"https:\/\/zpesystems.com\/breaking-down-the-2023-ragnar-locker-cyberattacks\/","name":"Breaking Down The 2023 Ragnar Locker Cyberattacks","isPartOf":{"@id":"https:\/\/zpesystems.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/zpesystems.com\/breaking-down-the-2023-ragnar-locker-cyberattacks\/#primaryimage"},"image":{"@id":"https:\/\/zpesystems.com\/breaking-down-the-2023-ragnar-locker-cyberattacks\/#primaryimage"},"thumbnailUrl":"https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/11\/Breaking-Down-the-2023-Ragnar-Locker-Cyberattacks.jpg","datePublished":"2023-11-03T20:57:04+00:00","dateModified":"2023-11-08T21:32:37+00:00","author":{"@id":"https:\/\/zpesystems.com\/#\/schema\/person\/822694040abba23b5253766566cd1567"},"description":"Many organizations suffered Ragnar Locker cyberattacks in 2023. 
30-year cybersecurity expert James Cabe discusses the problem and solution.","breadcrumb":{"@id":"https:\/\/zpesystems.com\/breaking-down-the-2023-ragnar-locker-cyberattacks\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zpesystems.com\/breaking-down-the-2023-ragnar-locker-cyberattacks\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zpesystems.com\/breaking-down-the-2023-ragnar-locker-cyberattacks\/#primaryimage","url":"https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/11\/Breaking-Down-the-2023-Ragnar-Locker-Cyberattacks.jpg","contentUrl":"https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/11\/Breaking-Down-the-2023-Ragnar-Locker-Cyberattacks.jpg","width":1200,"height":627,"caption":"James Cabe breaks down the 2023 Ragnar Locker cyberattacks"},{"@type":"BreadcrumbList","@id":"https:\/\/zpesystems.com\/breaking-down-the-2023-ragnar-locker-cyberattacks\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zpesystems.com\/"},{"@type":"ListItem","position":2,"name":"Breaking Down The 2023 Ragnar Locker Cyberattacks"}]},{"@type":"WebSite","@id":"https:\/\/zpesystems.com\/#website","url":"https:\/\/zpesystems.com\/","name":"ZPE Systems","description":"Rethink the Way Networks are Built and Managed","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zpesystems.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/zpesystems.com\/#\/schema\/person\/822694040abba23b5253766566cd1567","name":"Jordan 
Baker","url":"https:\/\/zpesystems.com\/author\/jordan\/"}]}},"rttpg_featured_image_url":{"full":["https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/11\/Breaking-Down-the-2023-Ragnar-Locker-Cyberattacks.jpg",1200,627,false],"landscape":["https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/11\/Breaking-Down-the-2023-Ragnar-Locker-Cyberattacks.jpg",1200,627,false],"portraits":["https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/11\/Breaking-Down-the-2023-Ragnar-Locker-Cyberattacks.jpg",1200,627,false],"thumbnail":["https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/11\/Breaking-Down-the-2023-Ragnar-Locker-Cyberattacks-150x150.jpg",150,150,true],"medium":["https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/11\/Breaking-Down-the-2023-Ragnar-Locker-Cyberattacks-300x157.jpg",300,157,true],"large":["https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/11\/Breaking-Down-the-2023-Ragnar-Locker-Cyberattacks-1024x535.jpg",1024,535,true],"1536x1536":["https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/11\/Breaking-Down-the-2023-Ragnar-Locker-Cyberattacks.jpg",1200,627,false],"2048x2048":["https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/11\/Breaking-Down-the-2023-Ragnar-Locker-Cyberattacks.jpg",1200,627,false],"et-pb-post-main-image":["https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/11\/Breaking-Down-the-2023-Ragnar-Locker-Cyberattacks-400x250.jpg",400,250,true],"et-pb-post-main-image-fullwidth":["https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/11\/Breaking-Down-the-2023-Ragnar-Locker-Cyberattacks-1080x627.jpg",1080,627,true],"et-pb-portfolio-image":["https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/11\/Breaking-Down-the-2023-Ragnar-Locker-Cyberattacks-400x284.jpg",400,284,true],"et-pb-portfolio-module-image":["https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/11\/Breaking-Down-the-2023-Ragnar-Locker-Cyberattacks-510x382.jpg",510,382,true],"et-pb-portfolio-image-single":["https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/11\/Breaking-Down-the
-2023-Ragnar-Locker-Cyberattacks-1080x564.jpg",1080,564,true],"et-pb-gallery-module-image-portrait":["https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/11\/Breaking-Down-the-2023-Ragnar-Locker-Cyberattacks-400x516.jpg",400,516,true],"et-pb-post-main-image-fullwidth-large":["https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/11\/Breaking-Down-the-2023-Ragnar-Locker-Cyberattacks.jpg",1200,627,false],"et-pb-image--responsive--desktop":["https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/11\/Breaking-Down-the-2023-Ragnar-Locker-Cyberattacks.jpg",1200,627,false],"et-pb-image--responsive--tablet":["https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/11\/Breaking-Down-the-2023-Ragnar-Locker-Cyberattacks-980x512.jpg",980,512,true],"et-pb-image--responsive--phone":["https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/11\/Breaking-Down-the-2023-Ragnar-Locker-Cyberattacks-480x251.jpg",480,251,true]},"rttpg_author":{"display_name":"Jordan Baker","author_link":"https:\/\/zpesystems.com\/author\/jordan\/"},"rttpg_comment":0,"rttpg_category":"<a href=\"https:\/\/zpesystems.com\/category\/improve-network-security\/\" rel=\"category tag\">Improve Network Security<\/a> <a href=\"https:\/\/zpesystems.com\/category\/micro-segmentation\/\" rel=\"category tag\">Micro-segmentation<\/a> <a href=\"https:\/\/zpesystems.com\/category\/minimize-impact-of-disruptions\/\" rel=\"category tag\">Minimize Impact of Disruptions<\/a> <a href=\"https:\/\/zpesystems.com\/category\/increase-productivity\/network-automation\/\" rel=\"category tag\">Network Automation<\/a> <a href=\"https:\/\/zpesystems.com\/category\/remote-network-management\/out-of-band-management\/\" rel=\"category tag\">Out of Band Management<\/a> <a href=\"https:\/\/zpesystems.com\/category\/secops\/\" rel=\"category tag\">SecOps<\/a> <a href=\"https:\/\/zpesystems.com\/category\/improve-network-security\/user-management\/\" rel=\"category tag\">User Management<\/a> <a 
href=\"https:\/\/zpesystems.com\/category\/zero-trust-security\/\" rel=\"category tag\">Zero Trust Security<\/a>","rttpg_excerpt":"Many organizations suffered Ragnar Locker cyberattacks in 2023. 30-year cybersecurity expert James Cabe discusses the problem and solution.","_links":{"self":[{"href":"https:\/\/zpesystems.com\/wp-json\/wp\/v2\/posts\/38089","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zpesystems.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zpesystems.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zpesystems.com\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/zpesystems.com\/wp-json\/wp\/v2\/comments?post=38089"}],"version-history":[{"count":10,"href":"https:\/\/zpesystems.com\/wp-json\/wp\/v2\/posts\/38089\/revisions"}],"predecessor-version":[{"id":38181,"href":"https:\/\/zpesystems.com\/wp-json\/wp\/v2\/posts\/38089\/revisions\/38181"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zpesystems.com\/wp-json\/wp\/v2\/media\/38110"}],"wp:attachment":[{"href":"https:\/\/zpesystems.com\/wp-json\/wp\/v2\/media?parent=38089"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zpesystems.com\/wp-json\/wp\/v2\/categories?post=38089"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zpesystems.com\/wp-json\/wp\/v2\/tags?post=38089"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}