RagnarLocker Ransomware Gang Attacks Groupe Fructa Partner

The RagnarLocker ransomware gang has attacked Groupe Fructa Partner. Groupe Fructa Partner is a French food and beverage company. RagnarLocker posted Groupe Fructa Partner to its data leak site on October 3rd but provided no further details.

RagnarLocker's Modus Operandi

RagnarLocker is not a traditional RaaS. They first emerged in December of 2019 and were assessed to be related to or working in cooperation with Maze and MountLocker operators. RagnarLocker typically compromises victim networks through vulnerable Remote Desktop Protocol (RDP) software, a common ransomware technique. RagnarLocker was increasingly active in 2022, but attack volume has dripped off significantly in Q1-2023.

Ransom Demands and Techniques

RagnarLocker ransom demands vary and have been observed to exceed $10 million. RagnarLocker has both Windows and Linux versions that actively detect and bypass security tools on the targeted network, as well as scanning for virtual-based machines, and any remote management solutions. IT encrypts with a custom Salsa20 algorithm and has been observed terminating services that managed service providers (MSPs) to remotely protect and manage customer networks.

Targeting and Extortion Strategies

RagnarLocker is opportunistic and is assessed to target based on a victim’s ability to pay large ransom demands, focusing on the manufacturing, energy, financial services, government, and information technology sectors. RagnarLocker engages in data exfiltration for double extortion and maintains a leaks site called “Wall of Shame.” RagnarLocker will delete VSS Shadow Copies to thwart encryption rollback.