On Saturday, 20 August, Greece’s largest natural gas supplier DESFA said it was hit by a cyber-attack that impacted the availability of some of its systems.
The hacking group operating under the name of Ragnar Locker claimed responsibility for the ransomware attack, saying it had published more than 360 GB of data allegedly stolen from DESFA.
Almost two weeks after the attack, security researchers from Cybereason have now released a Threat Analysis Report describing the details of the attack.
“Ragnar Locker is a ransomware that has been in use since at least December 2019 and is generally aimed at English-speaking users,” reads the document. “The Ragnar Locker ransomware has been on the FBI’s radar since the gang breached more than fifty organizations across ten critical infrastructure sectors.”
The Cybereason advisory suggests that the first thing Ragnar Locker performs after infecting a system is to check the infected machine’s locale. If it finds a match with certain countries, including Russia, Ukraine and Belarus, the malware does not execute, and the process is terminated.
Otherwise, the ransomware starts extracting information about the infected machine and attempts to identify the existing file volumes on the host. After the identification phase, Ragnar Locker starts encrypting files and creates a ransom note, which is then displayed to the victim.
Cybereason also says that Ragnar Locker is able to check if specific products are installed, particularly security software like antivirus, virtual-based software, backup solutions and IT remote management solutions, in order to circumvent their defenses and avoid detection.
The attack on DESFA marks the second time a significant pipeline company has been hit by ransomware in recent times, following the Colonial Pipeline attack in May 2021.
More recently, the UK, US and Australian authorities have issued a joint warning aimed at critical national infrastructure (CNI) providers to step up their security efforts amid a surge in ransomware attacks.