Infrastructure companies, which have seen a record rise in ransomware attacks targeting their systems since 2019, have remained the primary targets of the operators behind Ragnar Locker. Earlier this month, the FBI issued a warning that it had identified at least 52 compromised entities across 10 critical infrastructure sectors in the USA alone since the start of the year.

First observed in late 2019, Ragnar Locker is a complex piece of ransomware designed specifically to target devices running Microsoft Windows. Where many pieces of malware are almost entirely automated, Ragnar Locker requires manual deployment after its initial insertion on a compromised device. Before enabling the ransomware, the attackers first perform reconnaissance and then inject a module that gathers potentially sensitive data and uploads it to their servers. Once that is accomplished, they activate the malware, which notifies users that their files are locked and will be released to the public unless a ransom is paid.

More recently, analysts have observed that Ragnar Locker and its component parts move quickly to encrypt everything on a target system except for a small set of items on a pre-populated exclusion list. The exceptions are typically files critical to basic system operation, such as certain .exe and .dll files in the Windows directories, so the device stays operational while the ransomware keeps running. The malware is sophisticated: it has even been detected being deployed on virtual machines inside Oracle systems, with installers as small as 100 KB.

Infrastructure hasn't been the only target of the operators behind Ragnar Locker. Video game developer Capcom and the Italian liquor maker Campari were also hit by this malware in 2020, along with several European firms and consortiums, showing how broad its target set has been.

When dealing with malware, prevention is by far more efficient than remediation. In response to the surge of this malware, the FBI has recommended that organisations ensure they have basic measures in place, including data backups, both local and in the cloud, as well as ensuring all operators use two-factor authentication.

Unfortunately, many organisations are lagging behind in their cybersecurity solutions and responses. Malware such as Ragnar Locker is slipping through the cracks in detection and often goes unnoticed by operators.

This highlights the need for stronger machine learning modules and capabilities in cybersecurity efforts, as well as the tooling and automation (SOAR) needed to make them function efficiently. More automation frees up operator resources and gives decision makers better data, faster, than an unconnected system that often involves dozens, if not hundreds, of separate tools.

Considering expanding into SOAR integrations, upgrading existing cybersecurity operations, or designing custom playbooks? Metron is a development partner with leading SOAR platforms and has extensive experience in the automations field. If you are considering any custom cybersecurity solution that focuses on the resources and needs of your organisation, please send a note to