Experts warn of more Ragnar Locker attacks, days after group targets airline

The Ragnar Locker ransomware gang is likely to continue targeting critical infrastructure with attacks, according to a new study from researchers at cybersecurity firm Cybereason.

The report comes just days after the group took credit for one such attack — on TAP Air Portugal, the country's largest airline.

Cybereason said the threat level of Ragnar Locker ransomware attacks against critical infrastructure operators is high, noting its most recent attack against Greek gas pipeline DESFA. 

In March, the FBI released its own alert noting that the group was responsible for attacks on at least 52 entities across 10 critical infrastructure sectors, including companies involved in manufacturing, energy, financial services, government, and information technology sectors. 

The Cybereason report explained that the group’s ransomware first checks whether a potential victim is located within the Commonwealth of Independent States — a group of states formerly in the Soviet bloc — and what kind of security software they have on their devices.

If a victim is in Russia, Belarus or other former Soviet countries, it does not deploy. Once the ransomware confirms a victim is outside of those countries, it begins to extract data before encrypting everything and building a ransom note. 

Since 2019, the group has used the double extortion tactic — freezing access to systems and threatening to release stolen data — to extract as much money out of victims.

While the extent of the attack is unclear, TAP Air Portugal confirmed that it was a target, writing on Twitter that it managed to block the attempt. The company denied that any customer data was accessed during the incident.

On Thursday, the company released another message noting that the “website and the app are still registering some instability.”

The Ragnar Locker group posted a lengthy message on its leak site about TAP Air Portugal, claiming it has “hundreds” of GB of stolen data that rivaled the amount of user data stolen during the ransomware attack on EasyJet in 2020. 

The group continued to threaten to leak the data it stole and warned it could face similar lawsuits to the multi-billion dollar class action filing against EasyJet after their attack over the data breach.