
The hackers behind the DESFA attack


A ransomware group that the FBI has linked over the past two years to attacks on 52 organizations and companies associated with critical infrastructure in the USA has reportedly claimed responsibility for a recent cyberattack on the national operator of the natural gas system in Greece.

On August 20, DESFA announced that part of its IT infrastructure had been cyberattacked by “cybercriminals trying to gain illegal access to electronic files, which confirmed the impact on the availability of certain systems and the possible leakage of files and data.” According to the same announcement, IT services were deactivated as a precautionary measure, while the adequate and uninterrupted operation of the national gas supply system at all entry and exit points of the country was reportedly ensured without problems.

The Ragnar Locker group, in messages posted on the dark web, is reportedly claiming responsibility for the cyberattack. At the same time, it posted screenshots of various DESFA files that it allegedly holds. One of them, brought to the attention of “K”, carries the logo of a specific hacker group as a watermark and appears to be an excerpt from a draft budget marked “private and confidential”.

Image from a DESFA file believed to be in the possession of the hackers.

In March 2022, the FBI released a report on this particular ransomware group. In April 2020, U.S. federal authorities first became aware of the Ragnar Locker malware and its variants, which are used to encrypt targets' digital files and hold them hostage. By January 2022, the FBI had identified at least 52 victims in the US. These were critical infrastructure organizations and companies, including those related to energy and construction.

DESFA reports that so far none of its files have been blocked and no ransom demand has been made known.

In the case of DESFA, it is not yet clear exactly when the hackers managed to break into its electronic systems and what vulnerability they used. In other attacks in the past, they have launched a “brute-force attack,” a technique that involves exhaustive testing of potential encryption keys to crack a password.

According to an FBI report, attackers using this malware determine the location of the machines they infect and, if they find that their target is in Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Russia, Turkmenistan, Uzbekistan, Ukraine, or Georgia, disable the malware. Perhaps this points to the possible origin of the cybercriminals.

Typically, those behind the use of Ragnar Locker leave their victim a ransom note in .txt format with instructions on how to pay them in some sort of cryptocurrency to decrypt their data. However, according to K’s information, so far DESFA reports that none of its files have been blocked and no ransom demand has been reported.

In its official statement, DESFA emphasizes that it “remains steadfast in its position not to engage in dialogue with cybercriminals.” The operator notes that it is working with experts from Greece and abroad and that the relevant authorities have been informed of the cyberattack, including the Cybercrime Prosecutor’s Office and the National Defense General Staff.

In September 2021, the cybercriminals behind the use of Ragnar Locker threatened to reveal intercepted data if their victims contacted the FBI or professional negotiators.

Other targets

In November 2020, the cybercriminals behind Ragnar Locker attacked the Japanese video game company Capcom (which created the popular video games Street Fighter and Resident Evil, among others) with ransomware, claiming to have stolen a terabyte of sensitive data from the company’s networks in the USA, Japan and Canada. The same group is credited with cyberattacks on the Portuguese energy group EDP, as well as on the French container company CMA CGM. Leaking files that have been accessed is increasingly being used by ransomware groups as an additional means of pressure to force victims to comply with their demands. Similar tactics were followed by the perpetrators of the cyberattack on the municipality of Thessaloniki in the summer of 2021, who published documents on the Internet. It was said at the time that a group called Grief was behind that cyberattack.

Author: Giannis Papadopoulos

Source: Kathimerini
