{"id":7425,"date":"2021-10-21T15:30:42","date_gmt":"2021-10-21T22:30:42","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7425"},"modified":"2023-04-20T02:24:46","modified_gmt":"2023-04-20T09:24:46","slug":"ragnar-locker-ransomware-hits-customer-care-giant-ttec","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/ragnar-locker-ransomware-hits-customer-care-giant-ttec\/","title":{"rendered":"Ragnar Locker Ransomware Hits Customer Care Giant TTEC"},"content":{"rendered":"<p style=\"text-align: justify;\"><strong>On September 14, 2021, TTEC sent an <a href=\"https:\/\/krebsonsecurity.com\/2021\/09\/customer-care-giant-ttec-hit-by-ransomware\/\" target=\"_blank\" rel=\"noopener\">internal message<\/a> to its employees about a widespread system outage that began on September 12. Later that evening, TTEC confirmed that the outage was a ransomware attack by the notorious Ragnar Locker group. The TTEC administration also shared a screen-grab of the notice to its employees.<\/strong><\/p>\n<p style=\"text-align: justify;\"><img decoding=\"async\" class=\"aligncenter\" style=\"height: 175px; width: 300px;\" src=\"https:\/\/lh4.googleusercontent.com\/eHB3Nu_4lIjFuejjBXEZ8Rx_478Q5B-z4V-XqxaJHHvdXTsx8tOQmR_DScleC3ZweF68t-5WOKCoPS9nztrEWBrvqTxjJMZsOcO8v9lJLgWVcJEgj7tBLeErW7aUEtoNmj4xQR9e=s1600\" alt=\"TTEC internal message about Ragnar Locker attack\" \/><\/p>\n<p dir=\"ltr\" style=\"text-align: center;\"><em>A screenshot of the internal message<\/em><\/p>\n<p dir=\"ltr\" style=\"text-align: justify;\">TeleTech Holdings Incorporated, better known by its acronym, TTEC, handles the customer experience for most of the world\u2019s largest brands, including Credit Karma, Bank of America, Best Buy, Dish Network, Kaiser Permanente, Verizon, and USAA.<\/p>\n<p dir=\"ltr\" style=\"text-align: justify;\"><strong>Recent Development\u00a0<\/strong><\/p>\n<p style=\"text-align: justify;\">The US Federal Bureau of Investigation (FBI) <a href=\"https:\/\/www.documentcloud.org\/documents\/21397387-ragnarlocker-ransomware-indicators-of-compromise\">reports<\/a> that Ragnar Locker ransomware has breached the networks of at least 52 organizations in multiple critical infrastructure sectors. We urge organizations to review the provided\u00a0<a href=\"https:\/\/www.documentcloud.org\/documents\/21397387-ragnarlocker-ransomware-indicators-of-compromise\">indicators of compromise (IOCs)<\/a> to detect and block Ragnar Locker ransomware attacks.<\/p>\n<h2 dir=\"ltr\" style=\"text-align: justify;\"><strong>Securin\u2019s Ransomware Reports Called Out the Vulnerability<\/strong><\/h2>\n<p style=\"text-align: justify;\">In February 2021, Securin had issued a warning about the CVE in its <a href=\"https:\/\/cybersecurityworks.com\/resources\/whitepapers\/ransomware-2021-spotlight-report-through-the-lens-of-threat-and-vulnerability-management.html\" target=\"_blank\" rel=\"noopener\">Ransomware Spotlight Report 2021,<\/a> when the vulnerability was associated with five ransomware families, including WannaCry.<\/p>\n<p dir=\"ltr\" style=\"text-align: justify;\"><img decoding=\"async\" class=\"aligncenter\" style=\"height: 58px; width: 550px;\" src=\"https:\/\/lh5.googleusercontent.com\/3Paah2i9bxoKsMKsXqFZSngejEa-qrLS1ZdUKaAueAtIOW4pNNA5xVxRfHUaX30LjJANcAR_lbEWtabQjQhT2dRR1YCY74s5WMJ3v3czxWiQWqa6k-UsZAMcWBOwj6Mx1smKKGK0=s1600\" alt=\"CSW Ransomware Spotlight Report 2021 CVE association call out\" \/><\/p>\n<p dir=\"ltr\" style=\"text-align: justify;\">Updates in the <a href=\"https:\/\/cybersecurityworks.com\/resources\/whitepapers\/ransomware-index-update-q1-2021.html\" target=\"_blank\" rel=\"noopener\">Ransomware Spotlight Report 2021 Q1<\/a> point to the CVE being used by the APT group, Viking Spider. which, in turn, is associated with and known to use Ragnar Locker ransomware.<\/p>\n<p style=\"text-align: justify;\"><img decoding=\"async\" class=\"aligncenter\" style=\"height: 91px; width: 550px;\" src=\"https:\/\/lh5.googleusercontent.com\/yslmnchVjAaVaUeAXGhdIoTwBoLFtLUACYHb6e29XIGn0I_WDIsOvCq5Z_30uSYBUa3fo3I8je5epYxS2ULkDgS2ehJ72uYx2Ke5tSHq2ptzyHxdBoLaRrp4pNPW158a8hisTy3d=s1600\" alt=\"CSW Ransomware Spotlight Report 2021 Q1 Ransomware and APT associations\" \/><\/p>\n<h2 dir=\"ltr\" style=\"text-align: justify;\"><strong>CVE Findings<\/strong><\/h2>\n<p dir=\"ltr\" style=\"text-align: justify;\"><strong>Securin\u2019s expert pentesters and research analysts have analyzed the vulnerability leveraged by Ragnar Locker ransomware.\u00a0<\/strong><\/p>\n<p style=\"text-align: justify;\"><strong>CVE-2017-0213<\/strong><\/p>\n<ul style=\"text-align: justify;\">\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-0213\" target=\"_blank\" rel=\"noopener\">CVE-2017-0213<\/a>, also known as a Windows COM Elevation of Privilege Vulnerability, allows attackers to gain elevation of privilege when they run a specially crafted application on any version of Windows between 2016 and Windows 10.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">As it is a medium-severity flaw with a CVSS v3 score of 4.7, it can be overlooked by administrators; it has been a major concern since 2017.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">The CVE also has remote code execution (RCE) and privilege escalation (PE) capabilities.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">The vulnerability is also associated with five ransomware families, namely, Petya, Phobos, Neifilim, Mailto, and Wannacry, apart from Ragnar Locker.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">The CVE has also been exploited multiple times by three APT groups: APT28, APT33, and APT41.<\/p>\n<\/li>\n<\/ul>\n<h2 dir=\"ltr\" style=\"text-align: justify;\"><strong>Unlocking Ragnar Locker<\/strong><\/h2>\n<p style=\"text-align: justify;\">Here is a cheat sheet with information about\u00a0Ragnar Locker ransomware.<\/p>\n<table class=\"aligncenter\" style=\"width: 500px;\" border=\"1\" cellspacing=\"1\" cellpadding=\"1\" align=\"center\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><strong>Ragnar Locker Ransomware Cheat Sheet<\/strong><\/td>\n<\/tr>\n<tr>\n<td>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" style=\"text-align: justify;\" role=\"presentation\">Ragnar Locker was first discovered in December 2019.<\/p>\n<\/li>\n<li dir=\"ltr\" style=\"text-align: justify;\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">It is known to use a \u2018double extortion\u2019 tactic; the attacker exfiltrates sensitive data first and then encrypts all files, threatening to leak the data if the ransom is not paid.<\/p>\n<\/li>\n<li dir=\"ltr\" style=\"text-align: justify;\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Ragnar Locker uses a Salsa20 file encryption algorithm. It also uses an RSA-2048 algorithm to encrypt file keys.<\/p>\n<\/li>\n<li dir=\"ltr\" style=\"text-align: justify;\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Some prominent victims of Ragnar Locker ransomware include computer memory maker, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/adata-suffers-700-gb-data-leak-in-ragnar-locker-ransomware-attack\/\" target=\"_blank\" rel=\"noopener\">ADATA<\/a>, corporate travel firm, <a href=\"https:\/\/cybelangel.com\/blog\/ragnar-locker-targets-cwt\/\" target=\"_blank\" rel=\"noopener\">CWT<\/a>, Japanese game publisher, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/capcom-hit-by-ragnar-locker-ransomware-1tb-allegedly-stolen\/\" target=\"_blank\" rel=\"noopener\">Capcom<\/a>, Italian liquor maker, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/campari-hit-by-ragnar-locker-ransomware-15-million-demanded\/\" target=\"_blank\" rel=\"noopener\">Campari<\/a>, and French aerospace firm, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/dassault-falcon-jet-reports-data-breach-after-ransomware-attack\/\" target=\"_blank\" rel=\"noopener\">Dassault <\/a>Falcon Jet.<\/p>\n<\/li>\n<li dir=\"ltr\" style=\"text-align: justify;\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Ragnar Locker changed their tactics when they <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ransomware-gang-threatens-to-leak-data-if-victim-contacts-fbi-police\/\" target=\"_blank\" rel=\"noopener\">announced<\/a> that\u00a0 victims who seek the FBI&#8217;s help would have their files leaked.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" style=\"text-align: justify;\" role=\"presentation\">Ragnar Locker is also known to be associated with the advanced persistent threat (APT) group, Viking Spider.<\/p>\n<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2 style=\"text-align: justify;\"><strong>Ragnar Locker Attack Methodology<\/strong><\/h2>\n<p style=\"text-align: justify;\"><strong>The <a href=\"https:\/\/www.acronis.com\/en-sg\/articles\/ragnar-locker\/\" target=\"_blank\" rel=\"noopener\">attack methodology<\/a> incorporated by Ragnar Locker ransomware was analyzed by our researchers. Here are their findings:<\/strong><\/p>\n<ol style=\"text-align: justify;\">\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">The threat actor begins the attack by compromising the target company\u2019s network via RDP service using brute-force, hoping to uncover weak passwords or steal credentials.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Second-stage reconnaissance is carried out after successful initial access is established.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">CVE-2017-0213, a Windows COM Aggregate Marshaler vulnerability is exploited to escalate privileges.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">After privilege escalation, the attacker deploys a virtual machine hosting platform called VirtualBox along with a WindowsXP image, so that it can evade detection and start its ransomware encryption program. This technique is also used by the Maze ransomware operators.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">A specially-crafted VM file is loaded onto the VirtualBox to help map all local drives. This file allows the ransomware process running within the VM to encrypt all files. This encryption process appears to be a trusted one to administrators on the host security team and is usually ignored by security protocols.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Ragnar Locker operators then delete any shadow copies left after the encryption process and disable antivirus software from detecting and imposing countermeasures.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">A PowerShell script is used to move laterally from one network asset to another.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Before launching their ransomware, the attackers steal sensitive information and upload them to multiple servers to publish them if the ransom is not paid.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">The ransomware is then deployed onto the host network.<\/p>\n<\/li>\n<\/ol>\n<p style=\"text-align: justify;\"><img decoding=\"async\" class=\"aligncenter\" style=\"height: 292px; width: 500px;\" src=\"https:\/\/lh5.googleusercontent.com\/xtCK3aPUSjQhtYP9QDtSCkOG5b-8ecHS2KA2VVB388V1v0eqVFf3B2PqlnRT4bccFgPSox3uKNIg2OD2QbHKhYLlAhidSHaYvxUKKT8sxcHR4fUVBHht16SUBHt5JwNEY5mlusD9=s1600\" alt=\"Ragnar Locker Attack Methodology\" \/><\/p>\n<h2 dir=\"ltr\" style=\"text-align: justify;\"><strong>Ragnar Locker MITRE Map<\/strong><\/h2>\n<p dir=\"ltr\" style=\"text-align: justify;\"><img decoding=\"async\" class=\"aligncenter\" style=\"height: 100%; width: 100%;\" src=\"https:\/\/lh4.googleusercontent.com\/KLFfuF-tYLmlGt3p7_KW9K44b5BM0M3mqIb3gvC11Poe7ewvacBlvmXIhjFPNe_v74iJjqh9hidbASbinGRzeQL7XLV7qKc4bLI4jGV-x_sruTkNINnLiKuyjDEz8EnaXP-8k_LP=s1600\" alt=\"Ragnar Locker Mitre Att&amp;ck Mapping\" \/><\/p>\n<table style=\"width: 500px;\" border=\"1\" cellspacing=\"1\" cellpadding=\"1\" align=\"center\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><strong>IoCs for Ragnar Locker<\/strong><\/td>\n<\/tr>\n<tr>\n<td>\n<ul>\n<li>\u00a0MD5(packed): 6d122b4bfab5e75f3ae903805cbbc641<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">SHA256(packed): 68eb2d2d7866775d6bf106a914281491d23769a9eda88fc078328150b8432bb3<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">MD5: 6360b252b21fe015d667b093f6497e33<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">SHA256: 1de475e958d7a49ebf4dc342f772781a97ae49c834d9d7235546737150c56a9c<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">ragnar_{computer_id}<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">.keys<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">RGNR_{computer_id}.txt<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"http:\/\/mykgoj7uvqtgl367.onion\/client\/?6bECA2b2AFFfBC1Dff0aa0EaaAd468bec0903b5e4Ea58ecde3C264bC55c7389E\" target=\"_blank\" rel=\"noopener\">http:\/\/mykgoj7uvqtgl367.onion\/client\/?6bECA2b2AFFfBC1Dff0aa0EaaAd468bec0903b5e4Ea58ecde3C264bC55c7389E<\/a><\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"http:\/\/p6o7m73ujalhgkiv.onion\/?page_id=171\" target=\"_blank\" rel=\"noopener\">http:\/\/p6o7m73ujalhgkiv.onion\/?page_id=171<\/a><\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"http:\/\/rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion\/\" target=\"_blank\" rel=\"noopener\">http:\/\/rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion\/<\/a><\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><a href=\"http:\/\/rgleak7op734elep.onion\/\" target=\"_blank\" rel=\"noopener\">http:\/\/rgleak7op734elep.onion\/<\/a><\/p>\n<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2 dir=\"ltr\" style=\"text-align: justify;\"><\/h2>\n<h2 dir=\"ltr\" style=\"text-align: justify;\"><strong>Increasing Awareness to Prevent Ransomware Attacks<\/strong><\/h2>\n<p style=\"text-align: justify;\">As the TTEC story is still evolving, the extent and severity of the impact is not certain. Immediately after the attack, TTEC disconnected their systems, a move that can be beneficial in containing the spread of the ransomware to partner networks. The full impact of the event will be uncovered in the months to come.<\/p>\n<p style=\"text-align: justify;\">With a spike in the number of ransomware attacks making the headlines since the <a href=\"https:\/\/cybersecurityworks.com\/blog\/ransomware\/darkside-the-ransomware-that-brought-a-us-pipeline-to-a-halt.html\" target=\"_blank\" rel=\"noopener\">Colonial Pipeline attack<\/a> in May 2021, the <a href=\"https:\/\/cybersecurityworks.com\/blog\/ransomware\/revil-brings-down-jbs-the-worlds-largest-meat-packer.html\" target=\"_blank\" rel=\"noopener\">JBS attack<\/a> in June 2021, and the <a href=\"https:\/\/cybersecurityworks.com\/blog\/ransomware\/kaseya-vsa-downed-by-revil-in-monumental-supply-chain-attack.html\" target=\"_blank\" rel=\"noopener\">REvil Kaseya attack<\/a> in July 2021, being aware of how susceptible organizations are to ransomware attacks is the need of the hour.<\/p>\n<p style=\"text-align: justify;\">We urge organizations to upgrade their servers, update their software, and carry out regular ransomware assessments to ensure that their systems are protected against the devastation of a ransomware attack.<\/p>\n<p>&nbsp;<\/p>\n<p dir=\"ltr\" style=\"text-align: justify;\"><strong>Securin&#8217;s in-depth research helps organizations become more resilient against ransomware. We recommend that organizations get a<a href=\"https:\/\/cybersecurityworks.com\/get-quote.php\" target=\"_blank\" rel=\"noopener\"> Ransomware Assessment<\/a> to identify gaps, understand exposure, and become resilient to ransomware attacks in the future.<\/strong><\/p>\n<p dir=\"ltr\" style=\"text-align: justify;\">\n","protected":false},"excerpt":{"rendered":"<p>US-based customer support and sales representative company handling the world\u2019s largest brands, TTEC, faces a network outage following a ransomware attack and sparks fears of a supply-chain attack. Read on to find out more about the attack.<\/p>\n","protected":false},"author":1,"featured_media":7426,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":""},"categories":[80,117],"tags":[442,425,125,439,91,367,88,440,441],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7425"}],"collection":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/comments?post=7425"}],"version-history":[{"count":7,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7425\/revisions"}],"predecessor-version":[{"id":17887,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7425\/revisions\/17887"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media\/7426"}],"wp:attachment":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media?parent=7425"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/categories?post=7425"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/tags?post=7425"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}