Ragnar Locker Ransomware hits Customer Care Giant TTEC
Posted on Oct 21, 2021 | Updated on Mar 23, 2022 | By Surojoy Gupta
On September 14, 2021, an internal message was passed on by TTEC to its employees about a widespread system outage that began on September 12. TTEC confirmed that it was a ransomware attack attributed to the notorious Ragnar Locker group later that evening. The TTEC administration shared a screen-grab of the notice to the employees in the company.
A screenshot of the internal message
TeleTech Holdings Incorporated, better known by its acronym, TTEC, handles the customer experience for most of the world’s largest brands including Credit Karma, Bank of America, Best Buy, Dish Network, Kaiser Permanente, Verizon, and USAA.
The US Federal Bureau of Investigation (FBI) reports that Ragnar Locker ransomware has breached the networks of at least 52 organizations in multiple critical infrastructure sectors. We urge organizations to review the provided indicators of compromise (IOCs) to detect and block Ragnar Locker ransomware attacks.
CSW’s Ransomware Reports Call Out the Vulnerability
CSW initially warned of the CVE in February 2021 in the Ransomware Spotlight Report 2021 when the vulnerability was associated with five ransomware families, including WannaCry.
The CVE updates in the Ransomware Spotlight Report 2021 Q1, point to the CVE being used by the APT group, Viking Spider. Viking Spider, in turn, is associated with and known to use Ragnar Locker ransomware.
CSW’s expert pentesters and research analysts have looked at the vulnerability leveraged by Ragnar Locker ransomware. Here is their analysis:
CVE-2017-0213, also known as a Windows COM Elevation of Privilege Vulnerability, allows attackers to gain elevation of privilege when they run a specially crafted application on any Windows version between Windows 2016 and Windows 10.
Since it is a medium severity flaw with a CVSS v3 score of 4.7, it can be overlooked by administrators and has been a major concern since 2017.
The CVE also has remote code execution (RCE) and privilege escalation (PE) capabilities.
The vulnerability is also associated with five ransomware families, namely, Petya, Phobos, Neifilim, Mailto, and Wannacry, apart from Ragnar Locker.
The CVE has also been exploited multiple times by three APT groups--APT 28, APT 33, and APT 41.
Unlocking Ragnar Locker
Here is a cheat sheet with information about Ragnar Locker ransomware.
|Ragnar Locker Ransomware Cheat Sheet|
Ragnar Locker Attack Methodology
The attack methodology incorporated by Ragnar Locker ransomware was analyzed by our researchers. Here are their findings:
The threat actor begins the attack by compromising the target company’s network via RDP service using brute-force, hoping to uncover weak passwords or steal credentials.
Second-stage reconnaissance is carried out after successful initial access is established.
CVE-2017-0213, a Windows COM Aggregate Marshaler vulnerability is exploited to escalate privileges.
After privilege escalation, the attacker deploys a virtual machine hosting platform called VirtualBox along with a WindowsXP image so that it can evade detection and start its ransomware encryption program. This technique is also used by the Maze ransomware operators.
A specially-crafted VM file is loaded onto the VirtualBox to help map all local drives. This file allows the ransomware process running within the VM to encrypt all files. This encryption process appears to be a trusted one to administrators on the host security team and is usually ignored by security protocols.
Ragnar Locker operators then delete any shadow copies left after the encryption process and disable antivirus software from detecting and imposing countermeasures.
A PowerShell script is used to move laterally from one network asset to another.
Before launching their ransomware, the attackers steal sensitive information and upload them to multiple servers in order to publish them if the ransom is not paid.
The ransomware is then deployed onto the host network.
Ragnar Locker MITRE Map
|IoCs for Ragnar Locker|
Increasing awareness to prevent ransomware attacks
Since the TTEC story is still evolving, the extent and severity of the impact are still uncertain. Immediately after the attack, TTEC disconnected their systems, a move that can be beneficial in containing the spread of the ransomware to partner networks. The full impact of the event will be uncovered in the months to come.
With a spike in the number of ransomware attacks making the headlines since the Colonial Pipeline attack in May 2021, the JBS attack in June 2021, and the REvil Kaseya attack in July 2021, being aware of how susceptible organizations are to ransomware attacks is the need of the hour.
We urge organizations to upgrade their servers, update their software and carry out regular ransomware assessments to ensure that their systems are protected against the wrath of a ransomware attack.
CSW’s in-depth research helps organizations become more resilient against ransomware. We recommend organizations get a Ransomware Assessment done to know the gaps, understand the exposure, and become resilient to ransomware attacks in the future.
Never miss a patch or an update with CSW's Patch Watch Newsletter. Subscribe now!