On September 14, 2021, TTEC sent an internal message to its employees about a widespread system outage that had begun on September 12. Later that evening, TTEC confirmed that the outage was a ransomware attack by the Ragnar Locker group, and a screenshot of the notice sent to employees was also shared.

Screenshot of the TTEC internal message about the Ragnar Locker attack

TeleTech Holdings Incorporated, better known as TTEC, handles customer experience services for many of the world’s largest brands, including Credit Karma, Bank of America, Best Buy, Dish Network, Kaiser Permanente, Verizon, and USAA.

Recent Development 

The US Federal Bureau of Investigation (FBI) reports that Ragnar Locker ransomware has breached the networks of at least 52 organizations across multiple critical infrastructure sectors. We urge organizations to review the indicators of compromise (IOCs) provided in the FBI alert to detect and block Ragnar Locker ransomware attacks.

Securin’s Ransomware Reports Called Out the Vulnerability

In February 2021, Securin issued a warning about the CVE in its Ransomware Spotlight Report 2021, when the vulnerability was already associated with five ransomware families, including WannaCry.

CSW Ransomware Spotlight Report 2021 CVE association call out

Updates in the Ransomware Spotlight Report 2021 Q1 point to the CVE being used by the APT group Viking Spider, which is associated with, and known to use, Ragnar Locker ransomware.

CSW Ransomware Spotlight Report 2021 Q1 Ransomware and APT associations

CVE Findings

Securin’s expert pentesters and research analysts have analyzed the vulnerability leveraged by Ragnar Locker ransomware. 

CVE-2017-0213

  • CVE-2017-0213, also known as the Windows COM Elevation of Privilege Vulnerability, allows an attacker who can run a specially crafted application on an affected system (Windows 7 through Windows 10 and Windows Server 2008 through Windows Server 2016) to elevate privileges.

  • Because it is a medium-severity flaw with a CVSS v3 score of 4.7, it is easily overlooked by administrators, yet it has been a recurring concern since 2017.

  • The CVE is a local privilege escalation (PE) flaw: the attacker must already be able to run code on the host, which is why it appears as a post-access step in the attack chain described below rather than as an initial entry vector.

  • The vulnerability is also associated with five other ransomware families, namely Petya, Phobos, Nefilim, Mailto, and WannaCry, apart from Ragnar Locker.

  • The CVE has also been exploited multiple times by three APT groups: APT28, APT33, and APT41.

Unlocking Ragnar Locker

Here is a cheat sheet with information about Ragnar Locker ransomware.

Ragnar Locker Ransomware Cheat Sheet
  • Ragnar Locker was first discovered in December 2019.

  • It is known to use a ‘double extortion’ tactic: the attacker exfiltrates sensitive data first, then encrypts the files and threatens to leak the data if the ransom is not paid.

  • Ragnar Locker encrypts files with the Salsa20 stream cipher and protects the per-file Salsa20 keys with RSA-2048, so the files cannot be recovered without the operators’ private key.

  • Some prominent victims of Ragnar Locker ransomware include the computer memory maker ADATA, the corporate travel firm CWT, the Japanese game publisher Capcom, the Italian liquor maker Campari, and the French aerospace firm Dassault Falcon Jet.

  • Ragnar Locker changed its tactics when it announced that victims who seek the FBI’s help would have their stolen data leaked.

  • Ragnar Locker is also known to be associated with the advanced persistent threat (APT) group, Viking Spider.

Ragnar Locker Attack Methodology

Our researchers analyzed the attack methodology employed by Ragnar Locker ransomware. Here are their findings:

  1. The threat actor gains initial access by brute-forcing the target company’s exposed RDP service, looking for weak passwords, or by using stolen credentials.

  2. Once initial access is established, second-stage reconnaissance of the network is carried out.

  3. CVE-2017-0213, a Windows COM Aggregate Marshaler vulnerability, is exploited to escalate privileges on the compromised host.

  4. With elevated privileges, the attacker installs the VirtualBox hypervisor together with a stripped-down Windows XP image; the ransomware is run inside this VM to evade host-based detection. The Maze ransomware operators have used the same technique.

  5. A specially crafted VM configuration file is loaded into VirtualBox that maps every local drive into the guest as a shared folder, so the ransomware process running inside the VM can encrypt all files on the host. On the host, the only visible activity is that of the VirtualBox process, a legitimate and often trusted application, so the encryption is usually not flagged by host security tools.

  6. Ragnar Locker operators then delete volume shadow copies so that the encrypted files cannot be restored, and disable antivirus software so that it cannot detect or counter the encryption.

  7. A PowerShell script is used to move laterally from one network asset to another.

  8. Before launching the ransomware, the attackers exfiltrate sensitive data and upload it to multiple servers, ready to be published if the ransom is not paid.

  9. The ransomware is then deployed across the host network.
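The chain above is useful as a detection template: no single step is conclusive on its own, but several of them on the same host within a short window is a strong signal. The script below is an added example, not code from the original post or from Securin, that runs the chain as correlation logic over constructed Windows event records. Assumptions (labelled in the code): the event fields (EventID, Host, SourceIP, LogonType, TargetUser, Image, CommandLine) are a simplified normalisation of Windows Security and Sysmon events rather than any vendor schema; the VirtualBox process names are given as indicators of the VM-based encryption step; the sample events are constructed for illustration and are not real telemetry.

```python
"""Added example: correlate the Ragnar Locker attack chain over normalised
Windows events. Field names and sample data are assumptions for illustration."""
from collections import defaultdict
import re

RDP_FAIL_THRESHOLD = 10
# VirtualBox binaries (assumed indicator list): while the VM encrypts the mapped
# drives, these are the only processes the host sees.
VBOX_IMAGES = {"vboxheadless.exe", "vboxmanage.exe", "virtualbox.exe"}
SHADOW_DELETE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
LATERAL_PS = re.compile(
    r"(Invoke-Command\s+-ComputerName|Enter-PSSession|Invoke-WmiMethod[^\n]*-ComputerName)", re.I)


def detect_rdp_bruteforce(events, threshold=RDP_FAIL_THRESHOLD):
    """Step 1: many failed logons (4625) from one source IP against a host,
    followed by a successful RDP logon (4624, LogonType 10) from the same IP.
    Events are assumed to be in time order."""
    fails = defaultdict(int)  # (host, source IP) -> failure count
    hits = []
    for ev in events:
        key = (ev["Host"], ev.get("SourceIP"))
        if ev["EventID"] == 4625:
            fails[key] += 1
        elif ev["EventID"] == 4624 and ev.get("LogonType") == 10 and fails[key] >= threshold:
            hits.append({"host": ev["Host"], "src": ev["SourceIP"],
                         "user": ev["TargetUser"], "failures": fails[key]})
    return hits


def detect_virtualbox(events, allowed_hosts=frozenset()):
    """Steps 4-5: a VirtualBox process starts on a host where it is not expected."""
    hits = []
    for ev in events:
        if ev["EventID"] != 1:  # Sysmon process creation
            continue
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        if image in VBOX_IMAGES and ev["Host"] not in allowed_hosts:
            hits.append({"host": ev["Host"], "image": image, "cmd": ev.get("CommandLine", "")})
    return hits


def detect_shadow_deletion(events):
    """Step 6: shadow copies deleted so recovery without paying is impossible."""
    return [{"host": ev["Host"], "cmd": ev["CommandLine"]} for ev in events
            if ev["EventID"] == 1 and SHADOW_DELETE.search(ev.get("CommandLine", ""))]


def detect_ps_lateral(events):
    """Step 7: PowerShell used to reach other hosts."""
    return [{"host": ev["Host"], "cmd": ev["CommandLine"]} for ev in events
            if ev["EventID"] == 1 and ev["Image"].lower().endswith("powershell.exe")
            and LATERAL_PS.search(ev.get("CommandLine", ""))]


def correlate(events, allowed_vbox_hosts=frozenset()):
    """Map each host to the chain stages observed on it; two or more stages on
    one host is a far stronger signal than any single rule firing."""
    stages = defaultdict(set)
    for h in detect_rdp_bruteforce(events):
        stages[h["host"]].add("rdp_bruteforce")
    for h in detect_virtualbox(events, allowed_vbox_hosts):
        stages[h["host"]].add("virtualbox_deployed")
    for h in detect_shadow_deletion(events):
        stages[h["host"]].add("shadow_copies_deleted")
    for h in detect_ps_lateral(events):
        stages[h["host"]].add("powershell_lateral")
    return {host: sorted(s) for host, s in stages.items()}


# Constructed sample events (not real telemetry): a jump host is brute-forced over
# RDP, VirtualBox appears, shadow copies are wiped and PowerShell fans out.
SAMPLE_EVENTS = (
    [{"EventID": 4625, "Host": "JUMP01", "SourceIP": "203.0.113.7", "TargetUser": "admin"}
     for _ in range(12)]
    + [{"EventID": 4624, "Host": "JUMP01", "SourceIP": "203.0.113.7",
        "TargetUser": "admin", "LogonType": 10}]
    + [
        {"EventID": 1, "Host": "JUMP01",
         "Image": r"C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe",
         "CommandLine": "VBoxHeadless.exe --startvm vm1"},
        {"EventID": 1, "Host": "JUMP01", "Image": r"C:\Windows\System32\vssadmin.exe",
         "CommandLine": "vssadmin delete shadows /all /quiet"},
        {"EventID": 1, "Host": "JUMP01",
         "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "CommandLine": "powershell.exe -nop -w hidden Invoke-Command -ComputerName FS01,FS02 -FilePath C:\\temp\\run.ps1"},
        # benign noise: a developer workstation that legitimately runs VirtualBox
        {"EventID": 1, "Host": "DEV07",
         "Image": r"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe",
         "CommandLine": "VirtualBox.exe"},
    ]
)

if __name__ == "__main__":
    for host, seen in correlate(SAMPLE_EVENTS, allowed_vbox_hosts={"DEV07"}).items():
        print(host, seen)
```

The allow-list for VirtualBox hosts is the important knob: the hypervisor is legitimate software, so the rule is only useful where an inventory says the host should not be running it. The other rules are deliberately narrow (an exact shadow-copy deletion command, a remoting cmdlet with an explicit target) so that the value comes from several stages lining up on one host, not from any one of them alone.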

Ragnar Locker Attack Methodology

Ragnar Locker MITRE Map

Ragnar Locker MITRE ATT&CK mapping

IoCs for Ragnar Locker

Increasing Awareness to Prevent Ransomware Attacks

As the TTEC story is still evolving, the extent and severity of the impact are not yet certain. Immediately after the attack, TTEC disconnected its systems, a move that helps contain the spread of the ransomware to partner networks. The full impact of the event will be uncovered in the months to come.

Ransomware attacks have made headlines repeatedly since the Colonial Pipeline attack in May 2021, the JBS attack in June 2021, and the REvil attack on Kaseya in July 2021. Understanding how susceptible an organization is to ransomware is the need of the hour.

We urge organizations to upgrade their servers, patch their software, and carry out regular ransomware assessments to ensure that their systems are protected against the devastation of a ransomware attack.


Securin’s in-depth research helps organizations become more resilient against ransomware. We recommend that organizations get a Ransomware Assessment to identify gaps, understand exposure, and become resilient to ransomware attacks in the future.
