Image: Windows XP Bliss. Source: Microsoft

What you need to know

  • The FBI has issued a warning about the RagnarLocker ransomware, which deploys from a custom Windows XP virtual machine the attackers bring onto the target's network.
  • The warning is primarily intended to educate organizations about one of the many ransomware threats currently circulating.

While it's no secret that Windows XP still has plenty of legitimate, upstanding users, and reportedly still dominates operating system market share in one part of the world, not everyone who keeps the OS around, physical or virtualized, has good intentions. Enter: RagnarLocker.

RagnarLocker is ransomware being circulated by cybercriminals for the purpose of encrypting files and holding them for ransom. The FBI notes that it doesn't encourage ransomware victims to pay up, since that runs the risk of encouraging cybercriminals. Not to mention, there's no guarantee the criminals will release their hold on your files even after you pay. As for the threat of RagnarLocker specifically, here's how the FBI describes it (via ZDNet):

RagnarLocker is identified by the extension ".RGNR_<ID>," where <ID> is a hash of the computer's NETBIOS name. The actors, identifying themselves as "RAGNAR_LOCKER," leave a .txt ransom note, with instructions on how to pay the ransom and decrypt the data. RagnarLocker uses VMProtect, UPX, and custom packing algorithms and deploys within an attacker's custom Windows XP virtual machine on a target's site.
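The two on-disk indicators in the FBI description, the ".RGNR_<ID>" extension and a .txt note signed "RAGNAR_LOCKER", are easy to sweep for after the fact. The following is an added example, not code from the FBI, ZDNet, or this article, that scans a directory tree for both. It assumes the <ID> is a run of hexadecimal characters (the FBI text does not state its alphabet or length) and builds a constructed, harmless sample tree inline so it runs offline; the ransom note's file name in that sample is also an assumption.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Indicators from the FBI description: encrypted files carry a ".RGNR_<ID>"
# extension and a .txt ransom note contains the string "RAGNAR_LOCKER".
# ASSUMPTION: <ID> is treated as a run of hex characters; the FBI text does
# not specify the hash's alphabet or length, so widen this if your samples differ.
RGNR_EXT = re.compile(r"\.RGNR_[0-9A-Fa-f]+$")
NOTE_MARKER = "RAGNAR_LOCKER"


def scan_tree(root):
    """Walk `root` and return (encrypted_files, ransom_notes) as sorted lists
    of POSIX-style paths relative to `root`."""
    root = Path(root)
    encrypted, notes = [], []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if RGNR_EXT.search(p.name):
            encrypted.append(rel)
        elif p.suffix.lower() == ".txt":
            try:
                text = p.read_text(errors="ignore")
            except OSError:
                continue  # unreadable note: skip rather than abort the sweep
            if NOTE_MARKER in text:
                notes.append(rel)
    return sorted(encrypted), sorted(notes)


def build_sample_tree():
    """Create a CONSTRUCTED, benign directory layout mimicking a post-infection
    host (no real malware or real encrypted data) and return its path."""
    root = Path(tempfile.mkdtemp(prefix="rgnr_demo_"))
    docs = root / "docs"
    docs.mkdir()
    # A user document renamed with the RagnarLocker extension (constructed ID).
    (docs / "report.docx.RGNR_1A2B3C4D").write_bytes(b"\x00\x11\x22 constructed ciphertext")
    # The ransom note; its file name here is an assumption, only the marker matters.
    (docs / "RGNR_1A2B3C4D.txt").write_text("Hello! RAGNAR_LOCKER here. Instructions follow...")
    # An ordinary text file that must NOT be flagged.
    (docs / "notes.txt").write_text("ordinary meeting notes")
    # A system file left untouched, as the article says the malware does
    # deliberately, so the host keeps running.
    sys32 = root / "Windows" / "System32"
    sys32.mkdir(parents=True)
    (sys32 / "kernel32.dll").write_bytes(b"MZ constructed stub")
    return root


def demo():
    """Build the sample tree, scan it, clean up, and return the findings."""
    root = build_sample_tree()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    enc, notes = demo()
    print("encrypted files:", enc)
    print("ransom notes:   ", notes)
```

On a real host you would point scan_tree at the mounted volume rather than a temp directory, and hits on either list are enough to justify isolating the machine and pulling disk and memory images before anything is rebooted.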

The FBI notes that as of January 2022, at least 52 entities in sectors such as financial services, information technology, critical manufacturing, energy, and government have dealt with the consequences of RagnarLocker. The ransomware encrypts en masse, but deliberately skips specific files so the machine keeps running and the infection doesn't draw immediate attention while the rest is locked up.

Though RagnarLocker may be a particularly pesky foe, it's far from the only ransomware family on the loose. Ransomware has become a constant, and RagnarLocker is just one of the many operations currently active.