The FBI warns that personal and corporate systems running Windows XP or its virtual machine variations are vulnerable from a particularly insidious foe: ransomware known as RagnarLocker.

Ransomware is software designed to infect devices and encrypt the files they contain, with the purpose of allowing cybercriminals to hold them to ransom (hence the name). They work by finding vulnerabilities in different operating systems (OS), and as such, each is specifically tailored to attack a certain OS.

Windows XP is a tested-and-true veteran of the OS world. Despite its age — Windows XP was released in 2001 — its versatility, ease of use, and stable operation have allowed it to remain in wide use with households and institutions around the world. At the beginning of March, the FBI issued a warning that weaknesses in the system have led to the emergence of insidious and powerful ransomware that has been quite successful until now.

Locked for ransom

According to the FBI, RagnarLocker is best identified by looking for the extension “.RGNR_”. The actors behind an attack will start by compromising a company or individual’s private network, through which they will install the ransomware on any connected devices. This step is achieved either by brute-forcing weak passwords (i.e. automatically generating and inputting passwords) or by using stolen or leaked credentials.

After getting access to a machine, RagnarLocker sets to its inglorious work. The program will scan the device for any files of interest. It will then decide which files need to remain unencrypted to ensure the device continues running normally — such as Windows-specific files. Next, it sets up a specially-crafted virtual machine image on the computer, so any users continue believing everything is normal. The software then copies and transfers sensitive data to a different computer before encrypting them on the compromised terminals. The ransomware code is protected with various obfuscation techniques such as adding junk code that doesn’t do anything, as well as adding some encryption to the files to prevent recovery of the data.

The final step is for the criminals to spring the “double extortion” tactic. According to the FBI, this consists of the attacker demanding ransom for the encrypted files, while also threatening to leak the data if the victim refuses to pay.

Despite this, the FBI advises victims not to pay up, as this encourages the criminals to continue plying their trade. There is also no guarantee that they will not leak or sell the data after receiving the ransom, either, nor that they will actually decrypt your files.

At least 52 entities in sectors ranging from financial services, information technology, manufacturing, energy, all the way up to government institutions have suffered from RagnarLocker attacks since January 2022, the FBI explains.

Due to the way it operates, local backups or virtual machine backups may also be exposed to RagnarLocker. Virtual machine backups are more effective in allowing you to maintain access to your files. However, the threat of having your data leaked still remains.

As of 2014, Microsoft has discontinued support for Windows XP. This leaves it vulnerable to ill-intended actors, who have had ample time to study and exploit its weaknesses. Despite this, the OS is still heavily used, being the primary operating system of desktop PCs in several parts of the world. Several companies have started offering guidance and protection services for the venerable OS as a result, although the safest way forward probably still is upgrading to an OS that is actively receving updates and support.