Ragnar Locker

Ragnar Locker is a family of ransomware that first became prominent in late 2019, when it gained notoriety for hitting large organizations across many industries, from video game developers to energy companies, and extorting large sums of cryptocurrency from its victims. Ragnar Locker targets devices running the Microsoft Windows operating system.

One feature that sets Ragnar Locker apart is that it specifically goes after the remote management software commonly used by managed service providers (MSPs): the processes and services belonging to such tools are among those it terminates before encrypting, which removes the MSP's ability to see what is happening on the host and to intervene.

Ragnar Locker also carries a hard-coded list of folder names that it skips during encryption, so that the operating system and a browser remain usable for reading the ransom note and paying. Among the excluded names are Tor browser, Internet Explorer, Google, Opera, Opera Software, Mozilla and Mozilla Firefox; files under those folders are left untouched while everything else is encrypted.

In general, this malware is deployed manually by operators who have already gained access to the network, observed it and staged their tooling on it, typically through remote management software already present in the environment. That makes Ragnar Locker a hands-on-keyboard operation, somewhat more involved than the mass-mailing campaigns used to spread most ransomware.

General attack methodology

Before the Ragnar Locker ransomware itself is executed, the attackers deploy a module that collects sensitive data from the infected machines and uploads it to servers under their control. The operators then threaten the victim with publication of the stolen files if the ransom is not paid, so the victim is extorted twice: once for the decryptor and once for silence.

The attackers first break into the network, infrastructure or organization, either through known vulnerabilities or through social engineering such as phishing. Reconnaissance and data exfiltration are then carried out before the ransomware is run; only once exfiltration is complete is the ransomware deployed.

When the ransomware starts, it enumerates the running processes and services and stops any whose name contains one of a set of hard-coded strings, such as SQL or backup. Stopping these services serves two purposes: it circumvents security and backup software, and it identifies database and backup systems so that the impact of the attack can be maximized. Database and mail services are stopped so that their data files, which are normally locked while the service is running, can be encrypted during the infection.

Ragnar Locker, like other ransomware families, uses several techniques to destroy the backups that a Windows environment keeps locally. With those copies gone, repairing the damage without the attacker's decryptor becomes considerably harder.
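The two behaviours described above, stopping database and backup services and then wiping local backups, are visible in Windows event logs before any file is encrypted, which makes them a useful early detection. The following detector is an added example written for this page, not code from the original article or from any security product. It reads a constructed, simplified log format ("<ISO time> <host> <event id> <message>", not a real Event Log export), treats System event 7036 (service entered the stopped state) and Security event 4688 (process creation, which only carries the command line if command-line auditing is enabled) as its inputs, and raises an alert when several such events cluster on one host within a few minutes. The page names only SQL and backup as kill-list strings and only the goal of destroying backups; the other service substrings and the vssadmin/wmic shadow copy commands are assumptions added for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Substrings matched case-insensitively against stopped service names. The page
# names SQL and backup; the other entries are assumptions of what a defender
# would add to cover the same database and backup systems.
SENSITIVE_SERVICES = ("sql", "backup", "veeam", "exchange", "vss")

# Commands that wipe Volume Shadow Copies. The page only says that local backups
# are damaged; these two commands are assumed as the usual way that is done.
SHADOW_WIPE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)

LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<eid>\d+)\s+(?P<msg>.*)$")
STOPPED = re.compile(r"The (?P<svc>.+?) service entered the stopped state")
CMDLINE = re.compile(r"Process Command Line:\s*(?P<cmd>.+)$")

WINDOW = timedelta(minutes=5)   # events must cluster this tightly to count together
THRESHOLD = 3                   # one shadow wipe, or three sensitive service stops


def parse_event(line):
    """Turn one log line into (time, host, weight, evidence), or None if uninteresting."""
    m = LINE.match(line)
    if not m:
        return None
    ts, host, eid, msg = datetime.fromisoformat(m["ts"]), m["host"], int(m["eid"]), m["msg"]
    if eid == 7036:                       # System log: service state change
        s = STOPPED.search(msg)
        if s and any(h in s["svc"].lower() for h in SENSITIVE_SERVICES):
            return ts, host, 1, f"service stopped: {s['svc']}"
    elif eid == 4688:                     # Security log: process creation
        c = CMDLINE.search(msg)
        if c and SHADOW_WIPE.search(c["cmd"]):
            return ts, host, 3, f"shadow copies wiped: {c['cmd']}"
    return None


def detect(lines):
    """Per host, slide WINDOW over the interesting events and alert when the summed
    weight reaches THRESHOLD. Returns at most one alert per host."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev:
            by_host[ev[1]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[0])
        for i, (start, _, _, _) in enumerate(evs):
            cluster = [e for e in evs[i:] if e[0] - start <= WINDOW]
            score = sum(e[2] for e in cluster)
            if score >= THRESHOLD:
                alerts.append({"host": host, "start": start, "score": score,
                               "evidence": [e[3] for e in cluster]})
                break
    return alerts


# Constructed sample log for this example (not captured from a real incident).
# SRV01 shows the ransomware pattern; SRV02 shows routine maintenance restarts.
SAMPLE_LOG = """\
2020-05-12T03:14:01 SRV01 7036 The SQL Server (MSSQLSERVER) service entered the stopped state.
2020-05-12T03:14:02 SRV01 7036 The Veeam Backup Service service entered the stopped state.
2020-05-12T03:14:02 SRV01 7036 The Print Spooler service entered the stopped state.
2020-05-12T03:14:05 SRV01 4688 A new process has been created. Process Command Line: vssadmin delete shadows /all /quiet
2020-05-12T02:00:00 SRV02 7036 The SQL Server (MSSQLSERVER) service entered the stopped state.
2020-05-12T02:30:00 SRV02 7036 The SQL Server (MSSQLSERVER) service entered the stopped state.
""".splitlines()

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["host"], a["start"], a["score"], a["evidence"])
```

The weighting is deliberate: a single SQL service stop is routine (SRV02 never alerts, even with two stops half an hour apart), whereas a shadow copy wipe on its own is already worth an alert, and a shadow wipe preceded by a burst of database and backup service stops is the exact sequence the page describes. In a real deployment the same logic would be fed from Sysmon or the Security and System channels, and the alert should fire a host isolation rather than just a ticket, because encryption follows within minutes.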

The encryption process

After these preparations, Ragnar Locker begins the encryption process. Each encrypted file gets the hard-coded extension ".ragnar_*" appended to its name, where "*" is replaced by a generated ID unique to the victim. All accessible files on the physical drives are encrypted, and finally a notepad.exe process is opened to display the ransom note that was written into the victim's system directory; a copy of the ransom note is also dropped in every folder. As each file is encrypted, the marker string "RAGNAR" is appended to the end of the file.

The ransomware has no mechanism for detecting that a device has already been infected. If the malware reaches the same device more than once, it therefore encrypts it again, layering a second encryption on top of the first.
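The naming scheme and trailing marker described above are exactly what an incident responder uses to scope an infection: which files were hit, how many distinct IDs (and therefore how many runs) are involved, which files were hit twice, and where the ransom notes are. The scanner below is an added example for this page, not a tool from the original article or from any vendor. It follows the page's description (".ragnar_<ID>" extension, "RAGNAR" at the end of the file, a note named "HOW TO DECRYPT FILES.txt"); the ID alphabet, the exact trailer layout beyond the marker string, and the sample files it creates in a temporary directory are assumptions and constructed fixtures, not real malware output.

```python
import os
import re
import tempfile
from pathlib import Path

# Naming scheme from the page: "<original name>.ragnar_<unique ID>" with the string
# RAGNAR appended to the end of each encrypted file. The ID alphabet and anything in
# the trailer beyond the marker are assumptions made for this example.
EXT = re.compile(r"\.ragnar_([A-Za-z0-9]+)$")
MARKER = b"RAGNAR"
NOTE_NAME = "HOW TO DECRYPT FILES.txt"


def read_tail(path: Path, n: int) -> bytes:
    """Read only the last n bytes so large files are not pulled into memory."""
    size = path.stat().st_size
    with path.open("rb") as f:
        f.seek(max(size - n, 0))
        return f.read()


def classify(path: Path):
    """Return None for a file without the Ragnar extension, otherwise a record with
    the ID chain (outermost first), the recovered original name and whether the
    RAGNAR marker is present at the end of the file."""
    name = path.name
    ids = []
    while True:                      # peel repeated extensions: files hit twice
        m = EXT.search(name)
        if not m:
            break
        ids.append(m.group(1))
        name = name[: m.start()]
    if not ids:
        return None
    return {"path": str(path), "original_name": name, "ids": ids,
            "layers": len(ids), "marker": read_tail(path, len(MARKER)).endswith(MARKER)}


def scan_tree(root) -> dict:
    """Walk a directory tree and sort findings into the categories a responder needs."""
    report = {"encrypted": [], "extension_only": [], "ransom_notes": [], "ids": set()}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            if fn == NOTE_NAME:
                report["ransom_notes"].append(str(p))
                continue
            rec = classify(p)
            if rec is None:
                continue
            if rec["marker"]:
                report["encrypted"].append(rec)
                report["ids"].update(rec["ids"])
            else:
                # Extension but no marker: renamed by hand or by another tool; do not
                # count it as encrypted, but list it so it is looked at.
                report["extension_only"].append(rec)
    report["multi_layer"] = [r for r in report["encrypted"] if r["layers"] > 1]
    return report


def build_sample_tree(root) -> None:
    """Constructed fixture (not real malware output) so the scanner runs offline."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "backup").mkdir(exist_ok=True)
    samples = {
        "docs/report.docx.ragnar_A1B2C3": b"\x8f\x12ciphertext" + MARKER,
        "docs/budget.xlsx.ragnar_A1B2C3.ragnar_D4E5F6": b"\x00\x7fciphertext" + MARKER,
        "docs/readme.txt": b"plain text, untouched",
        "docs/fake.pdf.ragnar_ZZZZ": b"renamed by hand, no marker",
        "docs/" + NOTE_NAME: b"YOUR SYSTEM IS LOCKED ...",
        "backup/db.bak.ragnar_A1B2C3": b"\x01\x02ciphertext" + MARKER,
    }
    for rel, data in samples.items():
        (root / rel).write_bytes(data)


def demo() -> dict:
    """Build the fixture in a temporary directory, scan it and return a summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        rep = scan_tree(tmp)
        return {"encrypted": len(rep["encrypted"]), "ids": sorted(rep["ids"]),
                "multi_layer": [r["original_name"] for r in rep["multi_layer"]],
                "notes": len(rep["ransom_notes"]),
                "extension_only": len(rep["extension_only"])}


if __name__ == "__main__":
    print(demo())
```

Two distinct IDs in one tree is the signal that the ransomware ran more than once, which the page says it will do because it never checks for a prior infection; the file carrying both IDs is then the one that needs two rounds of decryption, in reverse order of the ID chain, should a decryptor become available. Files with the extension but no marker are reported separately rather than counted, because a scoping number that includes hand-renamed files will be challenged later.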

Ragnar Locker does, however, refuse to run in the countries of the former Soviet Union: it decides whether to infect a computer based on its language settings. When first started, it checks the configured Windows language and terminates immediately if the setting matches one of the countries of the former Soviet Union.

Ransom message

A file named "HOW TO DECRYPT FILES.txt" is dropped in every folder. In short, the message says that the victim cannot decrypt the files without a decryptor program, and that the program can be bought by transferring a sum of Bitcoin to the BTC wallet given in the note. Example of such a message (some details masked with "x"; incorrect spelling and grammar left uncorrected):


HOW TO DECRYPT FILES.txt - Notepad

YOUR SYSTEM IS LOCKED AND ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED.

DON'T WORRY YOUR FILES ARE SAFE.

TO RETURN ALL TO NORMALLY YOU MUST BUY THE CERBER DECRYPTOR PROGRAM.

PAYMENTS ARE ACCEPTED ONLY THROUGH THE BITCOIN NETWORK.

YOU CAN GET THEM VIA ATM MACHINE OR ONLINE

https://xxxxxxxxxxxx.com/ (find a ATM)

https://www.xxxxxxxxxxxxx.com/ (buy instantly online any country)

THE PRICE FOR DECRYPTOR SOFTWARE IS xxxx$

BTC ADRESS : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (where you need to make the payment)

VERRY IMPORTANT !

DO NOT TRY TO SCAN WITH ANTIVIRUS YOU RISK LOSING YOUR DATA .

ANTIVIRUSES ONLY DESTROY THE ENCRYPTED DATA , THEY DO NOT KNOW THE ALGORITH WITH WICH THE ENTIRE SYSTEM WAS ENCRYPTED.

THE ONLY WAY TO DECRYPT YOUR SYSTEM AND RETURN TO NORMAL IS TO BUY THE ORIGINAL DECRYPTOR SOFTWARE.

For more information : xxxxxxxxx@xxxxxxxx.com (24/7)

Subject: SYSTEM-LOCKED-ID: xxxxxxxxx


How to protect yourself

As with all ransomware and other malicious software, there are measures you can take to reduce the risk of being hit:

  • Use anti-virus software on all devices within the organization

  • Keep all devices up to date, especially their operating systems

  • Have backup routines that are tested regularly and cover all critical systems

    • Where possible, keep backups offline, completely disconnected from the primary systems, so that malware that stops backup services and wipes local copies cannot reach them

  • Ensure good security awareness among employees, especially with regard to phishing
