Ragnar Locker Ransomware is a type of malware that encrypts a victim’s files and then demands a ransom to decrypt them. The ransomware initially appeared in May of 2019, and it has since been utilized in attacks against businesses all around the world.
Background
Ragnar Locker employs the “double extortion” strategy. The “double extortion” strategy involves stealing and then encrypting crucial files. The files are extracted to a dark web site, and the attackers threaten to make them public if the ransom is not paid.
The actors behind Ragnar Locker will do reconnaissance on the targeted network, exfiltrate sensitive information, encrypt files, and then alert the victim that if the ransom is not paid, the stolen files will be disclosed to the public. In prior attacks, the threat actor behind the ransomware has been known to demand millions of dollars in payment and to generate a ransom note that contains the company name. The malware lists all active services on the infected machine and disables any that contain a specified string. Ragnar is a little piece of malware created in the C/C++ computer language.
Technical Analysis
Delivery Mechanism
The threat actor starts the attack by infiltrating the company’s network via RDP, using brute force to guess weak passwords, or utilizing stolen credentials obtained from the Dark Web. The attacker then conducts second-stage reconnaissance. The attacker uses the CVE-2017-0213 vulnerability in the Windows COM Aggregate Marshaler to execute arbitrary code with elevated privileges. After gaining privilege escalation, the attacker may install a VirtualBox virtual machine (VM) with a Windows XP image to avoid detection: this is an early use of a virtual machine image to launch the ransomware encryption attack. Since then, the Maze family of ransomware operators has used the technique.
The specially-crafted VM image is loaded into the VirtualBox VM, mapping all local discs as read/writable. This enables the ransomware software executing within the VM to encrypt all files. Many security tools will ignore the encryption because it looks like a trusted VirtualBox process to the host files.
The Ragnar Locker operator then deletes any existing shadow copies, disables any identified antivirus defenses, and moves from one company network asset to another using a PowerShell script. Lastly, before deploying Ragnar Locker ransomware, the attacker grabs important files and transfers them to one or more locations, where they will be made public if the victim refuses to pay the ransom.
Locale Check
Ragnar Locker analyses the locale information to prevent infection in CIS nations. It lists the following languages as being excluded: It retrieves the victim’s operating system default language by calling GetLocaleInfoW() with LANG SYSTEM DEFAULT and LOCALE_SENGLISHLANGUAGENAME. The ransomware process is terminated with the “666” exit code if the machine’s default language matches one in the CIS list.
Encryption Technique
Ragnar Locker, interestingly, employs a Salsa20 encryption technique with a proprietary matrix. The matrix is 64 bytes in size and contains produced keys (put in rearranged order), with 8 bytes indicating the stream position. Ragnar Locker removes 16 bytes from the second key, leaving the stream position values with zero bytes. The encrypted Salsa20 key data can be found in the encrypted file, along with the footer signature _RAGNAR_.
Instead of targeting the files and folders that must be encrypted, the ransomware whitelists directories (such as Windows, Program Data, Internet Explorer, and Google) that it will exclude ensuring that the operating system continues to function correctly while encrypting the rest of the data. It will also not encrypt files with specified extensions such as .db,.sys,.dll,.msi,.exe, and .dev.
Ragnar Locker leaves behind a .txt ransom note with instructions and can be distinguished by the extensions.RGNR_, .r4gN4r_, .ragnar_ where is the 8-digit hash of the system’s NetBIOS name.
Ransom Note
Ragnar Locker includes a hardcoded company id encoded with Base64 to round out the ransom message. RGNR_{computer id.}txt is the name of the ransom note file.
*****************************************************************************************************************
HELLO —example.com !
If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED
by RAGNAR_LOCKER !
*****************************************************************************************************************
!!!!! WARNING !!!!!
DO NOT Modify, rename, copy or move any files or you can DAMAGE them and decryption will be impossible.
DO NOT use any third party or public decryption software, it also may damage files.
DO NOT Shutdown or reset your system
————————————-
There is ONLY ONE possible way to get back your files – contact us and pay for our special decryption key !
For your GUARANTEE we will decrypt 2 of your files FOR FREE, as a proof of our capabilities
Don’t waste your TIME, the link for contacting us will be deleted if there is no contact made in closest future and you will never restore your DATA.
HOWEVER if you will contact us within 2 day since get penetrated – you can get a very SPECIAL PRICE.
ATTENTION !
We had downloaded more than 10TB of data from your fileservers and if you don’t contact us for payment, we will publish it or sell to interested parties.
Here is just a small part of your files that we have, for a proof (use Tor Browser for open the link) :
We gathered the most sensitive and confidential information about your transactions, billing, contracts, clients and partners. And be assure that if you wouldn’t pay,
all files and documents would be publicated for everyones view and also we would notify all your clients and partners about this leakage with direct links.
So if you want to avoid such a harm for your reputation, better pay the amount that we asking for.
=====================================================================================================
! HERE IS THE SIMPLE MANUAL HOW TO GET CONTACT WITH US VIA LIVE CHAT !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
a) Download and install TOR browser from this site : https://torproject.org
b) For contact us via LIVE CHAT open our website :
c) For visit our NEWS PORTAL with your data, open this website :
d) If Tor is restricted in your area, use VPN
When you open LIVE CHAT website follow rules :
Follow the instructions on the website.
At the top you will find CHAT tab.
Send your message there and wait for response (we are not online 24/7, So you have to wait for your turn).
***********************************************************************************
—RAGNAR SECRET—
<Secret Key>
—RAGNAR SECRET—
***********************************************************************************
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1078 | – Valid Accounts |
| Execution | T1059 | – Command and Scripting Interpreter |
| Privilege Escalation | T1548 T1138 |
– Abuse Elevation Control Mechanism – Access Token Manipulation |
| Defense Evasion | T1112 T1027 T1562.001 |
– Modify Registry – Obfuscated Files or Information – Impair Defenses: Disable or Modify Tools |
| Discovery | T1082 T1083 T1135 |
– System Information Discovery – File and Directory Discovery – Network Share Discovery |
| Impact | T1490 T1489 T1486 |
– Inhibit System Recovery – Service Stop – Data Encrypted for Impact |
Recommendations
- Never open suspicious email attachments or web links.
- Maintain regular backups and keep them offline or on a separate network.
- Switch on automatic software updates on your computer, mobile device, and other linked devices where available and practical.
- Use tough unique passwords and activate multi-factor authentication to safeguard critical data and accounts.
- Reduce the attack surface by eliminating capabilities that your organization does not require.
- Staff should be educated and informed on the risks and tactics that cybercriminals employ to launch attacks and steal data.