April 18, 2023 HAWKEYE

Ragnar Locker Ransomware

Ragnar Locker Ransomware is a type of malware that encrypts a victim’s files and then demands a ransom to decrypt them. The ransomware initially appeared in May of 2019, and it has since been utilized in attacks against businesses all around the world.


Ragnar Locker employs the “double extortion” strategy. The “double extortion” strategy involves stealing and then encrypting crucial files. The files are extracted to a dark web site, and the attackers threaten to make them public if the ransom is not paid.

The actors behind Ragnar Locker will do reconnaissance on the targeted network, exfiltrate sensitive information, encrypt files, and then alert the victim that if the ransom is not paid, the stolen files will be disclosed to the public. In prior attacks, the threat actor behind the ransomware has been known to demand millions of dollars in payment and to generate a ransom note that contains the company name. The malware lists all active services on the infected machine and disables any that contain a specified string. Ragnar is a little piece of malware created in the C/C++ computer language.

Technical Analysis

Delivery Mechanism

The threat actor starts the attack by infiltrating the company’s network via RDP, using brute force to guess weak passwords, or utilizing stolen credentials obtained from the Dark Web. The attacker then conducts second-stage reconnaissance. The attacker uses the CVE-2017-0213 vulnerability in the Windows COM Aggregate Marshaler to execute arbitrary code with elevated privileges. After gaining privilege escalation, the attacker may install a VirtualBox virtual machine (VM) with a Windows XP image to avoid detection: this is an early use of a virtual machine image to launch the ransomware encryption attack. Since then, the Maze family of ransomware operators has used the technique.

The specially-crafted VM image is loaded into the VirtualBox VM, mapping all local discs as read/writable. This enables the ransomware software executing within the VM to encrypt all files. Many security tools will ignore the encryption because it looks like a trusted VirtualBox process to the host files.

The Ragnar Locker operator then deletes any existing shadow copies, disables any identified antivirus defenses, and moves from one company network asset to another using a PowerShell script. Lastly, before deploying Ragnar Locker ransomware, the attacker grabs important files and transfers them to one or more locations, where they will be made public if the victim refuses to pay the ransom.

Locale Check

Ragnar Locker analyses the locale information to prevent infection in CIS nations. It lists the following languages as being excluded: It retrieves the victim’s operating system default language by calling GetLocaleInfoW() with LANG SYSTEM DEFAULT and LOCALE_SENGLISHLANGUAGENAME. The ransomware process is terminated with the “666” exit code if the machine’s default language matches one in the CIS list.

Encryption Technique

Ragnar Locker, interestingly, employs a Salsa20 encryption technique with a proprietary matrix. The matrix is 64 bytes in size and contains produced keys (put in rearranged order), with 8 bytes indicating the stream position. Ragnar Locker removes 16 bytes from the second key, leaving the stream position values with zero bytes. The encrypted Salsa20 key data can be found in the encrypted file, along with the footer signature _RAGNAR_.

Instead of targeting the files and folders that must be encrypted, the ransomware whitelists directories (such as Windows, Program Data, Internet Explorer, and Google) that it will exclude ensuring that the operating system continues to function correctly while encrypting the rest of the data. It will also not encrypt files with specified extensions such as .db,.sys,.dll,.msi,.exe, and .dev.

Ragnar Locker leaves behind a .txt ransom note with instructions and can be distinguished by the extensions.RGNR_, .r4gN4r_, .ragnar_ where is the 8-digit hash of the system’s NetBIOS name.

Ransom Note

Ragnar Locker includes a hardcoded company id encoded with Base64 to round out the ransom message. RGNR_{computer id.}txt is the name of the ransom note file.


HELLO —example.com !

If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED



!!!!! WARNING !!!!!

DO NOT Modify, rename, copy or move any files or you can DAMAGE them and decryption will be impossible.

DO NOT use any third party or public decryption software, it also may damage files.

DO NOT Shutdown or reset your system


There is ONLY ONE possible way to get back your files – contact us and pay for our special decryption key !

For your GUARANTEE we will decrypt 2 of your files FOR FREE, as a proof of our capabilities

Don’t waste your TIME, the link for contacting us will be deleted if there is no contact made in closest future and you will never restore your DATA.

HOWEVER if you will contact us within 2 day since get penetrated – you can get a very SPECIAL PRICE.


We had downloaded more than 10TB of data from your fileservers and if you don’t contact us for payment, we will publish it or sell to interested parties.

Here is just a small part of your files that we have, for a proof (use Tor Browser for open the link) :

We gathered the most sensitive and confidential information about your transactions, billing, contracts, clients and partners. And be assure that if you wouldn’t pay,

all files and documents would be publicated for everyones view and also we would notify all your clients and partners about this leakage with direct links.

So if you want to avoid such a harm for your reputation, better pay the amount that we asking for.




a) Download and install TOR browser from this site : https://torproject.org

b) For contact us via LIVE CHAT open our website :

c) For visit our NEWS PORTAL with your data, open this website :

d) If Tor is restricted in your area, use VPN

When you open LIVE CHAT website follow rules :

Follow the instructions on the website.

At the top you will find CHAT tab.

Send your message there and wait for response (we are not online 24/7, So you have to wait for your turn).



<Secret Key>



MITRE ATT&CK® Techniques

Tactic Technique ID Technique Name
Initial Access T1078 – Valid Accounts
Execution T1059 – Command and Scripting Interpreter
Privilege Escalation T1548
– Abuse Elevation Control Mechanism
– Access Token Manipulation
Defense Evasion T1112
– Modify Registry
– Obfuscated Files or Information
– Impair Defenses: Disable or Modify Tools
Discovery T1082
– System Information Discovery
– File and Directory Discovery
– Network Share Discovery
Impact T1490
– Inhibit System Recovery
– Service Stop
– Data Encrypted for Impact


  • Never open suspicious email attachments or web links.
  • Maintain regular backups and keep them offline or on a separate network.
  • Switch on automatic software updates on your computer, mobile device, and other linked devices where available and practical.
  • Use tough unique passwords and activate multi-factor authentication to safeguard critical data and accounts.
  • Reduce the attack surface by eliminating capabilities that your organization does not require.
  • Staff should be educated and informed on the risks and tactics that cybercriminals employ to launch attacks and steal data.
, , , ,


We welcome you to contact us for more information
about HAWKEYE - SOC As A Service.