Ragnar Locker Ransomware: The Rampage Continues…

Written by Admin | May 25, 2022 4:00:00 AM

Background

Ragnar Locker is a ransomware gang that made its global debut around late 2019 / early 2020, targeting large organizations running Windows in order to extort cryptocurrency (usually BTC) in exchange for decrypting the victim's data.

Ragnar Locker is infamous for the double extortion technique: the gang exfiltrates the victim's sensitive data before encrypting it, gaining additional leverage for payment.

The gang claims it will publish a victim's stolen data immediately if law enforcement or professional experts are brought in to handle the incident. In such cases the data is published on the gang's underground .onion leak site (labelled “Wall of Shame”), which it has done for at least 12 known victims.

Recent Developments

On May 11, 2022, Simonson Lumber became the gang's most recent victim to have its data publicly leaked.

On March 7, 2022, the FBI issued a flash alert through IC3 describing the gang's technical details and indicators of compromise; at that point Ragnar Locker had impacted about 52 entities globally, in sectors including communications, energy, software, travel, and financial services.

On January 8, 2022, the Ragnar Locker gang leaked sensitive data belonging to the Indian telecom company Subex and its cybersecurity division Sectrio on its leak site.

Technical Details

On execution, Ragnar Locker calls the Windows API GetLocaleInfoW() to identify the victim machine's system language. If the language is Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldavian, Tajik, Russian, Turkmen, Uzbek, Ukrainian, or Georgian, the ransomware terminates itself without encrypting anything.

Like most ransomware, it relies on a large number of Windows API calls; the noteworthy ones are:

  • CreateFileW() – to open handles to the physical drives on the system
  • GetLogicalDrives() – to enumerate the logical drives on the system
  • GetVolumeInformationA() – to retrieve the file system type and other details of a given volume
  • OpenSCManagerA() – to open a handle to the service control manager database
  • EnumServicesStatus() – to enumerate the name and status of each service in the service control manager database
  • SHGetSpecialFolderPathW() – to resolve the path of the special folder in which the ransom note is dropped

To elevate privileges, Ragnar Locker exploits CVE-2017-0213, a vulnerability in the Windows COM Aggregate Marshaler, to run arbitrary code with higher privileges. For obfuscation it uses junk arithmetic code and encryption.

Rather than enumerating the files and folders it wants to encrypt, the ransomware keeps an exclusion list of folders (such as Windows, Program Data, Internet Explorer, and Google) that it skips so the operating system keeps functioning, and encrypts everything else.
It also skips files with certain extensions, such as .db, .sys, .dll, .msi, .exe, and .drv.

Ragnar Locker drops a .txt ransom note with payment instructions. Encrypted files can be recognized by the extensions .RGNR_, .r4gN4r_, or .ragnar_ followed by an 8-digit hash of the system's NetBIOS name.

NetWitness Detections

Because detecting these techniques matters beyond any single family, the NetWitness Platform offers the threat content below, which identifies not only Ragnar Locker's malicious activity but also other ransomware adversaries that employ similar techniques:

  • App Rules (Endpoint):
    • Runs WMI Command-line Tool
    • Creates Local Service
    • Runs Service Control Tool
    • Deletes Shadow Volume Copies
    • Runs Regsvcs or Regasm
    • Modifies Registry Using Command-line Registry Tool
    • Deletes Backup Catalog
    • Creates Run Key
    • Outbound from Unsigned Temporary Directory
    • Autorun Unsigned In Temp Directory
    • Cmd or Powershell Runs RunDLL32 with No Arguments

  • LUA Parsers:
    • windows_command_shell_lua
    • HTTP_lua
    • fingerprint_pdf_lua
    • SMB_lua

  • Community Content:
    • [Community] RagnarLocker Ransomware YARA Rules

Screenshot: Endpoint Hybrid, NetWitness 11.7.0
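
To make the endpoint app rules above concrete, here is an added Python example (not NetWitness's own rule logic and not code from this post) that approximates several of them as predicates over constructed, Sysmon-style process-creation records, and also checks filenames for the encrypted-file extension pattern described under Technical Details. The sample events, the field names (parent, image, cmdline), the regular expressions, and the assumption that the 8-character suffix after the underscore is alphanumeric are all mine; the two rules that need code-signing or network data (the temp-directory rules) are not modelled.

```python
import re

# Constructed process-creation records in a Sysmon-like shape (not real telemetry).
# Events 1-6 mimic the post-encryption cleanup and persistence steps the app rules target;
# event 7 is benign and should produce no hits.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Users\Public\updater.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 2, "parent": r"C:\Users\Public\updater.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"id": 3, "parent": r"C:\Users\Public\updater.exe",
     "image": r"C:\Windows\System32\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"id": 4, "parent": r"C:\Users\Public\updater.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v upd /t REG_SZ /d C:\Users\Public\updater.exe'},
    {"id": 5, "parent": r"C:\Users\Public\updater.exe",
     "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc create updsvc binPath= C:\Users\Public\updater.exe start= auto"},
    {"id": 6, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe"},
    {"id": 7, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe readme.txt"},
]


def _basename(path):
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _cmd(pattern, event):
    return re.search(pattern, event["cmdline"], re.I) is not None


# Approximations of the app rule names used in the post (assumed logic, not the vendor's).
RULES = [
    ("Runs WMI Command-line Tool",
     lambda e: _basename(e["image"]) == "wmic.exe"),
    ("Creates Local Service",
     lambda e: _cmd(r"\bsc(\.exe)?\s+create\b", e)),
    ("Runs Service Control Tool",
     lambda e: _basename(e["image"]) == "sc.exe"),
    ("Deletes Shadow Volume Copies",
     lambda e: _cmd(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"
                    r"|\bwmic(\.exe)?\s+shadowcopy\s+delete\b", e)),
    ("Runs Regsvcs or Regasm",
     lambda e: _basename(e["image"]) in ("regsvcs.exe", "regasm.exe")),
    ("Modifies Registry Using Command-line Registry Tool",
     lambda e: _cmd(r"\breg(\.exe)?\s+(add|delete|import)\b", e)),
    ("Deletes Backup Catalog",
     lambda e: _cmd(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", e)),
    ("Creates Run Key",
     lambda e: _cmd(r"\breg(\.exe)?\s+add\s+.*\\currentversion\\run(once)?\b", e)),
    # rundll32 launched from a shell with no DLL/entry point is a classic stager/proxy pattern.
    ("Cmd or Powershell Runs RunDLL32 with No Arguments",
     lambda e: _basename(e["parent"]) in ("cmd.exe", "powershell.exe")
     and _basename(e["image"]) == "rundll32.exe"
     and re.fullmatch(r'"?[^"\s]*rundll32(\.exe)?"?\s*', e["cmdline"], re.I) is not None),
]


def scan(events):
    """Return {event_id: [rule names]} for every event that trips at least one rule."""
    hits = {}
    for e in events:
        matched = [name for name, pred in RULES if pred(e)]
        if matched:
            hits[e["id"]] = matched
    return hits


# Extension pattern from the Technical Details section; the 8-character suffix is
# assumed to be alphanumeric (a hex hash would also match).
RANSOM_EXT = re.compile(r"\.(rgnr|r4gn4r|ragnar)_[0-9a-z]{8}$", re.I)


def has_ragnar_extension(filename):
    """True if the file name ends in one of the Ragnar Locker encrypted-file extensions."""
    return RANSOM_EXT.search(filename) is not None


if __name__ == "__main__":
    for event_id, names in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"event {event_id}: {', '.join(names)}")
    for name in ("report.docx.ragnar_22CA5BB4", "notes.txt"):
        print(name, "->", has_ragnar_extension(name))
```

Every event from the simulated encryptor process trips at least one rule, and several trip two (the wmic shadow-copy deletion hits both the WMI rule and the shadow-copy rule), which is the point of layering generic rules: none of them depends on a Ragnar-specific indicator, so they fire for any family that deletes shadow copies, wipes the backup catalog, or persists via a Run key.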

Conclusion

Ragnar Locker is yet another hostile and aggressive ransomware gang that keeps evolving its tactics and techniques.

NetWitness can help identify the presence of this threat in an environment so that you can respond before the adversary causes major loss through intellectual property exfiltration and/or financial extortion.

Indicators of Compromise (IOCs)


References