Ragnar Locker

Ragnar Locker is a ransomware that has been in use since at least December 2019.[1][2]

ID: S0481
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 29 June 2020
Last Modified: 06 September 2023

Techniques Used

Domain ID Name Use
Enterprise T1543 .003 Create or Modify System Process: Windows Service

Ragnar Locker has used sc.exe to create a new service for the VirtualBox driver.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Ragnar Locker has used cmd.exe and batch scripts to execute commands.[1]

Enterprise T1120 Peripheral Device Discovery

Ragnar Locker may attempt to connect to removable drives and mapped network drives.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Ragnar Locker has attempted to terminate/stop processes and services associated with endpoint security products.[1]

Enterprise T1486 Data Encrypted for Impact

Ragnar Locker encrypts files on the local machine and mapped drives prior to displaying a note demanding a ransom.[1][2]

Enterprise T1489 Service Stop

Ragnar Locker has attempted to stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted.[1]

Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

Ragnar Locker has been delivered as an unsigned MSI package that was executed with msiexec.exe.[1]

.010 System Binary Proxy Execution: Regsvr32

Ragnar Locker has used regsvr32.exe to execute components of VirtualBox.[1]

.011 System Binary Proxy Execution: Rundll32

Ragnar Locker has used rundll32.exe to execute components of VirtualBox.[1]

Enterprise T1614 System Location Discovery

Before executing malicious code, Ragnar Locker calls the Windows API GetLocaleInfoW and does not encrypt files if the locale corresponds to a former Soviet country.[3]

Enterprise T1490 Inhibit System Recovery

Ragnar Locker can delete volume shadow copies using vssadmin delete shadows /all /quiet.[1]

Enterprise T1569 .002 System Services: Service Execution

Ragnar Locker has used sc.exe to execute a service that it creates.[1]

Enterprise T1564 .006 Hide Artifacts: Run Virtual Instance

Ragnar Locker has used VirtualBox and a stripped Windows XP virtual machine to run itself. The use of a shared folder specified in the configuration enables Ragnar Locker to encrypt files on the host operating system, including files on any mapped drives.[1]
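Several of the behaviours listed above are visible on the command line (shadow-copy deletion, and sc.exe, regsvr32.exe and rundll32.exe invoked against VirtualBox components), so they can be turned into process-creation detection logic mapped back to the technique IDs on this page. The Python below is an added example, not part of the ATT&CK entry; the event fields, the sample events and the "vbox"/"virtualbox" substring check are constructed assumptions, since the page names no specific driver, service or DLL.

```python
import re

# Each rule maps a command-line pattern to the ATT&CK technique ID this page
# lists for Ragnar Locker. The page gives no VirtualBox driver or service
# names, so the VirtualBox rules key on "vbox"/"virtualbox" (assumption).
RULES = [
    ("T1490",     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1543.003", re.compile(r"\bsc(\.exe)?\s+create\b.*\b(vbox|virtualbox)", re.I)),
    ("T1569.002", re.compile(r"\bsc(\.exe)?\s+start\b.*\b(vbox|virtualbox)", re.I)),
    ("T1218.010", re.compile(r"\bregsvr32(\.exe)?\b.*\b(vbox|virtualbox)", re.I)),
    ("T1218.011", re.compile(r"\brundll32(\.exe)?\b.*\b(vbox|virtualbox)", re.I)),
]

# Constructed process-creation events (Sysmon Event ID 1 style fields), not
# real telemetry. Paths and names are placeholders chosen for the example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc.exe create VBoxDrvSvc binPath= "C:\vbox\drv.sys" type= kernel'},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc.exe start VBoxDrvSvc"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s C:\vbox\vbox_com.dll"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 C:\vbox\vbox_rt.dll,Entry"},
    # Benign administrative commands that must not fire.
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin list shadows"},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc.exe query wuauserv"},
]


def detect(events):
    """Return (technique_id, command_line) pairs for events matching a rule."""
    hits = []
    for event in events:
        cmd = event.get("CommandLine", "")
        for technique_id, pattern in RULES:
            if pattern.search(cmd):
                hits.append((technique_id, cmd))
    return hits


if __name__ == "__main__":
    for technique_id, cmd in detect(SAMPLE_EVENTS):
        print(f"{technique_id}: {cmd}")
```

In production the same rules would be applied to Sysmon or EDR process-creation telemetry rather than an inline list, and the VirtualBox substring check would be tightened to the actual artefact names observed in the environment.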

Groups That Use This Software

ID Name References
G0061 FIN8 [4]

References