Ragnar Locker is a ransomware gang that made its global debut around late 2019, early 2020, targeting multiple large organizations on the Windows operating system in efforts to extort cryptocurrency (usually BTC) in exchange for data.
Ragnar Locker is infamous for using the double extortion technique, where the gang exfiltrates the victim’s sensitive data before encrypting it to get additional leverage for payments.
The gang claims that it will publish a victim’s stolen data immediately if law enforcement or professional incident responders are brought in to deal with the situation. In such an event, the gang publishes the data on its underground .onion website (labelled “Wall of Shame”), which it has done for at least 12 known victims.
On May 11, 2022, Simonson Lumber became the gang’s most recent victim of public data leak.
On March 7, 2022, the FBI’s cyber division IC3 issued a flash alert describing technical details and indicators for the gang impacting about 52 different entities globally. Sectors included communication, energy, software companies, travel, and financial services.
On January 8, 2022, Ragnar Locker Gang leaked Indian Telecom Company Subex and its cybersecurity division Sectrio’s sensitive data on its leak site.
Upon being executed, Ragnar Locker Ransomware uses the Windows API GetLocaleInfoW() to identify the system language on its victim machine. If found to be one of Azerbaijani, Armenian, Belorussian, Kazakh, Kyrgyz, Moldavian, Tajik, Russian, Turkmen, Uzbek, Ukrainian, or Georgian, it terminates itself.
Typically, this ransomware makes a large number of Windows API calls as part of its operations; some noteworthy ones are:
To elevate privileges, Ragnar Locker exploits CVE-2017-0213 in the Windows COM Aggregate Marshaler to run arbitrary code. For obfuscation, it relies on junk arithmetic code and encryption of its own payload.
Instead of enumerating the files and folders that need to be encrypted, the ransomware whitelists folders (such as Windows, Program Data, Internet Explorer, and Google) that it will exclude, so that the operating system continues to function normally, and encrypts the rest of the data.
It also skips files with specific extensions such as .db, .sys, .dll, .msi, .exe, and .drv.
Ragnar Locker leaves behind a .txt ransom note with instructions, and its encrypted files can be recognized by the extensions .RGNR_<hash>, .r4gN4r_<hash>, and .ragnar_<hash>, where <hash> is the 8-digit hash of the system’s NETBIOS name.
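The extension pattern and ransom note described above are file-system artifacts an incident responder can sweep for. The following is an added example written for this post, not code from the original article or from NetWitness: it walks a directory tree, flags files whose suffix matches the Ragnar Locker extension pattern, tallies the hash token seen (one host should normally yield a single value, derived from its NETBIOS name), and lists candidate ransom notes. Two assumptions are made that the post does not state: the 8-character hash is rendered as hexadecimal digits, and the ransom note's file name carries the same RGNR/ragnar token. The sample tree it scans is constructed inline so the script runs offline.

```python
import os
import re
import tempfile
from collections import Counter

# Encrypted-file suffixes named in the post: .RGNR_<hash>, .r4gN4r_<hash>, .ragnar_<hash>.
# Assumption (not stated on the page): the 8-character hash is written as hex digits.
RAGNAR_SUFFIX = re.compile(r"\.(?:RGNR|r4gN4r|ragnar)_([0-9A-Fa-f]{8})$")

# Assumption: the .txt ransom note's file name contains the same RGNR/ragnar token.
NOTE_TOKENS = ("rgnr", "ragnar")


def ragnar_hash_from_name(filename):
    """Return the 8-char hash suffix if the name matches the Ragnar pattern, else None."""
    m = RAGNAR_SUFFIX.search(filename)
    return m.group(1) if m else None


def scan_tree(root):
    """Walk `root` and summarise Ragnar Locker file-system indicators.

    Returns a dict with:
      encrypted - paths whose suffix matches the Ragnar extension pattern
      hashes    - Counter of hash tokens seen (more than one value on a single host is unusual)
      notes     - .txt files whose name looks like a Ragnar ransom note
    """
    encrypted, notes, hashes = [], [], Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            token = ragnar_hash_from_name(name)
            lower = name.lower()
            if token:
                encrypted.append(path)
                hashes[token] += 1
            elif lower.endswith(".txt") and any(t in lower for t in NOTE_TOKENS):
                notes.append(path)
    return {"encrypted": encrypted, "hashes": hashes, "notes": notes}


def build_sample_tree():
    """Create a constructed directory layout that mimics a partially encrypted host.

    The hash value A1B2C3D4 and all file names are made up for this example.
    """
    root = tempfile.mkdtemp(prefix="ragnar_demo_")
    layout = {
        os.path.join("Users", "alice", "Documents"): [
            "report.docx.RGNR_A1B2C3D4",    # encrypted user document
            "budget.xlsx.RGNR_A1B2C3D4",    # encrypted user document
            "photo.jpg.ragnar_A1B2C3D4",    # encrypted, alternate suffix variant
            "RGNR_A1B2C3D4.txt",            # ransom note (assumed naming)
            "notes.txt",                    # ordinary text file, must not be flagged
        ],
        os.path.join("Windows", "System32"): [
            "kernel32.dll",                 # whitelisted folder / excluded extension, untouched
        ],
    }
    for rel_dir, names in layout.items():
        full_dir = os.path.join(root, rel_dir)
        os.makedirs(full_dir, exist_ok=True)
        for name in names:
            with open(os.path.join(full_dir, name), "w", encoding="utf-8") as fh:
                fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    result = scan_tree(demo_root)
    print("encrypted files:", len(result["encrypted"]))
    print("hash tokens    :", dict(result["hashes"]))
    print("ransom notes   :", result["notes"])
```

Pointing `scan_tree` at a mounted disk image or a share root gives a quick count of affected files per hash token; seeing more than one token on a host, or a token that does not match the expected NETBIOS-derived value, is worth a closer look during triage.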
Recognizing the importance of detecting the techniques used by these threat actors, the NetWitness Platform offers the threat content below, which helps identify not only Ragnar Locker’s malicious activity but also that of other ransomware adversaries that employ similar techniques.
Endpoint Hybrid, NetWitness 11.7.0
Ragnar Locker appears to be yet another hostile and aggressive ransomware gang that keeps evolving its tactics and techniques.
NetWitness can aid in identifying the presence of this threat within an environment so that you can respond to it prior to the adversary causing major loss in the form of intellectual property exfiltration and/or finances.