Ragnar Locker is a ransomware gang that made its global debut around late 2019 or early 2020, targeting multiple large organizations running the Windows operating system in an effort to extort cryptocurrency (usually BTC) in exchange for data.
Ragnar Locker is infamous for using the double extortion technique, in which the gang exfiltrates the victim’s sensitive data before encrypting it, gaining additional leverage for payment.
The gang claims that it will publish a victim’s stolen data immediately if law enforcement or professional experts are brought in to deal with the situation. In such an event, the gang publishes the data on its underground .onion website (labelled “Wall of Shame”), which it has done for at least 12 known victims.
On March 7, 2022, the FBI’s cyber division IC3 issued a flash alert describing technical details and indicators for the gang, which had impacted about 52 different entities globally. Affected sectors included communications, energy, software companies, travel, and financial services.
On January 8, 2022, the Ragnar Locker gang leaked sensitive data belonging to the Indian telecom company Subex and its cybersecurity division Sectrio on its leak site.
Upon execution, Ragnar Locker ransomware uses the Windows API GetLocaleInfoW() to identify the system language of the victim machine. If the language is found to be Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldavian, Tajik, Russian, Turkmen, Uzbek, Ukrainian, or Georgian, it terminates itself.
Typically, this ransomware makes a large number of Windows API calls as part of its operations, of which some noteworthy ones are:
CreateFileW() – To retrieve information about physical drives on the system
GetLogicalDrives() – To retrieve information about logical drives on the system
GetVolumeInformationA() – To retrieve information about the file system on a given volume
EnumServicesStatus() – To retrieve the name and status of each service in the service control manager database
OpenSCManagerA() – To retrieve information from the service control manager database
SHGetSpecialFolderPathW() – To retrieve the path in which it will drop the ransom note
To elevate privileges, Ragnar Locker exploits CVE-2017-0213 in the Windows COM Aggregate Marshaler to run arbitrary code; for obfuscation, it makes use of junk arithmetic code and encryption.
Instead of targeting the files and folders that need to be encrypted, the ransomware whitelists folders (such as Windows, Program Data, Internet Explorer, and Google) that it excludes, so that the operating system continues to function normally, and encrypts the rest of the data. It also does not encrypt files with certain extensions, such as .db, .sys, .dll, .msi, .exe, and .drv.
Ragnar Locker leaves behind a .txt ransom note with instructions, and its output can be distinguished by the extensions .RGNR_<hash>, .r4gN4r_<hash>, and .ragnar_<hash>, where <hash> is the 8-digit hash of the system’s NetBIOS name.
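As an added example that is not part of the original post, the following Python snippet shows how a responder can sweep a file listing for the three Ragnar Locker extensions named above and group the hits by the per-host hash, so that every renamed file from one machine is triaged together. The exact form of the 8-digit hash is not spelled out on the page, so the pattern below assumes eight alphanumeric characters; the file paths and hash values are constructed sample data.

```python
import re

# Ragnar Locker appends one of three extensions followed by an 8-digit hash of the
# NetBIOS name. ASSUMPTION: the hash is eight alphanumeric characters; widen the
# character class if real samples show otherwise.
RAGNAR_EXT = re.compile(r"\.(RGNR|r4gN4r|ragnar)_([0-9A-Za-z]{8})$")


def classify(path: str):
    """Return (variant, host_hash) if the file name carries a Ragnar Locker
    extension, otherwise None."""
    m = RAGNAR_EXT.search(path)
    if not m:
        return None
    return m.group(1), m.group(2)


def scan(paths):
    """Group suspect files by host hash: {host_hash: [(path, variant), ...]}.
    One hash corresponds to one encrypted machine, which is the unit you
    want to isolate and restore."""
    hits = {}
    for p in paths:
        c = classify(p)
        if c:
            variant, host_hash = c
            hits.setdefault(host_hash, []).append((p, variant))
    return hits


# Constructed sample listing; the hashes are made-up placeholders.
SAMPLE = [
    r"C:\Users\alice\Documents\q3-report.xlsx.RGNR_0A1B2C3D",
    r"C:\Users\alice\Pictures\photo.jpg.ragnar_0A1B2C3D",
    r"D:\share\db\inventory.db",            # .db is on the skip list, left untouched
    r"C:\Windows\System32\kernel32.dll",    # whitelisted folder and skipped extension
    r"\\fileserver\share\contract.pdf.r4gN4r_deadbeef",
    r"C:\share\notes.txt",
]

if __name__ == "__main__":
    for host_hash, files in scan(SAMPLE).items():
        print(f"host hash {host_hash}: {len(files)} encrypted file(s)")
        for path, variant in files:
            print(f"  [{variant}] {path}")
```

Running the block prints two host hashes from the sample, one with two files and one with a single file; an untouched .db file and a system DLL, which the ransomware skips, produce no hit.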
Understanding the importance of detecting the techniques used by these threat actors, the NetWitness Platform offers the threat content below, which helps identify not only Ragnar Locker’s malicious activity but also that of other ransomware adversaries employing similar techniques.
App Rules (Endpoint):
Runs WMI Command-line Tool
Creates Local Service
Runs Service Control Tool
Deletes Shadow Volume Copies
Runs Regsvcs or Regasm
Modifies Registry Using Command-line Registry Tool
Deletes Backup Catalog
Creates Run Key
Outbound from Unsigned Temporary Directory
Autorun Unsigned In Temp Directory
Cmd or Powershell Runs RunDLL32 with No Arguments
[Community] RagnarLocker Ransomware YARA Rules
Endpoint Hybrid, NetWitness 11.7.0
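To make the endpoint app rules listed above concrete, here is an added Python example (not NetWitness content and not the vendor’s rule logic, which the page does not reproduce) that evaluates the kind of process-creation conditions those rule names describe against a few constructed events. The command-line patterns are the generally documented ones for each behaviour; the `ProcEvent` type, the event samples and the rule predicates are this example’s own assumptions. The two rules that need network or autorun context (“Outbound from Unsigned Temporary Directory”, “Autorun Unsigned In Temp Directory”) cannot be decided from a process-creation event alone and are left out.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Hypothetical process-creation record (assumed schema, not NetWitness's)."""
    image: str    # full path of the created process
    cmdline: str  # its command line
    parent: str   # full path of the parent process


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _args(cmdline: str) -> str:
    """Everything after the first token, which may be a quoted path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


# (rule name as listed on the page, predicate). Predicates are this example's reading
# of each name; tune them against your own telemetry before relying on them.
RULES = [
    ("Runs WMI Command-line Tool",
     lambda e: _base(e.image) == "wmic.exe"),
    ("Runs Service Control Tool",
     lambda e: _base(e.image) == "sc.exe"),
    ("Creates Local Service",
     lambda e: _base(e.image) == "sc.exe" and re.search(r"\bcreate\b", e.cmdline, re.I)),
    ("Deletes Shadow Volume Copies",
     lambda e: (_base(e.image) == "vssadmin.exe" and re.search(r"delete\s+shadows", e.cmdline, re.I))
            or (_base(e.image) == "wmic.exe" and re.search(r"shadowcopy\s+delete", e.cmdline, re.I))),
    ("Deletes Backup Catalog",
     lambda e: _base(e.image) == "wbadmin.exe" and re.search(r"delete\s+catalog", e.cmdline, re.I)),
    ("Runs Regsvcs or Regasm",
     lambda e: _base(e.image) in ("regsvcs.exe", "regasm.exe")),
    ("Modifies Registry Using Command-line Registry Tool",
     lambda e: _base(e.image) == "reg.exe" and re.search(r"\b(add|delete)\b", e.cmdline, re.I)),
    ("Creates Run Key",
     lambda e: _base(e.image) == "reg.exe"
            and re.search(r"\badd\b.*\\CurrentVersion\\Run\b", e.cmdline, re.I)),
    ("Cmd or Powershell Runs RunDLL32 with No Arguments",
     lambda e: _base(e.image) == "rundll32.exe"
            and _base(e.parent) in ("cmd.exe", "powershell.exe")
            and _args(e.cmdline) == ""),
]


def evaluate(event: ProcEvent):
    """Names of every rule the event matches, in RULES order."""
    return [name for name, pred in RULES if bool(pred(event))]


def triage(events):
    """Return per-event hits and the distinct rules fired. Several distinct
    rules firing on one host in a short window is the signal worth paging on;
    any single one may be legitimate administration."""
    hits = [(e, evaluate(e)) for e in events]
    distinct = sorted({r for _, rules in hits for r in rules})
    return hits, distinct


# Constructed sample events; "update.exe" stands in for an unknown binary.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet",
              r"C:\Users\Public\update.exe"),
    ProcEvent(r"C:\Windows\System32\wbadmin.exe", "wbadmin delete catalog -quiet",
              r"C:\Users\Public\update.exe"),
    ProcEvent(r"C:\Windows\System32\reg.exe",
              r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /t REG_SZ /d C:\Users\Public\update.exe",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe", '"C:\\Windows\\System32\\rundll32.exe"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\sc.exe", 'sc.exe create updsvc binPath= "C:\\Users\\Public\\update.exe"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe readme.txt",
              r"C:\Windows\explorer.exe"),  # benign control
]

if __name__ == "__main__":
    hits, distinct = triage(SAMPLE_EVENTS)
    for event, rules in hits:
        print(f"{_base(event.image):14} -> {rules or 'no match'}")
    print(f"{len(distinct)} distinct rules fired")
```

The benign notepad event matches nothing, while the five others fire seven distinct rules between them, which is the pattern of backup destruction plus persistence that should trigger an incident rather than a ticket.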
Ragnar Locker appears to be yet another hostile and aggressive ransomware gang that keeps evolving its tactics and techniques.
NetWitness can aid in identifying the presence of this threat within an environment so that you can respond to it before the adversary causes major loss in the form of intellectual property exfiltration and/or financial damage.