# Ragnar Locker – Malware analysis **[seguranca-informatica.pt/ragnar-locker-malware-analysis/](https://seguranca-informatica.pt/ragnar-locker-malware-analysis/)** August 19, 2021 The [popularity of ransomware threats does not appear to be decreasing. Instead, more and](https://resources.infosecinstitute.com/top-6-malware-strains-to-watch-out-for/) sophisticated ransomware threats are being deployed. Ragnar Locker is a new data encryption malware in this style. Ragnar Locker is ransomware that affects devices running Microsoft Windows operating systems. It was initially observed towards the end of December 2019 as part of a series of attacks against compromised networks. In general, this malware is deployed manually after an initial compromise, network reconnaissance and pre-deployed tasks on the network. This shows that this is a more complex operation than most ransomware propagation campaigns. Before starting the Ragnar Locker ransomware, attackers inject a module capable of collecting sensitive data from infected machines and upload it to their servers. Next, threat actors behind the malware notify the victim the files will be released to the public if the ransom is not paid. ## Modus operandi The next diagram shows how criminals are compromising infrastructures and organizations using this data encryption malware. **_Figure 1: High-level diagram of the Ragnar Locker infection chain._** ----- As highlighted in the diagram above, there is a group of steps executed by Ragnar Locker operators every time an organization or infrastructure is impacted. Digging into the details, attackers first compromise networks, infrastructures, and organizations using found vulnerabilities or even through social engineering such as phishing attacks, spear phishing [and BEC attacks.](https://resources.infosecinstitute.com/bec-attacks-email-account-compromise-works/) During the compromise process, reconnaissance, pre-deployment tasks, and data exfiltration are performed before executing the piece of ransomware (Figure 1 — labels 1 and 2). When the data exfiltration process is completed, a ransomware deployment is performed manually (label 3). Notice that each malware sample is unique, with the specific ransom note hardcoded inside the malware. The affected group name, the links to the bitcoin wallet, and the links to a dark web blog are embedded inside the binary as presented below. **_Figure 2: Parts of the ransom notes from the recent attacks._** When the ransomware starts, it enumerates running processes and stops if some of these services contain specific strings, such as: ----- ``` Vss sql memtas mepocs sophos veeam backup pulseway logme logmein connectwise splashtop Kaseya ``` Ransomware in this line often disables some services as a way to bypass security protections and also database and backup systems to increase the impact of the attack. Also, database and mail services are stopped so that their data can be encrypted during the infection process. One of the particularities that spotlight Ragnar Locker is that it is targeting specifically remote management software often used by managed service providers (MSPs), such as the popular ConnectWise and Kaseya software. This data encryption malware infects computers based on their language settings. When first started, Ragnar Locker checks the configured Windows language preferences. This piece of malware terminates the process if the setting is configured as one of the former USSR countries. **_Figure 3: Ragnar Locker stops when executed on former USSR countries._** After that, Ragnar Locker will begin the encryption process. When encrypting files, it will skip files in the following folders, file names and extensions. One of the interesting findings is the “Tor browser” folder. ----- **_Figure 4: Folders not encrypted by Ragnar Locker._** This detail reveals this malware is also impacting security professionals and everyone that use this specific web browser to navigate in the dark web. The completed list can be observed in the following table. ----- ``` kernel32.dll Windows Windows.old Tor browser Internet Explorer Google Opera Opera Software Mozilla Mozilla Firefox $Recycle.Bin ProgramData All Users autorun.inf boot.ini bootfont.bin bootsect.bak bootmgr bootmgr.efi bootmgfw.efi desktop.ini iconcache.db ntldr ntuser.dat ntuser.dat.log ntuser.ini thumbs.db .sys .dll .lnk .msi .drv .exe ``` Ragnar Locker adds the hardcoded extension “.ragnar_*” appended to the end of the file name and “*” is replaced by a generated and unique ID. All the available files inside physical drives are encrypted and, in the end, the notepad.exe process is opened and showing the ransom note file created on the victim’s system directory, as shown in the diagram below. ----- **_Figure 5: Ragnar Locker encryption process._** ----- **_Figure 6: Ransom note created on “Public Documents” folder._** In detail, a ransom note file is dropped every folder, not including those observed in Table 2. The ransom note file starts with the “RGNR_*” prefix, and the ID also used and appended to the encrypted files. **_Figure 7: Ransom note file and parts of “Ragnar Secret key” redacted._** In order to encrypt the files, the malware gets and decodes the ransom note from the .keys sections, the public key and some configs. ----- **_Figure 8: PE file .keys sections with the ransom note, encryption public key and other_** _configs encoded._ This section is decoded in runtime and can be observed below. ----- ----- **_Figure 9: Public key, configs and ransom note decoded during the malware execution._** When a file is encrypted, the “RAGNAR” file marker is also added to the end of each encrypted file. ----- **_Figure 10: “RAGNAR” marker appended at the end of the encrypted file._** This ransomware is not equipped with a mechanism to detect whether the computer has already been compromised. A particularity is that if the malware reaches the same device more than once, it will encrypt the device over and over again. Figure 11 presents this detail, where the files were encrypted three times by Ragnar Locker. **_Figure 11: The same device compromised three times by Ragnar Locker._** Ragnar Locker and other mediatic ransomwares use several techniques and commands to damage the Windows shadow copies. With this process in place, repairing potential data encryption attacks is harder. ----- ``` vssadmin delete shadows /all /quiet wmic.exe shadowcopy delete ## Ragnar blog, ransom page and chat ``` Proof-of-Concept (PoC) files and images are published on the group blog on the dark web (Figure 1 — label 4) after a compromise. **_Figure 12: Ragnar Locker blog available on the dark web._** ----- **_Figure 13: A leak of a specific group compromised by Ragnar Locker operators in mid-April_** _2020._ Inside the malware is hardcoded a link to a page with a countdown and the process to pay the ransom. ----- **_Figure 14: Countdown page with the bitcoin wallet and chat button._** ----- **_Figure 15: Chat used to perform communications between ransomware operators and_** _victims._ ## Prevention measures We are living in an era where ransomware continues to grow, and the number of attacks has increased especially during the COVID-19 pandemic. There is no magic solution to prevent attacks of this nature, however, there is a set of good practices that can be applied in order to minimize the impact of data encryption attack. The use of an antivirus is mandatory. This software should be regularly updated Patch updates regularly and update all the software including operating systems, network devices, applications, mobile phones and other software if applicable Maintain a proper backup and restore mechanism and made it mandatory Regularly test the recovery function of backup and restore procedures and also test the data integrity of backups Conduct simulated ransomware preparedness tests. This is a rule of thumb to check the response of your ecosystem against these kinds of attacks If you use Microsoft Office, install Microsoft Office viewers and always keep macros disabled by default Limit access to mapped drives whenever possible and keep file sharing disabled by default. In general, ransomware looks into shared drives and encrypts files available on the network Don’t enable remote services. The organizations with RDP, VPN, proxies and servers are to be provided with better IT security standards. **[The article was initially published by Pedro Tavares on resources.infosecinstitute.com.](https://resources.infosecinstitute.com/topic/lazaruss-vhd-ransomware-malware-spotlight/)** ----- **All rights reserved ®** **[infosecinstitute.com](http://infosecinstitute.com/)** [Pedro Tavares](https://seguranca-informatica.pt/author/pipocaz/) **[Pedro Tavares is a professional in the field of information security working as an Ethical](https://www.linkedin.com/in/sirpedrotavares/)** Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog segurancainformatica.pt. In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also Freelance Writer (Infosec. Resources [Institute and Cyber Defense Magazine) and developer of the 0xSI_f33d – a feed that](https://feed.seguranca-informatica.pt/) compiles phishing and malware campaigns targeting Portuguese citizens. [Read more here.](https://seguranca-informatica.pt/contacto/) -----