{
	"id": "cecbb9cf-c783-4f7e-84d5-c80f1f8d5c4b",
	"created_at": "2026-04-06T00:22:39.067272Z",
	"updated_at": "2026-04-10T03:21:28.777159Z",
	"deleted_at": null,
	"sha1_hash": "1edc393b8e78e9c942a84c22b8ae29f29d4fb923",
	"title": "Ragnar Locker ransomware - what you need to know | Tripwire",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55422,
	"plain_text": "Ragnar Locker ransomware - what you need to know | Tripwire\r\nBy Graham Cluley\r\nPublished: 2022-03-10 · Archived: 2026-04-05 21:14:35 UTC\r\nWhat is this Ragnar Locker thing I’ve heard about?\r\nRagnar Locker is a family of ransomware, which first came to prominence in early 2020 when it became notorious\r\nfor hitting large organisations, attempting to extort large amounts of cryptocurrency from its victims.\r\nSo just your bunch of cybercriminals then?\r\nYes, although on their underground website, where they leak files stolen from their corporate victims, they attempt\r\nto portray themselves rather differently.\r\nIn the Ragnar Locker gang's \"About us\" section they make the rather unconvincing claim that they \"don't pursuit\r\naim to make huge damage to anyone's business\", whilst admitting that \"if it would be necessary, no doubt we will\r\ndo what we promise and the consequences will be disastrous.\"\r\nThe criminals even attempt to convince their victims that they can help improve security:\r\n\"We are interesting in finding weaknesses and vulnerabilities in networks and we are good at this, we\r\ncan help to improve the security measures, that's why we give a chance to make a deal and providing\r\nlist of recommendations and penetrations reports.\" \"Companies under attack of Ragnar_Locker can\r\ncount it as a bug hunting reward, we are just illustrating what can happens. But don't forget there are a\r\nlot of peoples in internet who don't want money - someone might want only to crash and destroy. So\r\nbetter pay to us and we will help you to avoid such issues in future.\"\r\nHmm. It sounds like they're making an offer you can't refuse…\r\nYes, the words may seem kindly but there's no disguising the implicit threat that if you don't pay the ransom after\r\nthey exploit your network, things could get very nasty indeed.\r\nBecause your data will be encrypted, and could be leaked online?\r\nPrecisely. 
The FBI is clearly concerned, and has issued an alert warning that the Ragnar Locker gang has infected\r\nat least 52 critical infrastructure organisations across America with its ransomware.\r\nSystems have been hit in the critical manufacturing, energy, financial services,\r\ngovernment, and information technology sectors, says the FBI.\r\nIt's bad enough for any company to get hit, but critical infrastructure…\r\nRight.\r\nhttps://www.tripwire.com/state-of-security/security-data-protection/ragnar-locker-ransomware-what-you-need-to-know/\r\nPage 1 of 3\n\nAnd that's why the FBI's alert is raising awareness of the Ragnar Locker ransomware threat and offering\r\ninformation about how it works, indicators of compromise, and tips on how to better secure your business.\r\nIs it just a problem facing North American businesses?\r\nNo, Ragnar Locker can be used against organisations around the world, although interestingly the ransomware\r\nterminates if it identifies a computer as \"Azerbaijani,\" \"Armenian,\" \"Belorussian,\" \"Kazakh,\"\r\n\"Kyrgyz,\" \"Moldavian,\" \"Tajik,\" \"Russian,\" \"Turkmen,\" \"Uzbek,\" \"Ukrainian,\" or \"Georgian.\"\r\nMight that indicate what part of the world the ransomware originates from?\r\nYou might think that, I couldn't possibly comment. But it is generally believed that some cybercriminal gangs\r\ndeliberately avoid hitting companies in their own country, in the hope of avoiding unwanted interest from local\r\nlaw enforcement agencies.\r\nGotcha. So when the Ragnar Locker ransomware triggers - what does it encrypt?\r\nWhat's perhaps quicker to describe is what it doesn't encrypt. 
In order to allow the computer to operate \"normally\"\r\nduring the encryption process, it avoids encrypting files in the following folders on the C: drive:\r\nWindows\r\nWindows.old\r\nMozilla\r\nMozilla Firefox\r\nTor browser\r\nInternet Explorer\r\n$Recycle.Bin\r\nProgram Data\r\nGoogle\r\nOpera\r\nOpera Software\r\nIn addition, when cycling through files, Ragnar Locker ignores files with the following\r\nextensions:\r\n.db\r\n.sys\r\n.dll\r\n.lnk\r\n.msi\r\n.drv\r\n.exe\r\nOf course, these are all filetypes that can normally be easily replaced - unlike data files which normally carry\r\ngreater value.\r\nBut to encrypt files it needs to have found its way into your organisation somehow. How does it do that?\r\nThe Ragnar Locker gang is like many other cybercriminal groups targeting businesses with ransomware - taking\r\nadvantage of internet-exposed services such as RDP, brute-forcing passwords or using stolen credentials. 
Once in,\r\nan attacker will attempt to gain greater privileges and move laterally throughout the network.\r\nSo how can my company protect itself from Ragnar Locker?\r\nThe best advice is to follow the recommendations on how to protect your organisation from other ransomware.\r\nThose include:\r\nmaking secure offsite backups.\r\nrunning up-to-date security solutions and ensuring that your computers are protected with the latest\r\nsecurity patches against vulnerabilities.\r\nusing hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.\r\nencrypting sensitive data wherever possible.\r\nreducing the attack surface by disabling functionality which your company does not need.\r\neducating and informing staff about the risks and methods used by cybercriminals to launch attacks and\r\nsteal data.\r\nIf my company has fallen victim to Ragnar Locker, should we pay the ransom?\r\nThat’s a decision that only your company can make. What is clear is that the more companies that pay a ransom,\r\nthe more likely it is that criminals will launch similar attacks against others in the future.\r\nAt the same time, your business may feel it has no choice but to make the hard decision to pay. After all, the\r\nalternative may put the entire business at risk.\r\nWhatever your decision, you should inform law enforcement agencies of the incident and work with them to help\r\nthem investigate who might be behind the attacks.\r\nAnd remember this: paying the ransom does not necessarily mean you have erased the security problems that\r\nallowed you to be infected in the first place. 
If you don’t find out what went wrong – and why – and fix it, then\r\nyou could easily fall victim to further ransomware attacks in the future.\r\nEditor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not\r\nnecessarily reflect those of Tripwire, Inc.\r\nSource: https://www.tripwire.com/state-of-security/security-data-protection/ragnar-locker-ransomware-what-you-need-to-know/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.tripwire.com/state-of-security/security-data-protection/ragnar-locker-ransomware-what-you-need-to-know/"
	],
	"report_names": [
		"ragnar-locker-ransomware-what-you-need-to-know"
	],
	"threat_actors": [],
	"ts_created_at": 1775434959,
	"ts_updated_at": 1775791288,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1edc393b8e78e9c942a84c22b8ae29f29d4fb923.pdf",
		"text": "https://archive.orkl.eu/1edc393b8e78e9c942a84c22b8ae29f29d4fb923.txt",
		"img": "https://archive.orkl.eu/1edc393b8e78e9c942a84c22b8ae29f29d4fb923.jpg"
	}
}