{
	"id": "66f83484-6f42-42fe-91ce-b9a2c659eeaf",
	"created_at": "2026-04-06T00:13:19.090674Z",
	"updated_at": "2026-04-10T13:11:42.17136Z",
	"deleted_at": null,
	"sha1_hash": "795c1b440672824996bddc9e5e8c23a819990f70",
	"title": "Targeted ransomware: it’s not just about encrypting your data!",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2620245,
	"plain_text": "Targeted ransomware: it’s not just about encrypting your data!\r\nBy Dmitry Bestuzhev\r\nPublished: 2020-11-11 · Archived: 2026-04-05 14:45:08 UTC\r\nWhen we talk about ransomware, we need to draw a line between what it used to be and what it currently is. Why? Because nowadays ransomware is not just about encrypting data – it’s primarily about data exfiltration. After that, it’s about data encryption and leaving convincing proof that the attacker was in the network, and finally, it’s extortion. And again, it’s not about the data loss itself but about publishing stolen data on the internet. Let’s call it “Ransomware 2.0”.\r\nWhy is it so important to state this? Because many organizations still believe that it’s all about malware, and if your anti-malware protection is good enough, you’ll be OK. As long as people think this way, the ransomware threat actors will continue to succeed again and again.\r\nIn most cases, the initial vector of attack is exploiting some already known vulnerabilities in commercial VPN software. Other cases involve abusing RDP-enabled machines exposed to the internet. Then there’s the exploitation of vulnerable router firmware. As you can see, it’s not necessarily about malware but also about bad practices, a lack of patching cycles, and general security procedures.\r\nSometimes ransomware threat actors may rely on traditional malware like botnet implants previously dropped by other cybercriminal groups. And finally, if we recall the Tesla story, the attempt to infect that factory was through someone working at the company. That means physical human access is also a vector. It is complex.\r\nIn all cases, the original entry point is used to start network reconnaissance, then lateral movement, then data exfiltration. Once that is done, it finally comes to the “coup de grace” – the ransomware. By the time ransomware is deployed, the anti-malware product might already be deleted or disabled by the threat actor because they already had full control over the domain network and could operate as legitimate administrators. So it is about a full red team operation that relies on different hacking techniques, including those to disable anti-malware solutions, mostly through legitimate tools and miscellaneous scripts. That way, the threat actor doesn’t care whether the ransomware itself will be detected or not.\r\nDifferent ransomware groups use different TTPs and different encryption techniques. Today we want to talk about two of them: Ragnar Locker and Egregor – a veteran and a newbie. Both singular and distant at the same time.\r\nRagnar Locker\r\nEarly variants of this malware were discovered in 2019; however, Ragnar Locker gained notoriety in the first half of 2020 when it started to attack large organizations.\r\nRagnar Locker is highly targeted, to the extent that each individual sample is specifically tailored for the organization the actors are attacking. The group behind it loves to abuse RDP, while their preferred payment method is bitcoins.\r\nhttps://securelist.com/targeted-ransomware-encrypting-data/99255/\r\nPage 1 of 13\r\nThis group owns three .onion domains available on Tor and one Surface Web domain registered on June 16, 2020. If the victims refuse to pay, their stolen data is published in a so-called Wall of Shame section.\r\nScreenshot of the Wall of Shame where stolen data is exposed\r\nCuriously, this group is positioning itself as a bug bounty hunting group. They claim the payment is their bounty for discovering the vulnerabilities that were exploited, for providing decryption for the files and OpSec training for the victim, and, finally, for not publishing the stolen data. Of course, if the victim refuses to pay, the data goes public. Besides that, if the victim chats with the Ragnar Locker threat actor and fails to pay, then the chat is exposed along with the stolen data.\r\nIn July 2020, Ragnar Locker made a public announcement that they had joined the so-called “Maze Cartel” distraction concept, meaning that the groups cooperated, exchanging information stolen from victims and publishing it on their websites.\r\nExample of a victim allegedly provided by Maze and published on the Ragnar Locker Wall of Shame page\r\nYou can read more about Maze Ransomware here.\r\nBased on the list of victims who refused to pay, the main targets of Ragnar Locker are US-based companies, while the type of industry varies.\r\nGeography of Ragnar Locker victims\r\nRagnar Locker victims by industry\r\nTechnical description\r\nFor our analysis we chose a recently encountered sample of the malware: 1195d0d18be9362fb8dd9e1738404c9d\r\nWhen started, Ragnar Locker checks the system locale of the machine it is executing on. If it determines that it is the locale of one of the countries listed in the screenshot below, it will cease operation and exit without doing anything else.\r\nFor countries not on the above list, it will proceed to stop services with names containing any of the substrings hardcoded in the malware sample and obfuscated by RC4:\r\nAfterwards, Ragnar Locker will terminate running processes according to another substring list contained inside the Trojan body:\r\nFinally, when all the preparation is done, the Trojan will search for available drives and encrypt the victim’s files.\r\nFor file encryption Ragnar Locker uses a custom stream cipher based on the Salsa20 cipher. Instead of the standard initialization ‘magic’ constants sigma = “expand 32-byte k” and tau = “expand 16-byte k” normally used in Salsa20, the Trojan generates new random values for each processed file. This is an unnecessary step which makes the cipher incompatible with the standard Salsa20, but doesn’t in fact enhance its security.\r\nThe key and nonce values are also uniquely generated for each file, and will be encrypted along with the constants described above by RSA using the public 2048-bit key hardcoded in the Trojan’s body.\r\nThe RNG is based on the MS CryptoAPI function CryptGenRandom, which is considered secure, and the SHA-256 hash algorithm. The RNG implementation looks a bit awkward, but we haven’t found any critical flaws in it.\r\nThe RNG procedure pseudocode used by a recent Ragnar Locker variant\r\nAfter encrypting the content of each of the victim’s files, Ragnar Locker will append the encrypted key, nonce and initialization constants to the encrypted file, and finalize by adding the marker “!@#_®agna®_#@!”.\r\nTrailing bytes of a file encrypted by Ragnar Locker\r\nThe ransom notes dropped by the Trojan contain the name of the victim organization, which clearly indicates that the criminals utilize a targeted approach, identify their victim and carefully prepare the attack.\r\nThe ransom note also attempts to further scare the victim into paying by emphasizing that the threat actors have stolen confidential data in addition to the file encryption performed by the Trojan.\r\nEgregor\r\nEgregor ransomware is a new strain that was discovered in September 2020, and after the initial analysis we noticed code similarities between this new threat and Sekhmet ransomware, as well as the notorious Maze ransomware, which announced on November 1st, 2020 that they shut down.\r\nEgregor keeps at least one .onion domain and two Surface Web domains. The first Surface Web domain was registered on September 6, 2020 and the second one on October 19, 2020. At the time of writing, both Surface Web domains were intermittent. That is probably why on the main page of the Onion domain there is a big disclaimer with this notice:\r\nThe Egregor ransomware is typically distributed by the criminals following a network breach. The malware sample is a DLL file that needs to be launched with the correct password given as a command line argument. The DLL is usually dropped from the Internet. On occasions, the domains used to spread it exploit names or words used in the victim’s industry.\r\nEgregor is probably the most aggressive ransomware family in terms of negotiation with the victims. It gives only 72 hours to contact the threat actor. Otherwise, the victim’s data is processed for publishing.\r\nThe ransomware payment is negotiated and agreed upon via a special chat assigned to each victim. The payment is received in BTC.\r\nExample of a chat negotiating to pay the ransom\r\nTechnical description\r\nAnalyzed sample: b21930306869a3cdb85ca0d073a738c5\r\nAs mentioned above, the malware sample only works if a correct password is provided during launch. The packer of the malware will use this password to decrypt the payload binary. A missing or incorrect argument will result in an incorrect decryption of the payload, which will be unable to execute and will crash instead.\r\nThis technique is intended to hinder both automatic analysis in sandbox-type systems and manual analysis by researchers: without the correct password it is impossible to unpack and analyze the payload binary.\r\nAfter unpacking two layers of the malicious packer, we end up with an obfuscated binary which is still not suitable for static analysis. The obfuscation techniques used in Egregor strongly resemble those in Maze and Sekhmet: the code is ‘torn apart’ by control flow obfuscation using conditional and unconditional jumps, PUSH+JMP instead of RETN, and so on.\r\nControl flow obfuscation example\r\nWhen the payload starts executing, first of all, it will check the system and user language of the OS to avoid encrypting machines having one of the following languages installed:\r\nArmenian (Armenia)\r\nAzerbaijani (Cyrillic, Azerbaijan)\r\nAzerbaijani (Latin, Azerbaijan)\r\nBelarusian (Belarus)\r\nGeorgian (Georgia)\r\nKazakh (Kazakhstan)\r\nKyrgyz (Kyrgyzstan)\r\nRomanian (Moldova)\r\nRussian (Moldova)\r\nRussian (Russia)\r\nTajik (Cyrillic, Tajikistan)\r\nTatar (Russia)\r\nTurkmen (Turkmenistan)\r\nUkrainian (Ukraine)\r\nUzbek (Latin, Uzbekistan)\r\nThen it will attempt to terminate the following processes:\r\nThis is intended to make potentially valuable files, such as documents or databases that may have been in use at the moment of infection, writable. In addition, some programs typically used by researchers, e.g., procmon or dumpcap, are also listed for termination to further hinder dynamic analysis.\r\nEgregor uses a hybrid file encryption scheme based on the stream cipher ChaCha and the asymmetric cipher RSA. The RSA-2048 master public key of the criminals is embedded in the trojan’s body.\r\nWhen executing on a victim’s machine, Egregor generates a new unique pair of session RSA keys. The session private RSA key is exported and encrypted by ChaCha with a uniquely generated key + nonce, then the key and nonce are encrypted by the master public RSA key. The results are saved in a binary file (in our case it’s named C:\\ProgramData\\dtb.dat), as well as a base64-encoded string in the ransom notes.\r\nFor each data file Egregor processes, it generates a new 256-bit ChaCha key and 64-bit nonce, encrypts the file content by ChaCha, then encrypts them using the session public RSA key, and saves them along with some auxiliary information at the end of the encrypted file.\r\nThe last 16 bytes of each encrypted file are comprised of a dynamic marker: a random DWORD and this same DWORD xor’ed with the value 0xB16B00B5, which equals ‘BIGBOOBS’ in so-called leet speak, originally used by “hackers, crackers and script kiddies”, according to Wikipedia.\r\nPart of the file encryption procedure pseudocode\r\nThe main page of the data leak website contains news about recently attacked companies along with some sarcastic remarks written by the ransomware group.\r\nThe archive section of the site lists the victims of the extortionists and the links to download the stolen data.\r\nBased on the information of those victims who refused to pay, the geographic reach of Egregor is way more extensive than that of Ragnar Locker:\r\nThe same is true for the number of attacked industries:\r\nConclusions\r\nUnfortunately, Ransomware 2.0 is here to stay. When we talk about 2.0, we mean targeted ransomware with data exfiltration. The whole extortion process is primarily about the victims’ data not being published on the internet and only then about decryption. Why is it so important for the victims that their data is not published? Because possible lawsuits and fines due to violations of regulations like HIPAA, PCI or GDPR can result in immense financial losses, reputational damage and potential bankruptcy.\r\nAs long as companies see ransomware threat actors as typical malware threats, they will also fail. It is not just about endpoint protection; it is about red teaming, business analysts working with exfiltrated documents and evaluating the ransom to pay. It is also about data theft, of course, and public shaming, leading to all sorts of problems in the end.\r\nOur next chapter will cover something else – a perfect umbrella for different threat actors with different motivations operating under the aegis of Ransomware 2.0.\r\nHow to protect yourself\r\nTo keep your company protected against these types of ransomware attacks, Kaspersky experts recommend:\r\n1. Do not expose remote desktop services (such as RDP) to public networks unless absolutely necessary, and always use strong passwords for them.\r\n2. Promptly install available patches for commercial VPN solutions providing access for remote employees and acting as gateways in your network.\r\n3. Always keep software updated on all the devices you use to prevent ransomware from exploiting vulnerabilities.\r\n4. Focus your defense strategy on detecting lateral movement and data exfiltration to the Internet. Pay special attention to outgoing traffic to detect cybercriminals’ connections. Back up data regularly. Make sure you can quickly access it in an emergency when needed.\r\n5. Use solutions like Kaspersky Endpoint Detection and Response and the Kaspersky Managed Detection and Response service, which help to identify and stop the attack at early stages, before attackers reach their final goals.\r\n6. To protect the corporate environment, educate your employees. Dedicated training courses can help, such as the ones provided in the Kaspersky Automated Security Awareness Platform. A free lesson on how to protect from ransomware attacks is available here.\r\n7. Use a reliable endpoint security solution, such as Kaspersky Endpoint Security for Business, that is powered by exploit prevention, behavior detection and a remediation engine that is able to roll back malicious actions. KESB also has self-defense mechanisms which can prevent its removal by cybercriminals.\r\nSource: https://securelist.com/targeted-ransomware-encrypting-data/99255/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/targeted-ransomware-encrypting-data/99255/"
	],
	"report_names": [
		"99255"
	],
	"threat_actors": [],
	"ts_created_at": 1775434399,
	"ts_updated_at": 1775826702,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/795c1b440672824996bddc9e5e8c23a819990f70.pdf",
		"text": "https://archive.orkl.eu/795c1b440672824996bddc9e5e8c23a819990f70.txt",
		"img": "https://archive.orkl.eu/795c1b440672824996bddc9e5e8c23a819990f70.jpg"
	}
}