{
	"id": "3a1cd49b-6681-4132-9741-471473ae519d",
	"created_at": "2026-04-06T03:37:56.98922Z",
	"updated_at": "2026-04-10T03:21:26.174456Z",
	"deleted_at": null,
	"sha1_hash": "82b64e0345d99f54b5ed27fbedfc0392ca2611ff",
	"title": "THREAT ANALYSIS REPORT: Ragnar Locker Ransomware Targeting the Energy Sector",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5152722,
	"plain_text": "THREAT ANALYSIS REPORT: Ragnar Locker Ransomware Targeting\r\nthe Energy Sector\r\nBy Cybereason Global SOC Team\r\nArchived: 2026-04-06 02:58:45 UTC\r\nThe Cybereason Global Security Operations Center (GSOC) Team issues Threat Analysis Reports to inform on impacting\r\nthreats. The Threat Analysis Reports investigate these threats and provide practical recommendations for protecting against\r\nthem.\r\nIn this Threat Analysis Report, the Cybereason GSOC investigates the Ragnar Locker malware family, a ransomware and a\r\nransomware operator which has recently claimed to have breached DESFA, a Greek pipeline company. \r\nThis report provides context over this recent breach as well as an overview of the Ragnar Locker ransomware through a\r\ndynamic analysis and a reverse engineering analysis. \r\nKey Findings\r\nBreach of a Pipeline Company : DESFA is a strategic energy-related company that has been claimed by Ragnar\r\nLocker as their victim.\r\nSecurity Evasion Capabilities : Ragnar Locker checks if specific products are installed, especially security products\r\n(antivirus), virtual-based software, backup solutions and IT remote management solutions.\r\nRansomware Actors Targeting the Energy Sector : This is the second important pipeline company that has been\r\nhit by ransomware, along with Colonial Pipeline. Furthermore, four energy companies have been hit recently by\r\nransomware, including three in Europe.\r\nActive for Three Years : Ragnar Locker is both a ransomware group and the name of the software in use. They have\r\nbeen running since 2019 and targeting critical industries. They use the double extortion scheme.\r\nExcluding the Commonwealth of Independent States : Ragnar Locker avoids being executed from countries since\r\nthe group is located in the Commonwealth of Independent States (CIS). \r\nThe Cybereason Defense Platform can effectively detect and prevent Ragnar Locker ransomware:\r\nCybereason Defense Platform Detects and Blocks Ragnar Locker Ransomware\r\nIntroduction\r\nThe Cybereason GSOC is investigating the Ragnar Locker ransomware following a recent breach that was reported by\r\nRagnar Locker, on a Greek pipeline company named DESFA:\r\nhttps://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector\r\nPage 1 of 21\n\nRagnar TOR page claiming they breached DESFA\r\nThis is not the first occurrence of ransomware attacks on pipeline companies: Colonial Pipeline was breached in March\r\n2021, and this event still haunts industrial companies due to the impact it had on production. \r\nAdditionally, this is one of the four energy providers that were hit by ransomware recently, including other ones in Europe: \r\nHive ransomware posted ENN Group from China on their portal. ENN Group is an energy and natural gas producer\r\nBlackCat ransomware hit Creos / Encevo, an energy company from Luxembourg \r\nSouth Staffordshire PLC announced being hit on the 15/08/2022, claimed by the CL0P ransomware gang\r\nFinally, Greece has an extremely strategic place for energy since gas from other places (Israel, for instance) flows to Europe.\r\nRagnar Locker is ransomware that has been in use since at least December 2019, and is generally aimed at English-speaking\r\nusers. The Ragnar Locker ransomware has been on the FBI’s radar since the gang breached more than fifty organizations\r\nhttps://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector\r\nPage 2 of 21\n\nacross ten critical infrastructure sectors. \r\nRagnar Locker matches both the name of the ransomware group and the name of the ransomware binary. In this Threat\r\nAnalysis Report, we detail the mechanisms driving Ragnar Locker through dynamic and static analysis of two samples. \r\nTechnical Analysis\r\nThe corresponding samples of Ragnar Locker that we analyzed differentiate themselves from the other ransomwares by their\r\nsize (from 53KB to 100KB):\r\nRagnar Locker Execution Flow\r\nIn the following sections, we first analyze Ragnar Locker dynamically through the Cybereason Defense Platform. Next, we\r\nanalyze Ragnar Locker more deeply, through static analysis.\r\nAnalysis with the Cybereason Defense Platform\r\nIn this section, we analyzed the sample used in the attack through our Cybereason Defense Platform.\r\nRansomware Detonation\r\nWe start this analysis by detonating one sample into a constrained laboratory live environment equipped with a Cybereason\r\nsensor:\r\nhttps://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector\r\nPage 3 of 21\n\nCybereason Defense Platform process tree view\r\nAs a result of the execution, we can observe a MalOp is created with the Ransomware detection type: \r\nMalOp created following the launch of Ragnar Locker\r\nFurther analysis of the behaviors associated with this detonation, we observe the launch of three additional processes,\r\nchronologically: \r\nChronologically ordered (more recent at the top) processes resulting from Ragnar Locker execution\r\nRagnar Locker spawns the following children process:\r\nwmic.exe shadowcopy delete: This system command deletes all shadow copies on the victim’s system, preventing\r\ndata recovery by the victim\r\nvssadmin delete shadows /all /quiet: This system command also deletes shadow copies, preventing data recovery by\r\nthe victim\r\nnotepad.exe [User path]\\RGNR_AABBCCDD.txt : This command launches Notepad.exe to show the ransom note to\r\nthe victim\r\nMITRE ATT\u0026CK lists both shadow copy deletion techniques: \r\nhttps://attack.mitre.org/techniques/T1490/\r\nLooking at the “Ragnar Locker.exe” process, we observe that it contains 1081 file events, related to the encrypted files, and\r\ntheir new path, for instance: \r\nc:\\users\\localadmin\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\devicesearchcache\\appcache133057346751796032\r\nNew path after rename event\r\n“Ragnar Locker.exe” process properties, as seen in the Cybereason Defense Platform\r\nhttps://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector\r\nPage 4 of 21\n\nAdditional Sysmon telemetry was set up on the machine, resulting in observing the modification of strategic directories, due\r\nto the ransom note creation: \r\nExtract from Sysmon event logs\r\nWe did not observe any network connection following the ransomware execution, nor registry value manipulation.\r\nRansomware Note \r\nA few seconds following the ransomware execution , as seen from the process tree, Ragnar Locker drops a ransomware note\r\nconfigured with the name of the victim, named “RGNR_AABBCCDD.txt”, and opens a Notepad with this file: \r\nhttps://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector\r\nPage 5 of 21\n\nRansomware Note as seen by the victim\r\nRagnar Locker Sample Reverse Engineering \r\nIn this section, we analyzed the sample used in the attack, this time through static analysis and advanced dynamic analysis,\r\nallowing us to dig deeper into this binary’s goal and mechanisms.\r\nChecking System Location\r\nThe first activity Ragnar Locker perform is to check if the infected machine’s locale matches with one of the following\r\ncountries:\r\nAzerbaijan\r\nArmenia\r\nBelarus\r\nKazakhstan\r\nKyrgyzstan\r\nMoldova\r\nTajikistan\r\nRussia\r\nTurkmenistan\r\nUzbekistan\r\nUkraine\r\nGeorgia\r\nIf this matches, Ragnar Locker does not execute and the process is terminated. This list matches with the countries found in\r\nthe Commonwealth of Independent States CIS:\r\nhttps://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector\r\nPage 6 of 21\n\nRagnar Locker check countries locale value through GetLocaleInfoW\r\nCollecting Host Information \r\nNext, the ransomware extracts information about the infected machine. First, it collects the computer name and the user\r\nname using the API calls GetComputerNameW and GetUserNameW. \r\nThen, the ransomware queries the registry to collect the machine GUID and Windows version:\r\nCollecting info on the host\r\nThis collected information is concatenated and goes through a custom hashing function, in order to conceal the data:\r\nhttps://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector\r\nPage 7 of 21\n\nRagnar Locker custom hashing algorithm\r\nRagnar Locker then creates a new event using the CreateEventW API call, and uses the combined hashes as the name of the\r\nevent:\r\nCreating event with combined hashes (static view)\r\nWhen running the sample through a debugger, the combined hashes look as following:\r\nCreating event with combined hashes (dynamic view)\r\nFile Volumes Identification\r\nNext, Ragnar Locker attempts to identify the existing file volumes on the host. It uses the Windows APICreateFileW to:\r\nGet a handle to a physical drive\r\nQuery the drive using DeviceIoControl\r\nIterate through the volumes using FindFirstVolumeA and FindNextVolumeA\r\nhttps://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector\r\nPage 8 of 21\n\nIterating through machine volumes\r\nEmbedded RC4 Content\r\nRagnar Locker contains hidden content embedded in the binary sections. Ragnar Locker decrypts this content during\r\nruntime using the RC4 cryptographic algorithm:\r\nCustom RC4 algorithm\r\nThe custom RC4 algorithm function is executed several times and decrypts a list of services names: \r\nhttps://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector\r\nPage 9 of 21\n\nvss, sql, memtas, mepocs, sophos, veeam, backup, pulseway, logme, logmein, connectwise, splashtop, kaseya,\r\nvmcompute, Hyper-v, vmms, Dfs.\r\nDecrypted RC4\r\nservices names\r\nThen, Ragnar Locker iterates through the running services of the infected machines. If one of the decrypted services is\r\nfound, Ragnar Locker terminates it:\r\nEnumerating the machine’s services\r\nChecking if the\r\ntargeted service exist\r\nRagnar Locker then decrypts an embedded RSA public key:\r\nhttps://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector\r\nPage 10 of 21\n\nDecrypted RSA\r\npublic key\r\nAfter decrypting the public key, Ragnar Locker passes the key to another function that prepares the key for further use:\r\nPreparing the key for encryption\r\nLastly, Ragnar Locker decrypts the ransom note’s content:\r\nhttps://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector\r\nPage 11 of 21\n\nDecrypted\r\nransom note through the RC4 routine\r\nDeleting Shadow Copies\r\nIn order to delete the machine’s shadow copies, Ragnar Locker executes the processes vssadmin.exe and Wmic.exe with the\r\nfollowing command lines:\r\nVssadmin delete shadows /all /quiet\r\nWmic.exe shadowcopy delete\r\nhttps://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector\r\nPage 12 of 21\n\nDeleting shadow copies using Wmic and Vssadmin\r\nCreating the Ransom Note\r\nRagnar Locker generates the ransom note file name through the following algorithm:\r\nIt gets the computer name using the API call GetComputerNameW\r\nIt hashes the computer name using the custom hashing algorithm mentioned above\r\nIt concatenates the strings “\\\\“, “RGNGR_”, “.txt” with the hashed computer name\r\nIt completes the full name by concatenating the path “C:\\Users\\Public\\Documents”, resulting in\r\n“C:\\Users\\Public\\Documents\\RNGR_[hash].txt”\r\nPreparing the txt file that holds the ransom note\r\nEventually, Ragnar Locker calls CreateFileW to create the requested text file with the required path. Ragnar Locker then\r\nwrites a decrypted ransom note at this path.\r\nIn addition, after writing the note, Ragnar Locker writes another smaller part starting with “---RAGNAR SECRET—-”. This\r\npart is the output of the API call CryptBinaryToStringA:\r\nhttps://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector\r\nPage 13 of 21\n\nCreating the txt file that holds the ransom note\r\nRagnar secret example output\r\nEncrypting the Files\r\nAfter creating the ransom note, the actual file encryption process ignites. First, Ragnar Locker gets the drives (except\r\nDRIVE_CDROM) and directories, and sends the string of the file to be encrypted to an encryption function.\r\nThe encryption function first checks for some files to be excluded from the encryption process, those files are:\r\nAutoruns.inf, boot.ini, bootfront.bin, bootsect.bak, bootmgr, bootmgr.efi, bootmgfw.efi, desktop.ini, iconcache.db,\r\nntldr, ntuser.dat, ntuser.dat.log, ntuser.ini, thumbs.db\r\nList of excluded files\r\nIn addition, other specific processes and objects are excluded, such as: \r\nWindows.old, Tor Browser, Internet Explorer, Google, Opera, Opera Software, Mozilla, Mozilla Firefox,\r\n$Recycle.bin, ProgramData, All Users\r\nhttps://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector\r\nPage 14 of 21\n\nFiles and\r\nprocesses to exclude\r\nLastly, the last checks of Ragnar Locker excludes files with the following extension: \r\n.db, .sys, .dll, lnk, .msi, .drv, .exe\r\nFile extensions to\r\nexclude\r\nOnce the file meets the criteria, the file name is sent to a function that encrypts the corresponding file using the Salsa20\r\nalgorithm. After each encryption, Ragnar Locker appends the suffix “.ragnar_[hashed computer name]” to the affected file:\r\nFiles manipulated by encryption\r\nDisplaying the Ransom Note\r\nFollowing the machine encryption, Ragnar Locker creates a notepad.exe process that presents the ransom note to the user’s\r\nscreen with the ransom and payment information.\r\nRagnar Locker spawns this process through the following way:\r\nGetting a handle to the current process token\r\nhttps://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector\r\nPage 15 of 21\n\nDuplicate the token\r\nSetting the token to elevate privileges \r\nUse CreateProcessAsUserW with the elevated token\r\nCreating notepad process to display ransom note\r\nDisplayed ransom note\r\nDetection and Prevention\r\nCybereason Defense Platform\r\nThe Cybereason Defense Platform is able to detect and prevent infections with Ragnar Locker ransomware, using multi-layer protection that detects and blocks malware with threat intelligence, machine learning, anti-ransomware and Next-Gen\r\nAntivirus (NGAV) capabilities:\r\nThe Cybereason Defense Platform creates a MalOp and labels it as Ransomware behavior\r\nhttps://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector\r\nPage 16 of 21\n\nThe Cybereason Defense Platform suspends Ragnar Locker when Anti-Ransomware feature is set to “Suspend” as seen from\r\nthe Cybereason Defense Platform \r\nCybereason GSOC MDR\r\nThe Cybereason GSOC recommends the following:\r\nEnable Anti-Ransomware in your environment’s policies, set the Anti-Ransomware mode to Prevent, and enable\r\nShadow Copy detection to ensure maximum protection against ransomware.\r\nIn the Cybereason Defense Platform, enable Application Control to block the execution of malicious files.\r\nTo hunt proactively, use the Investigation screen in the Cybereason Defense Platform and the queries in the Hunting\r\nQueries section to search for machines that are potentially infected with Ragnar Locker. Based on the search results,\r\ntake further remediation actions, such as isolating the infected machines and deleting the payload file.\r\nCybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere.\r\nSchedule a demo today to learn how your organization can benefit from an operation-centric approach to security.\r\nMITRE ATT\u0026CK Mapping\r\nTactic Technique or Sub-technique\r\nTA0005: Defense Evasion T1562.001: Impair Defenses: Disable or Modify Tools\r\nTA0007: Discovery T1033: System Owner/User Discovery\r\nTA0007: Discovery T1057: Process Discovery\r\nTA0007: Discovery T1082: System Information Discovery\r\nTA0007: Discovery T1614: System Location Discovery\r\nTA0040: Impact T1486: Data Encrypted for Impact\r\nTA0040: Impact T1489: Service Stop\r\nTA0040: Impact T1490: Inhibit System Recovery\r\nIOCs\r\nIndicators\r\nIndicator\r\ntype\r\nDescription\r\nhttps://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector\r\nPage 17 of 21\n\n041fd213326dd5c10a16caf88ff076bb98c68c052284430fba5f601023d39a14 SHA256\r\nRagnar Locker\r\nBinary\r\n04c9cc0d1577d5ee54a4e2d4dd12f17011d13703cdd0e6efd46718d14fd9aa87 SHA256\r\nRagnar Locker\r\nBinary\r\n0766beb30c575fc68d1ca134bd53c086d2ce63b040e4d0bbd6d89d8c26ca04f6 SHA256\r\nRagnar Locker\r\nBinary\r\n0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36 SHA256\r\nRagnar Locker\r\nBinary\r\n10f9ad4e9f6e0dc1793be80203b258f8c5114d01cb17307c1b2fdcca37d4edf9 SHA256\r\nRagnar Locker\r\nBinary\r\n1318f8a4566a50537f579d24fd1aabcf7e22e89bc75ffd13b3088fc6e80e9a2a SHA256\r\nRagnar Locker\r\nBinary\r\n1472f5f559f90988f886d515f6d6c52e5d30283141ee2f13f92f7e1f7e6b8e9e SHA256\r\nRagnar Locker\r\nBinary\r\n1602d04000a8c7221ed0d97d79f3157303e209d4640d31b8566dd52c2b09d033 SHA256\r\nRagnar Locker\r\nBinary\r\n30dcc7a8ae98e52ee5547379048ca1fc90925e09a2a81c055021ba225c1d064c SHA256\r\nRagnar Locker\r\nBinary\r\n3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804 SHA256\r\nRagnar Locker\r\nBinary\r\n3bc8ce79ee7043c9ad70698e3fc2013806244dc5112c8c8d465e96757b57b1e1 SHA256\r\nRagnar Locker\r\nBinary\r\n5469182495d92a5718e0e1dcdf371e92b79724e427050154f318de693d341c89 SHA256\r\nRagnar Locker\r\nBinary\r\n5fc6f4cfb0d11e99c439a13b6c247ec3202a9a343df63576ce9f31cffcdbaf76 SHA256\r\nRagnar Locker\r\nBinary\r\n60233700ee64b9e5d054fa551688e8617328b194534a0fe645411685ce467128 SHA256\r\nRagnar Locker\r\nBinary\r\n63096f288f49b25d50f4aea52dc1fc00871b3927fa2a81fa0b0d752b261a3059 SHA256\r\nRagnar Locker\r\nBinary\r\n68eb2d2d7866775d6bf106a914281491d23769a9eda88fc078328150b8432bb3 SHA256\r\nRagnar Locker\r\nBinary\r\nhttps://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector\r\nPage 18 of 21\n\n6fd4ec6611bf7e691be80483bcf860e827d513df45e20d78f29cf4638b6c20e8 SHA256\r\nRagnar Locker\r\nBinary\r\n7af61ce420051640c50b0e73e718dd8c55dddfcb58917a3bead9d3ece2f3e929 SHA256\r\nRagnar Locker\r\nBinary\r\n91128776769d4f78dd177695df610463a0b05e2174ba76d0489b976b99cae223 SHA256\r\nRagnar Locker\r\nBinary\r\n9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151 SHA256\r\nRagnar Locker\r\nBinary\r\n9706a97ffa43a0258571def8912dc2b8bf1ee207676052ad1b9c16ca9953fc2c SHA256\r\nRagnar Locker\r\nBinary\r\n9b62cdb57f4c34924333dfa3baefd993efeab68109580b682b074f0e73b63983 SHA256\r\nRagnar Locker\r\nBinary\r\n9bdd7f965d1c67396afb0a84c78b4d12118ff377db7efdca4a1340933120f376 SHA256\r\nRagnar Locker\r\nBinary\r\na8ee0fafbd7b84417c0fb31709b2d9c25b2b8a16381b36756ca94609e2a6fcf6 SHA256\r\nRagnar Locker\r\nBinary\r\nac16f3e23516cf6b22830c399b4aba9706d37adceb5eb8ea9960f71f1425df79 SHA256\r\nRagnar Locker\r\nBinary\r\nafab912c41c920c867f1b2ada34114b22dcc9c5f3666edbfc4e9936c29a17a68 SHA256\r\nRagnar Locker\r\nBinary\r\nb0d8f9aa9566245362d7e7443ab4add80ce90fbdf35a30df9a89e9dae5f22190 SHA256\r\nRagnar Locker\r\nBinary\r\nb6663af099538a396775273d79cb6fff99a18e2de2a8a2a106de8212cc44f3e2 SHA256\r\nRagnar Locker\r\nBinary\r\nb670441066ff868d06c682e5167b9dbc85b5323f3acfbbc044cabc0e5a594186 SHA256\r\nRagnar Locker\r\nBinary\r\nb72beb391c75af52c6fb62561f26214b682f12d95660b128d9e21e18e3bff246 SHA256\r\nRagnar Locker\r\nBinary\r\nc2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6 SHA256\r\nRagnar Locker\r\nBinary\r\nce33096639fb5c51684e9e3a7c7c7161884ecad29e8d6ad602fd8be42076b8d4 SHA256\r\nRagnar Locker\r\nBinary\r\nhttps://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector\r\nPage 19 of 21\n\ncf5ec678a2f836f859eb983eb633d529c25771b3b7505e74aa695b7ca00f9fa8 SHA256\r\nRagnar Locker\r\nBinary\r\ndd5d4cf9422b6e4514d49a3ec542cffb682be8a24079010cda689afbb44ac0f4 SHA256\r\nRagnar Locker\r\nBinary\r\nec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597 SHA256\r\nRagnar Locker\r\nBinary\r\nAbout the Researchers\r\nEli Salem, Principal Security Analyst, Cybereason Global SOC\r\nEli is a lead threat hunter and malware reverse engineer at Cybereason. He has worked in the private sector of the cyber\r\nsecurity industry since 2017. In his free time, he publishes articles about malware research and threat hunting. \r\nLoïc Castel, Principal Security Analyst, Cybereason Global SOC\r\nLoïc is a Principal Security Analyst with the Cybereason Global SOC team. Loïc analyses and researches critical incidents\r\nand cybercriminals, in order to better detect compromises. In his career, Loïc worked as a security auditor in well-known\r\norganizations such as ANSSI (French National Agency for the Security of Information Systems) and as Lead Digital\r\nForensics \u0026 Incident Response at Atos. Loïc loves digital forensics and incident response, but is also interested in offensive\r\naspects such as vulnerability research.\r\nAbout the Author\r\nhttps://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector\r\nPage 20 of 21\n\nCybereason Global SOC Team\r\nThe Cybereason Global SOC Team delivers 24/7 Managed Detection and Response services to customers on every\r\ncontinent. Led by cybersecurity experts with experience working for government, the military and multiple industry\r\nverticals, the Cybereason Global SOC Team continuously hunts for the most sophisticated and pervasive threats to support\r\nour mission to end cyberattacks on the endpoint, across the enterprise, and everywhere the battle moves.\r\nAll Posts by Cybereason Global SOC Team\r\nSource: https://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector\r\nhttps://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector\r\nPage 21 of 21",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector"
	],
	"report_names": [
		"threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector"
	],
	"threat_actors": [],
	"ts_created_at": 1775446676,
	"ts_updated_at": 1775791286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/82b64e0345d99f54b5ed27fbedfc0392ca2611ff.pdf",
		"text": "https://archive.orkl.eu/82b64e0345d99f54b5ed27fbedfc0392ca2611ff.txt",
		"img": "https://archive.orkl.eu/82b64e0345d99f54b5ed27fbedfc0392ca2611ff.jpg"
	}
}