{
	"id": "6f418212-8633-4d97-9993-746176ec86fe",
	"created_at": "2026-04-06T03:36:27.309688Z",
	"updated_at": "2026-04-10T03:21:34.652061Z",
	"deleted_at": null,
	"sha1_hash": "ca2bd7bcd37819be307461b60362fd3a4b00ba9e",
	"title": "Cynet Detection Report: Ragnar Locker Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 547123,
	"plain_text": "Cynet Detection Report: Ragnar Locker Ransomware\r\nArchived: 2026-04-06 03:21:29 UTC\r\nWritten by: Ben Gold\r\nEXECUTIVE SUMMARY\r\nAttackers first began using the Ragnar Locker ransomware towards the end of December 2019 as a way to attack\r\ncompromised networks. Ragnar Locker is ransomware that runs on Microsoft Windows. It specifically targets\r\nsoftware commonly used by managed service providers to prevent its attack from being detected and stopped. It\r\nis aimed at English-speaking users.\r\nWhen the attackers first compromise a network, they will perform reconnaissance and pre-deployment tasks\r\nbefore executing the ransomware.\r\nCYNET DETECTION\r\nCynet protects your environment against this type of attack. Cynet detects it and alerts you\r\nto the malicious activities using the following mechanisms.\r\nNote that some of the actions are set to alert only, so as not to interrupt the ransomware’s flow, allowing Cynet to detect\r\nevery step of the Ragnar Locker ransomware attack flow.\r\nMALICIOUS BINARY\r\nFast Scan engine – This alert triggers when Cynet detects a file hash (SSDEEP) which is similar to a file\r\nhash that is flagged in our threat intelligence database as malicious. The idea behind this alert is to detect\r\nnew variants of known malware.\r\nhttps://www.cynet.com/blog/cynet-detection-report-ragnar-locker-ransomware/\r\nPage 1 of 5\n\nMEMORY PATTERN\r\nDefault Configuration – This alert is triggered when Cynet detects memory strings which are associated\r\nwith malware or with malicious files.\r\nRANSOMWARE HEURISTIC\r\nADT – Advanced Detection Technology – This alert triggers when Cynet detects suspicious behavior\r\nwhich can be associated with ransomware (such as changing file extensions to “.Lock”).\r\nMALICIOUS PROCESS COMMAND\r\nADT – Advanced Detection Technology – This alert triggers when Cynet detects a CMD process which\r\nexecutes a command that contains suspicious arguments or is associated with malicious patterns.\r\n“VSSADMIN delete shadow /all” is a technique ransomware uses to delete the shadow copies.\r\nShadow Copy is a technology included in Microsoft Windows that can create backup copies or snapshots\r\nof computer files or volumes, even when they are in use. It is implemented as a Windows service called the\r\nVolume Shadow Copy service.\r\nINVESTIGATION OVERVIEW\r\nAfter execution, Ragnar Locker ransomware encrypts the files and adds the extension “.ragnar” and an 8-digit\r\nnumber.\r\nWhen encrypting files, it will skip files in the following folders, file names, and extensions:\r\nkernel32.dll\r\nWindows\r\nWindows.old\r\nTor browser\r\nInternet Explorer\r\nGoogle\r\nProgramData\r\nAll Users\r\nautorun.inf\r\nboot.ini\r\nbootfont.bin\r\nbootsect.bak\r\nntldr\r\nntuser.dat\r\nntuser.dat.log\r\nntuser.ini\r\nthumbs.db\r\n.sys\r\nOpera\r\nOpera Software\r\nMozilla\r\nMozilla Firefox\r\n$Recycle.Bin\r\nbootmgr\r\nbootmgr.efi\r\nbootmgfw.efi\r\ndesktop.ini\r\niconcache.db\r\n.dll\r\n.lnk\r\n.msi\r\n.drv\r\n.exe\r\nOnce a computer’s files have been encrypted and renamed, it creates a ransom note in several directories – the\r\nransom notes are named RGNR_25A5382C.txt.\r\nThe note itself contains an email address to contact the cybercriminals, who will provide a decryption tool once the\r\nvictim sends them the Base64 code, which also contains details of the infected host.\r\nRECOMMENDATIONS\r\nUse Cynet built-in remediation to isolate the host from the network.\r\nDelete all malicious payloads associated with the ransomware (rangar.exe).\r\nUse Cynet built-in remediation to prevent the malicious payload from running.\r\nUse Cynet Forensics to investigate the root cause of this incident.\r\nContact Cynet CyOps (Cynet Security Operations Center)\r\nThe Cynet CyOps team is available to clients 24/7 for assistance with any issues, questions, or comments related\r\nto Cynet 360. For additional information, you may contact us directly at:\r\nPhone (US):  +1-347-474-0048\r\nPhone (EU):  +44-203-290-9051\r\nPhone (IL):    +972-72-336-9736\r\nCyOps Email: soc@cynet.com\r\nSource: https://www.cynet.com/blog/cynet-detection-report-ragnar-locker-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.cynet.com/blog/cynet-detection-report-ragnar-locker-ransomware/"
	],
	"report_names": [
		"cynet-detection-report-ragnar-locker-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775446587,
	"ts_updated_at": 1775791294,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ca2bd7bcd37819be307461b60362fd3a4b00ba9e.pdf",
		"text": "https://archive.orkl.eu/ca2bd7bcd37819be307461b60362fd3a4b00ba9e.txt",
		"img": "https://archive.orkl.eu/ca2bd7bcd37819be307461b60362fd3a4b00ba9e.jpg"
	}
}