{
	"id": "de68028d-2466-4907-99e7-26a71b713c32",
	"created_at": "2026-04-06T00:22:25.230532Z",
	"updated_at": "2026-04-10T03:22:02.081926Z",
	"deleted_at": null,
	"sha1_hash": "cd30c98692671bf0691567a62acd754e5ec7f247",
	"title": "Cyble - Deep Dive Into Ragnar_locker Ransomware Gang",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2112633,
	"plain_text": "Cyble - Deep Dive Into Ragnar_locker Ransomware Gang\r\nPublished: 2022-01-20 · Archived: 2026-04-05 12:45:05 UTC\r\nRagnar_locker ransomware targets multiple high-profile Windows platforms using the double extortion technique.\r\nOrganizations worldwide face a multi-pronged threat from ransomware groups at a greater frequency than recorded\r\nbefore. As the organizations’ primary danger remains losing access to their systems and data, the threat of ransomware\r\ngroups leaking the data if their ransom requests are not met or the victim reaches out to law enforcement authorities has\r\nbeen raising more concern.\r\nCyble Research Labs has analyzed and published information about the most prominent and active ransomware groups\r\nin the past and provided recommendations to prevent such incidents. This blog is a deep dive into one of the most\r\nactive ransomware groups, Ragnar_Locker: how they operate, their capabilities, and how to secure yourself/your\r\norganization from them.\r\nRagnar_locker ransomware was first observed in late 2019, targeting multiple high-profile targets on Windows\r\nplatforms. Like most notorious ransomware gangs, Ragnar_locker also uses the double extortion technique for financial gain.\r\nThis group targets several countries worldwide, as shown in the figure below.\r\nhttps://blog.cyble.com/2022/01/20/deep-dive-into-ragnar-locker-ransomware-gang/\r\nPage 1 of 12\n\nFigure 1 Ragnar_locker Ransomware Victim Details\r\nTechnical Analysis\r\nBased on static analysis, we found that the malicious file is a 32-bit Graphical User Interface (GUI) based binary, as\r\nshown in Figure 2.\r\nFigure 2 Static File Details of Ragnar_locker Ransomware\r\nAfter execution, Ragnar Ransomware initially searches for system details using the GetLocaleInfoW() API, which extracts\r\nthe system’s default language. 
After identifying the system language, it compares this with a hardcoded list of\r\nlanguages present in the Ransomware binary, as shown in the figure below.\r\nFigure 3 Ragnar_locker Ransomware Language Check\r\nIf the identified system language is present in the hardcoded list, the Ransomware terminates its execution using\r\nthe TerminateProcess() API.\r\nThe languages hardcoded into the Ransomware are Belarusian, Azerbaijani, Ukrainian, and other languages\r\ncommonly spoken in the former Soviet Union (USSR).\r\nRagnar Ransomware then looks for other system information using APIs to retrieve the victim’s system name, username,\r\nGUID, and product name.\r\nFigure 4 Ragnar_locker Ransomware Enumerating System Information\r\nThe Ransomware collects the above system information and calculates its size. This information and size are then fed\r\nto custom logic that generates a unique hash, which is used to create an event in the system using the CreateEventW() API, as shown in\r\nFigure 5.\r\nFigure 5 Ragnar_locker Ransomware Creating Event\r\nThis malware then enumerates all the physical drives in the system. Ragnar Ransomware uses the CreateFileW() API\r\nfunction to check which physical drives are accessible by the system. 
The malware then executes a loop that runs\r\nsixteen times to get all the accessible physical drives.\r\nFigure 6 shows the enumeration of \\\\\\\\.\\\\PHYSICALDRIVE.\r\nFigure 6 Ragnar_locker Ransomware Checking for Physical Drives\r\nAfter checking the physical drives, the Ransomware extracts all the system volume names using the GetLogicalDrives()\r\nAPI, as shown in the figure below.\r\nFigure 7 Ragnar_locker Ransomware Enumerating Hard Drive Volumes\r\nAfter retrieving the volume names, the Ransomware then calls the GetVolumeInformationA() API to get the details of the\r\nvolume.\r\nFigure 8 Retrieves Volume Details\r\nThe malware now prepares the key required to encrypt the files in the later part of its execution. The malware uses\r\ncryptographic APIs such as CryptAcquireContextW(), CryptGenRandom() and CryptReleaseContext() to generate\r\nrandom keys.\r\nThen, the malware uses custom decryption logic to decrypt the strings that contain the names of\r\nthe services. After identifying the names of the services, the Ransomware checks for their presence and terminates\r\nthem if the services are actively running on the victim’s machine. 
Some of these services include VSS, SQL, Memtas,\r\netc.\r\nTo identify the services running on the machine, the Ransomware first calls the OpenSCManagerA() API, which establishes\r\na connection to the service control manager and gives the TA access to the service control manager database.\r\nUpon gaining access to this database, the following APIs are called:\r\nOpenServiceA() – Opens the specified service.\r\nQueryServiceStatusEx() – Gets the status of the service.\r\nEnumDependentServicesA() – Retrieves the dependent services.\r\nControlService() – Sends a stop control code to the service.\r\nIf the OpenSCManagerA() API fails to get a handle to the Service Control Manager (SCM), the Ransomware skips\r\ncalling the above service-related APIs.\r\nThe Ransomware then proceeds to execute the CreateProcessW() API to call wmi/vssadmin to delete any shadow copies in\r\nthe system. After this, the Ransomware decrypts the RSA public key, which is then used to encrypt the randomly generated key, as shown\r\nin Figure 9.\r\nFigure 9 RSA Public Key\r\nThe Ransomware decrypts the ransom notes in memory; these are shown to the victims after file encryption on their system.\r\nThen, it gets the device name and creates a unique hash used to generate the ransom note name in the format below.\r\nRGNR_[Unique-hash].txt\r\nIt calls the SHGetSpecialFolderPathW() API, gets the path of the Public folder (c:\\user\\public\\Documents), and creates\r\nransom notes in it. 
The ransom note content is then written using the WriteFile() API.\r\nThe Ransomware then searches for files in the Windows directory for encryption using the FindFirstFileW() and\r\nFindNextFileW() APIs.\r\nBefore initiating encryption, the ransomware checks and excludes specific folders from encryption – such as Windows,\r\nTor Browser, Google, Opera.\r\nThe Ransomware also excludes certain files from encryption such as RGNR_[unique_hash].txt, autorun.inf, boot.ini,\r\namongst others.\r\nSpecific extensions are also exempted from encryption – such as .db, .sys, .dll.\r\nThe Ransomware specifically excludes these files, folders, and extensions to ensure that the TAs do not damage any\r\nsystem-critical files. Victims will thus still have access to the affected device to pay the ransom after successful encryption.\r\nFinally, the Ransomware encrypts the files using the Salsa20 algorithm and displays a ransom note on the victims’\r\nmachine. As shown in the figure below, the encrypted files will have the extension ragnar_[unique_hash] appended on the\r\nvictims’ device.\r\nFigure 10 Encrypted Files on the Machine\r\nIn their ransom note below, the TAs have instructed victims to contact them via qTox and have also given an Email ID,\r\ncargowelcome@protonmail[.]com, in case the victim cannot contact them through qTox to pay the ransom of 25\r\nBitcoin (BTC) for the decryption key.\r\nFigure 11 Ransom note\r\nOther Observations\r\nCyble Research Labs found that the TAs leaked their victims’ details on their leak website when victims did not\r\npay the ransom. 
The following figure shows Ragnar_locker’s leak website with recent victims.\r\nFigure 12 Victims Mentioned on Leak Site\r\nAs per their leak site, the Ragnar_locker ransomware group claims to be a team of cyber security enthusiasts working\r\nto make a profit.\r\nThe group alleges that their primary motivation to attack organizations is to help them improve their security measures.\r\nIn addition, they want companies to take responsibility for securely storing the personal data of their clients and\r\npartners.\r\nIn one case, it was observed that the TAs had stolen the data of a victim’s machine and shared the same on their leak\r\nsite. The stolen data claimed by the TAs includes names, PAN numbers, mobile numbers, GST numbers, etc.\r\nThe victim’s data posted on the TAs’ leak site is shown in the figure below.\r\nFigure 13 Tax Invoice\r\nFigure 14 Airways Bill\r\nConclusion\r\nThere are likely multiple variants of Ragnar_locker ransomware active in the wild. In addition, TAs keep improving\r\ntheir code with new features to evolve their Ransomware-as-a-Service (RaaS) business model with new Tactics,\r\nTechniques, and Procedures (TTPs) to target devices. Based on these observations, we can safely assume that there\r\nmay be further enhancements in upcoming variants of Ragnar_locker.\r\nWe continuously monitor Ragnar_locker’s extortion campaigns and update our readers with the latest information.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. 
We\r\nrecommend that our readers follow the best practices given below:\r\nSafety measures needed to prevent ransomware attacks\r\nConduct regular backup practices and keep those backups offline or in a separate network.\r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices wherever\r\npossible and pragmatic.\r\nUse a reputed anti-virus and Internet security software package on your connected devices, including PC,\r\nlaptop, and mobile.\r\nRefrain from opening untrusted links and email attachments without verifying their authenticity.\r\nUsers should take the following steps after a ransomware attack\r\nDisconnect infected devices from the network.\r\nDisconnect external storage devices if connected.\r\nInspect system logs for suspicious events.\r\nImpact and Criticality of Ragnar_locker Ransomware\r\nLoss of valuable data.\r\nLoss of the organization’s reliability or integrity.\r\nLoss of the organization’s business information.\r\nDisruption of the organization’s operations.\r\nEconomic loss.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic Technique ID Technique Name\r\nInitial Access T1078 – Valid Accounts\r\nExecution T1059 – Command and Scripting Interpreter\r\nPrivilege Escalation T1548 – Abuse Elevation Control Mechanism\r\nPrivilege Escalation T1134 – Access Token Manipulation\r\nDefense Evasion T1112 – Modify Registry\r\nDefense Evasion T1027 – Obfuscated Files or Information\r\nDefense Evasion T1562.001 – Impair Defenses: Disable or Modify Tools\r\nDiscovery T1082 – System Information Discovery\r\nDiscovery T1083 – File and Directory Discovery\r\nDiscovery T1135 – Network Share Discovery\r\nImpact T1490 – Inhibit System Recovery\r\nImpact T1489 – Service Stop\r\nImpact T1486 – Data Encrypted for Impact\r\nIndicators of Compromise 
(IOCs)\r\nIndicators Indicator type Description\r\nb6663af099538a396775273d79cb6fff99a18e2de2a8a2a106de8212cc44f3e2 SHA256 Ragnar_locker Executable\r\nac16f3e23516cf6b22830c399b4aba9706d37adceb5eb8ea9960f71f1425df79 SHA256 Ragnar_locker Executable\r\n68eb2d2d7866775d6bf106a914281491d23769a9eda88fc078328150b8432bb3 SHA256 Ragnar_locker Executable\r\nb670441066ff868d06c682e5167b9dbc85b5323f3acfbbc044cabc0e5a594186 SHA256 Ragnar_locker Executable\r\n9bdd7f965d1c67396afb0a84c78b4d12118ff377db7efdca4a1340933120f376 SHA256 Ragnar_locker Executable\r\ndd5d4cf9422b6e4514d49a3ec542cffb682be8a24079010cda689afbb44ac0f4 SHA256 Ragnar_locker Executable\r\n63096f288f49b25d50f4aea52dc1fc00871b3927fa2a81fa0b0d752b261a3059 SHA256 Ragnar_locker Executable\r\na8ee0fafbd7b84417c0fb31709b2d9c25b2b8a16381b36756ca94609e2a6fcf6 SHA256 Ragnar_locker Executable\r\n5fc6f4cfb0d11e99c439a13b6c247ec3202a9a343df63576ce9f31cffcdbaf76 SHA256 Ragnar_locker Executable\r\n1472f5f559f90988f886d515f6d6c52e5d30283141ee2f13f92f7e1f7e6b8e9e SHA256 Ragnar_locker Executable\r\nec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597 SHA256 Ragnar_locker Executable\r\nSource: https://blog.cyble.com/2022/01/20/deep-dive-into-ragnar-locker-ransomware-gang/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2022/01/20/deep-dive-into-ragnar-locker-ransomware-gang/"
	],
	"report_names": [
		"deep-dive-into-ragnar-locker-ransomware-gang"
	],
	"threat_actors": [],
	"ts_created_at": 1775434945,
	"ts_updated_at": 1775791322,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cd30c98692671bf0691567a62acd754e5ec7f247.pdf",
		"text": "https://archive.orkl.eu/cd30c98692671bf0691567a62acd754e5ec7f247.txt",
		"img": "https://archive.orkl.eu/cd30c98692671bf0691567a62acd754e5ec7f247.jpg"
	}
}