{
	"id": "00117a41-c7e7-4811-8231-5541377255ed",
	"created_at": "2026-04-06T00:21:21.852149Z",
	"updated_at": "2026-04-10T03:20:38.350278Z",
	"deleted_at": null,
	"sha1_hash": "ef3077e9cd23c5c02641cfbb7cc8f89e72be49da",
	"title": "Ragnar Locker Ransomware: Unlocked by Deep Instinct",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 262408,
	"plain_text": "Ragnar Locker Ransomware: Unlocked by Deep Instinct\r\nBy Deep Instinct Threat Lab\r\nPublished: 2020-04-27 · Archived: 2026-04-05 22:40:27 UTC\r\nOn April 14th the news broke that Portuguese multinational energy giant Energias de Portugal (EDP) was hit by\r\nransomware attacking the network of the company’s 11,500 employees. The attack was by Ragnar Locker\r\nransomware, which upon encrypting the systems demanded a 1,580 Bitcoin ransom fee, the equivalent of around\r\n$11 million. In their ransom note, the attackers claim to have stolen 10TB of sensitive company files which will be\r\nleaked if the ransom isn’t paid. According to security analysts, the methodology of the attack and the ransom\r\ndemand both indicate the attack was well thought out, with the attacker fully aware of its victim’s financial\r\ncapabilities.\r\nRagnar Locker is often delivered through MSP tools such as ConnectWise, from which the attackers drop a\r\nhighly targeted ransomware executable. This is a technique that has been used by other highly malicious\r\nransomware campaigns, most notably Sodinokibi. In this type of attack, the operators of the ransomware initially\r\ninfiltrate organizations through unsecured or badly secured RDP connections and then use both tools to push\r\nPowerShell scripts to all accessible endpoints. The scripts then download a payload from Pastebin, which\r\nexecutes the ransomware and encrypts the endpoints. 
In some cases, the payload is an executable file that is\r\nexecuted as part of a file-based attack; in other cases, additional scripts are downloaded as part of a completely\r\nfile-less attack.\r\nRagnar Locker specifically targets software commonly used by managed service providers. Below is the list\r\nof targeted strings:\r\nvss\r\nsql\r\nmemtas\r\nmepocs\r\nsophos\r\nveeam\r\nbackup\r\npulseway\r\nlogme\r\nlogmein\r\nconnectwise\r\nsplashtop\r\nkaseya\r\nAttackers first steal a victim's files and upload them to their servers. They then tell the victim that they will only\r\nrelease the files publicly if a ransom is not paid, in a tactic that has recently been dubbed the ‘Name \u0026 Shame\r\nGame’.\r\nRagnar Locker ransomware undermines the MSP’s security tools (as mentioned above) before the tools can block\r\nit from executing and, once inside, commences the encryption process. It contains a specific extension to use for\r\nencrypted files and an embedded RSA-2048 key.\r\nThe ransomware appends a new file extension, such as ‘.ragnar_22015ABC’ to the file's name. The 'RAGNAR'\r\nfile marker will also be added to the end of every encrypted file.\r\nRagnar Locker will drop a ransom note named ‘.RGNR_[extension].txt.’ The ransom note contains information on\r\nthe ransom amount, a bitcoin payment address, a TOX chat ID to communicate with the cybercriminals, and a\r\nbackup email address if TOX does not work. In each case, the ransom amount is calculated individually.\r\nAmongst our customer environments, Deep Instinct found seven samples of this ransomware, and all were\r\nprevented statically with Deep Instinct’s current model in production. The previous model which was trained in\r\nQ3 of 2019 was also able to successfully detect and prevent the ransomware. 
This is a considerable feat\r\nconsidering that Ragnar Locker went undetected by most other engines when it was first spotted in the wild. In the\r\ndays following, detection rates by other engines gradually improved.\r\nNot only could Deep Instinct prevent Ragnar Locker statically prior to execution, our solution was also able to\r\nlabel it as a ransomware attack. This classification was achievable due to our product’s enhanced\r\nThe implication of this is that without ever having been trained to identify this specific form of ransomware\r\nbefore, both of our engines (the pre-execution and on-execution engines) could prevent this attack the first time\r\nthat it appeared in the wild.\r\nThe IOC hashes associated with the malware:\r\nSource: https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.deepinstinct.com/2020/04/27/ragnar-locker-ransomware-unlocked-by-deep-instinct/"
	],
	"report_names": [
		"ragnar-locker-ransomware-unlocked-by-deep-instinct"
	],
	"threat_actors": [],
	"ts_created_at": 1775434881,
	"ts_updated_at": 1775791238,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ef3077e9cd23c5c02641cfbb7cc8f89e72be49da.pdf",
		"text": "https://archive.orkl.eu/ef3077e9cd23c5c02641cfbb7cc8f89e72be49da.txt",
		"img": "https://archive.orkl.eu/ef3077e9cd23c5c02641cfbb7cc8f89e72be49da.jpg"
	}
}