{
	"id": "f7149f07-ab18-4ffe-bc45-d6e4219331eb",
	"created_at": "2026-04-06T00:07:15.531887Z",
	"updated_at": "2026-04-10T03:20:16.969045Z",
	"deleted_at": null,
	"sha1_hash": "fb74454eb6feb4ae019f654503292a9c3ca25c76",
	"title": "Analysis of Ragnar Locker Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57401,
	"plain_text": "Analysis of Ragnar Locker Ransomware\r\nBy Acronis\r\nPublished: 2021-06-04 · Archived: 2026-04-05 21:29:28 UTC\r\nSummary\r\nFirst discovered in April 2020.\r\nUses the increasingly popular “double extortion” tactic, in which the attacker first exfiltrates sensitive data, then\r\ntriggers the encryption attack, threatening to leak the stolen data if the target refuses to pay the ransom.\r\nHas 10 known victims to date whose data have been published on the data leak site.\r\nUses a specially-crafted virtual machine image for its payload execution in order to evade anti-malware detection.\r\nUses the Salsa20 encryption algorithm (which is too strong to decrypt using brute-force methods) for file encryption and\r\nRSA-2048 to encrypt file keys.\r\nUses the CVE-2017-0213 vulnerability to elevate privileges via COM objects.\r\nDelivery of Ragnar Locker\r\nThe threat actor begins the attack by compromising the company’s network via the RDP service, using brute force to guess\r\nweak passwords or with stolen credentials bought on the Dark Web. Next, the attacker performs second-stage reconnaissance.\r\nTo elevate privileges, the attacker exploits the CVE-2017-0213 vulnerability in the Windows COM Aggregate Marshaler to run\r\narbitrary code with elevated privileges. Having achieved privilege escalation, the attacker sometimes deploys a VirtualBox\r\nvirtual machine (VM) with a Windows XP image to evade detection: an early use of a virtual machine image in this manner\r\nto run the ransomware encryption attack. The technique has since been adopted by the Maze family of ransomware\r\noperators.\r\nThe specially-crafted VM image is loaded into the VirtualBox VM, mapping all local drives as read/writable into the virtual\r\nmachine. This allows the ransomware process running inside the VM to encrypt all files. 
To the host, the encryption appears to come from a trusted VirtualBox process and is thus ignored by many security\r\nproducts.\r\nNext, the Ragnar Locker operator deletes any extant shadow copies, disables any detected antivirus countermeasures, and\r\nuses a PowerShell script to move from one company network asset to another. Finally, before launching the Ragnar Locker\r\nransomware, the attacker steals sensitive files and uploads them to one or more servers in order to publish them if the victim\r\nrefuses to pay the ransom.\r\nObfuscation\r\nThe ransomware code is protected with obfuscation techniques that include adding junk code as well as encryption. The\r\nsample code snippet below shows such junk arithmetic instructions, the results of which are never used:\r\nAfter performing its most resource-intensive operations, Ragnar Locker allocates 7680 (0x1E00) bytes of free memory space\r\nin the current process via VirtualAllocEx().\r\nIt then fills that memory with shellcode and runs it.\r\nThe shellcode’s main goal is to place the ransomware executable in memory and call it.\r\nThe first call of VirtualAlloc() allocates 9218 bytes of memory to store the encrypted payload.\r\nThe second call of VirtualAlloc() allocates 48640 (0xBE00) bytes of memory to store the decrypted payload (PE file).\r\nThe hashes of the decrypted payload are as follows:\r\nMD5: 6360B252B21FE015D667B093F6497E33\r\nSHA256: 1DE475E958D7A49EBF4DC342F772781A97AE49C834D9D7235546737150C56A9C\r\nhttps://www.acronis.com/en-sg/articles/ragnar-locker/\r\nPage 1 of 5\n\nAfter resolving the address of the .text section, the ransomware jumps to the original entry point (OEP) of the unpacked\r\nsample.\r\nLocale check\r\nRagnar Locker checks the locale information to avoid infecting machines in CIS countries. 
It identifies the following languages for\r\nexclusion:\r\nIt uses GetLocaleInfoW() with LANG_SYSTEM_DEFAULT and LOCALE_SENGLISHLANGUAGENAME to retrieve\r\nthe operating system default language of the victim’s machine.\r\nIf the machine’s default language matches one on the CIS list, the ransomware process is terminated with the exit\r\ncode 666.\r\nCommand-line arguments\r\nRagnar Locker can be run with the ‘-list’ or ‘-force’ command-line options. The ‘-list’ argument is passed with a file containing\r\nthe list of files to be encrypted.\r\nThe ‘-force’ argument is passed with a path pointing to where the encryption should start.\r\nBy default, the ransomware is run without any command-line options, thereby encrypting the whole system.\r\nRagnar Locker encryption\r\nThe payload PE file contains a section with the name ‘.keys’ in which the crypto keys and obfuscated configuration strings\r\nare stored.\r\nThe ransomware uses hardcoded obfuscated strings, decrypted at runtime.\r\nThe first decrypted value is a unique sample ID.\r\nNext, it references a list of services to be terminated by Ragnar Locker that includes strings related to backup and antivirus\r\nsolutions (such as ‘sophos’ and ‘veeam’), as well as remote management software (RMM) tools like ConnectWise and\r\nKaseya that are typically used by managed service providers (MSPs).\r\nThe blacklist of processes includes text, database, and email processors. 
As a result, after terminating the processes, valuable\r\ntarget files such as documents, databases, and emails are released and available for encryption.\r\nThe embedded master RSA-2048 public key uses the PEM format.\r\nThe hardcoded ransom note includes the name of the target organization.\r\nRagnar Locker generates two key data arrays of 40 bytes and 32 bytes for use by the Salsa20 cipher.\r\nA custom-named GenKey function uses CryptGenRandom(), then manually initializes a SHA-512 hash with the corresponding\r\nconstants and applies some permutations to produce the randomly generated keys used for encryption.\r\nThese keys are encrypted with the master RSA-2048 public key and added to the footer of each file.\r\nTo import an RSA-2048 key, the ransomware decodes it from Base64, then calls CryptDecodeObjectEx() to decode the\r\nstructure of the RSA-2048 key.\r\nAfter getting the value ‘1.2.840.113549.1.1.1’ -- which stands for the RSAES-PKCS1-v1_5 encryption scheme -- Ragnar\r\nLocker imports the public key by using CryptImportPublicKeyInfo().\r\nWith the keys for encryption in hand, the malware next deletes any extant shadow copies by running the following\r\ncommands:\r\nWmic.exe shadowcopy delete\r\nVssadmin delete shadows /all /quiet\r\nRagnar Locker then commences the encryption process in 64 simultaneous threads.\r\nA whitelist includes the following folders, files and extensions to skip during encryption:\r\nThe file names:\r\nThe file extensions:\r\nRagnar Locker uses the Salsa20 encryption algorithm with a custom matrix, which is filled in with generated keys placed in\r\nrearranged order. 
The matrix used for Salsa20 is 64 bytes in size, of which 8 bytes define the stream position, so the\r\nransomware removes 16 bytes from the second key to match the matrix size, and leaves the stream position values\r\nas zero bytes.\r\nRagnar Locker randomizes file extensions per user by retrieving the computername value and passing it to the next piece of\r\ncode.\r\nAs output from the code above, the ransomware gets 8 bytes and creates the ‘ragnar_{computer_id}’ string to append to the\r\nfilename.\r\nThe encrypted file contains the encrypted Salsa20 key data (40+32 bytes) with the signature ‘_RAGNAR_’ added to the\r\nfooter at the very end.\r\nTo complete the ransom note, Ragnar Locker adds a hardcoded company_id encoded with Base64.\r\nThe ransom note file is named RGNR_{computer_id}.txt:\r\n*****************************************************************************************************************\r\n                                              HELLO EDP.com !\r\n If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED\r\n                                              by RAGNAR_LOCKER !\r\n*****************************************************************************************************************\r\n                                              !!!!! 
WARNING !!!!!\r\nDO NOT Modify, rename, copy or move any files or you can DAMAGE them and decryption will be impossible.\r\nDO NOT use any third party or public decryption software, it also may damage files.\r\nDO NOT Shutdown or reset your system\r\n-------------------------------------\r\nThere is ONLY ONE possible way to get back your files - contact us and pay for our special decryption key !\r\nFor your GUARANTEE we will decrypt 2 of your files FOR FREE, as a proof of our capabilities\r\nDon't waste your TIME, the link for contacting us will be deleted if there is no contact made in closest future and you will\r\nnever restore your DATA.\r\nHOWEVER if you will contact us within 2 day since get penetrated - you can get a very SPECIAL PRICE.\r\nATTENTION !\r\nWe had downloaded more than 10TB of data from your fileservers and if you don't contact us for payment, we will publish\r\nit or sell to interested parties.\r\nHere is just a small part of your files that we have, for a proof (use Tor Browser for open the link) :\r\nhttp://p6o7m73ujalhgkiv.onion/?p=171\r\nWe gathered the most sensitive and confidential information about your transactions, billing, contracts, clients and partners.\r\nAnd be assure that if you wouldn't pay,\r\nall files and documents would be publicated for everyones view and also we would notify all your clients and partners about\r\nthis leakage with direct links.\r\nSo if you want to avoid such a harm for your reputation, better pay the amount that we asking for.\r\n=====================================================================================================\r\n! 
HERE IS THE SIMPLE MANUAL HOW TO GET CONTACT WITH US VIA LIVE CHAT !\r\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\r\na) Download and install TOR browser from this site : https://torproject.org\r\nb) For contact us via LIVE CHAT open our website : http://mykgoj7uvqtgl367.onion/client/?\r\n6bECA2b2AFFfBC1Dff0aa0EaaAd468bec0903b5e4Ea58ecde3C264bC55c7389E\r\nc) For visit our NEWS PORTAL with your data, open this website : http://p6o7m73ujalhgkiv.onion/?page_id=171\r\nd) If Tor is restricted in your area, use VPN\r\nWhen you open LIVE CHAT website follow rules :\r\nFollow the instructions on the website.\r\nAt the top you will find CHAT tab.\r\nSend your message there and wait for response (we are not online 24/7, So you have to wait for your turn).\r\n***********************************************************************************\r\n---RAGNAR SECRET---\r\nNmJFQ0EyYjJBRkZmQkMxRGZmMGFhMEVhYUFkNDY4YmVjMDkwM2I1ZTRFYTU4ZWNkZTNDMjY0YkM1NWM3Mzg5RQ==\r\n---RAGNAR SECRET---\r\n***********************************************************************************\r\nRagnar Locker decryption service\r\nIt is not possible to decrypt files without having the master key or decrypter.\r\nThe ransom note provides the address of the leak site, live chat and Ragnar Secret. 
The Ragnar Secret is the\r\n‘company_id’ described above, encoded with Base64.\r\nThe data leak site is used to publish sensitive data stolen from the corporate network before Ragnar Locker is run,\r\nsince the ransomware itself has no network communication.\r\nThe mirrors of the data leak site:\r\nhttp://p6o7m73ujalhgkiv.onion/?page_id=171\r\nhttp://rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion/\r\nhttp://rgleak7op734elep.onion/\r\nThe live chat no longer works once the negotiation phase between the Ragnar Locker operators and the attacked organization\r\nhas finished.\r\nhttp://mykgoj7uvqtgl367.onion/client/?6bECA2b2AFFfBC1Dff0aa0EaaAd468bec0903b5e4Ea58ecde3C264bC55c7389E\r\nDetection of Ragnar Locker by Acronis Cyber Protect\r\nRagnar Locker ransomware is detected and blocked by Acronis Cyber Protection products in multiple layers, for example by\r\nsignatures as well as by behavior detection.\r\nConclusion\r\nRagnar Locker employs advanced defense-evasion techniques to bypass antivirus protection. It uses a small Windows XP\r\nvirtual machine image to launch its payload and encrypt the files on a user’s drive connected as a network drive. 
It poses a\r\nsignificant risk to organizations even with anti-malware solutions installed.\r\nIoCs\r\nMD5(packed): 6d122b4bfab5e75f3ae903805cbbc641\r\nSHA256(packed): 68eb2d2d7866775d6bf106a914281491d23769a9eda88fc078328150b8432bb3\r\nMD5: 6360b252b21fe015d667b093f6497e33\r\nSHA256: 1de475e958d7a49ebf4dc342f772781a97ae49c834d9d7235546737150c56a9c\r\nragnar_{computer_id}\r\n.keys\r\nRGNR_{computer_id}.txt\r\nhttp://mykgoj7uvqtgl367.onion/client/?6bECA2b2AFFfBC1Dff0aa0EaaAd468bec0903b5e4Ea58ecde3C264bC55c7389E\r\nhttp://p6o7m73ujalhgkiv.onion/?page_id=171\r\nhttp://rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion/\r\nhttp://rgleak7op734elep.onion/\r\nSource: https://www.acronis.com/en-sg/articles/ragnar-locker/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.acronis.com/en-sg/articles/ragnar-locker/"
	],
	"report_names": [
		"ragnar-locker"
	],
	"threat_actors": [],
	"ts_created_at": 1775434035,
	"ts_updated_at": 1775791216,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fb74454eb6feb4ae019f654503292a9c3ca25c76.pdf",
		"text": "https://archive.orkl.eu/fb74454eb6feb4ae019f654503292a9c3ca25c76.txt",
		"img": "https://archive.orkl.eu/fb74454eb6feb4ae019f654503292a9c3ca25c76.jpg"
	}
}