Ragnar Locker

Chris Swagler | March 10th, 2022


The United States Federal Bureau of Investigation (FBI) reported that the Ragnar Locker ransomware group breached 52 organizations’ networks from at least 10 US critical infrastructure sectors as of January of this year. The report was published in a joint TLP: WHITE flash alert in coordination with the Cybersecurity and Infrastructure Security Agency (CISA). The Ragnar Locker ransomware family changes obfuscation techniques frequently to avoid detection and prevention.

Ragnar Locker Targeting Critical Infrastructure

Ragnar Locker ransomware is identified by the file extension “.RGNR_<ID>,” and uses VMProtect, UPX, and custom packing algorithms; the actors deploy it within their own custom Windows XP virtual machine on the target’s site. The malware calls the Windows API GetLocaleInfoW to identify the location of the infected machine and checks for an existing infection so that it does not encrypt the data a second time and corrupt it. The running binary collects the unique machine GUID, operating system product name, and username, then runs them through a custom hashing algorithm to generate a unique identifier of the form <HashedMachineGuid><HashedWindowsProductName>-<HashedUser>-<HashedComputerName><HashedAllDataTogether>.

Ragnar Locker uses Windows APIs, including CreateFileW, DeviceIoControl, GetLogicalDrives, and SetVolumeMountPointA, to identify all attached hard drives, assign a drive letter to any volume that has none so that it becomes accessible, and encrypt the volumes during the final stage of the binary. The malware iterates through all running services and terminates those used by managed service providers (MSPs) to administer networks remotely. Using two different methods, “>vssadmin delete shadows /all /quiet” and “>wmic[.]exe.shadowcopy.delete”, it attempts to delete all Volume Shadow Copies silently so that users cannot recover the encrypted files. Ragnar Locker then encrypts all available files of interest, with both known and unknown extensions, that contain the victim’s valuable data.
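As an added example (not code from the FBI alert or from the original post), the following Python detector flags both shadow-copy deletion methods quoted above when run over process-creation telemetry; the event records are constructed for the example and the field names and rule names are assumptions, not a real EDR schema.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events in the shape of Sysmon Event ID 1 / EDR telemetry.
# These are sample records written for this example, not captured data.
SAMPLE_EVENTS = [
    {"host": "ws-0142", "user": "CORP\\alice", "parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe report.txt"},
    {"host": "srv-fs01", "user": "NT AUTHORITY\\SYSTEM", "parent": "unknown.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "srv-fs01", "user": "NT AUTHORITY\\SYSTEM", "parent": "unknown.exe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic.exe shadowcopy delete"},
    {"host": "srv-db02", "user": "CORP\\backupsvc", "parent": "backupagent.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},   # benign: listing, not deleting
]

# One pattern per deletion method quoted in the alert; case-insensitive so that
# "Delete Shadows" and "DELETE SHADOWS" are caught as well.
SHADOW_DELETE_PATTERNS = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
]

@dataclass
class Finding:
    host: str
    user: str
    rule: str
    cmdline: str

def normalize(cmdline: str) -> str:
    """Collapse runs of whitespace so padded command lines still match."""
    return " ".join(cmdline.split())

def detect_shadow_copy_deletion(events):
    """Return a Finding for every event whose command line deletes Volume Shadow Copies."""
    findings = []
    for ev in events:
        cmd = normalize(ev["cmdline"])
        for rule, pattern in SHADOW_DELETE_PATTERNS:
            if pattern.search(cmd):
                findings.append(Finding(ev["host"], ev["user"], rule, cmd))
    return findings

if __name__ == "__main__":
    for f in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"[{f.rule}] host={f.host} user={f.user} cmd={f.cmdline!r}")
```

In production the same rule should also be tuned against known backup agents, since legitimate software occasionally prunes old shadow copies.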

The flash alert focuses on providing companies with indicators of compromise (IOCs) that allow them to detect and block Ragnar Locker ransomware attacks. The IOCs include information on attack infrastructure, Bitcoin addresses used to collect ransoms, and email addresses used by the threat operators. On compromised enterprise endpoints, the threat operators terminate the remote management software that MSPs use to manage clients’ systems remotely. This helps the threat actors avoid detection and ensures that remotely logged-in admins won’t interfere with or block the ransomware deployment process.

The FBI is asking admins and security professionals to share information related to Ragnar Locker activities with their local FBI Cyber Squad. Information including copies of the ransom notes, ransom demands, malicious activity timelines, and payload samples will help identify the ransomware group’s operators. Additionally, the FBI is encouraging companies not to pay ransom demands, because victims have no guarantee that paying will prevent stolen data leaks or future attacks. Paying the ransom only motivates ransomware groups to target more victims and encourages other cybercrime operations to launch their own attacks. The federal agency recognizes the damage ransomware groups inflict on businesses, which may force executives to pay ransoms to protect their shareholders, customers, or employees.

With ransomware groups targeting multiple US critical infrastructure sectors, it’s more important than ever for companies to remain vigilant about the current threat landscape and to keep their network security posture up to date. At SpearTip, our certified engineers continuously monitor critical infrastructure networks 24/7/365 at our Security Operations Centers, preventing downtime and devastating compromises from ransomware attacks. ShadowSpear, our endpoint detection and response tool, integrates with the most complex networks, works with IT and OT technology, and ensures that critical supplies and processes remain operable. While ransomware operations like Ragnar Locker seek to disrupt critical infrastructure and wreak havoc on businesses, SpearTip is focused on defending our partners from the devastating impacts of malicious threat actors.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
