Day 12: Ragnar Locker Ransomware

Common Attack Vectors

  • Infected Email Attachments (Macros)
  • Remote Desktop Protocol (RDP)
  • Credential Reuse Attacks
  • Phishing Attacks
  • Business Email Compromise

Vulnerabilities Exploited

  • Microsoft Windows operating system
  • Windows COM Aggregate Marshaler (CVE-2017-0213, elevation of privilege)

Industries Targeted Frequently

Enterprises

Threat actors target enterprises, including Capcom and Campari, stealing sensitive data, encrypting network files, and demanding ransoms.

Manufacturing

Threat actors target manufacturing facilities, including Dassault Falcon Jet, disrupting product distribution.

Critical Infrastructure

Threat actors target critical infrastructure, including the energy giant EDP, impacting businesses that provide services to consumers and other organizations.

Managed Services Providers (MSPs)

Threat actors target MSPs for their connections to other organizations, shutting down servers and undermining customers' trust in the companies that serve them.

Recent Activity

Ragnar Locker ransomware threatened to leak victims’ stolen data if they contacted law enforcement, investigative agencies like the Federal Bureau of Investigation or professional negotiators.

Ragnar Locker stole 700GB of data from ADATA, a Taiwanese memory and storage chip maker, containing sensitive files.

Capcom, a Japanese game developer, was breached by Ragnar Locker stealing 1TB of sensitive data from corporate networks in Japan, the US, and Canada.

Ragnar Locker breached EDP Renewables North America (EDPR NA), a subsidiary of the Portuguese multinational energy company Energias de Portugal (EDP), affecting the parent corporation's systems. They stole 10TB of confidential information.

Common File Extensions

.ragnar_

.RGNR

Known Alias

  • RagnarLocker

How Ragnar Locker Ransomware is Distributed

Threat actors typically gain initial access through an exposed Remote Desktop Protocol (RDP) service, brute-forcing their way in by guessing weak passwords or logging in with stolen credentials purchased on the dark web. They then perform second-stage reconnaissance inside the network and exploit CVE-2017-0213, an elevation-of-privilege vulnerability in the Windows COM Aggregate Marshaler, to run arbitrary code and escalate privileges.

Once they hold elevated privileges, the attackers install Oracle VirtualBox and boot a Windows XP image inside it, mapping all of the host's local drives into the virtual machine. The ransomware runs inside the guest, where host-based security tools cannot see its activity, yet it can still reach and encrypt every file on the mapped drives.

Before encryption begins, the operators delete any existing volume shadow copies, disable antivirus countermeasures, and use PowerShell scripts to push the ransomware from one company network asset to the next. They also steal sensitive files and upload them to their own servers before Ragnar Locker is deployed, so that the data can be used for extortion even if the victim restores from backup. Ragnar Locker goes to the extent of removing remote administration tools from the environment, preventing remote IT staff from regaining access: it enumerates the running services and terminates those used by managed service providers (MSPs). Consistent with the threat described above, the operators do not respond when contacted by professional negotiation firms.
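The stages above leave distinct traces in Windows telemetry: a burst of failed RDP logons from one source, shadow copy deletion, VirtualBox sharing an entire drive root into a guest and starting it headless, and service or process kills aimed at remote management agents. The script below is an added example, not code from the original page or from SpearTip; it runs a few rules over a small set of constructed, simplified Security 4625 (failed logon) and Sysmon event ID 1 (process creation) records and scores hosts by how many distinct stages they show. The field names, thresholds, regex patterns and the process name rmm_agent.exe are assumptions of this example, not a vendor schema or published signatures.

```python
"""Hunting for the Ragnar Locker tradecraft described above in Windows telemetry.

Added example (not from the original page or from SpearTip).  The event dicts
are a constructed, simplified rendering of Windows Security event 4625 and
Sysmon event 1 records; field names, thresholds and rules are assumptions of
this example, not a vendor schema or published signatures.
"""
import re
from collections import defaultdict

# Initial access: repeated failed RDP logons (logon type 10) from one source.
RDP_FAIL_THRESHOLD = 5      # failures from one source ...
RDP_WINDOW_SECONDS = 60     # ... within this many seconds

# Post-exploitation stages from the text, keyed by rule name.  The drive-mapping
# rule fires only when a whole drive root is shared into the guest, which is
# what mapping "all local drives" looks like; sharing a sub-folder, as a
# developer running VirtualBox legitimately might, is left alone.
CMDLINE_RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "vbox_drive_mapping": re.compile(
        r'sharedfolder\s+add\b.*--hostpath\s+"?[a-z]:\\?"?(\s|$)', re.I),
    "vbox_headless_start": re.compile(r"vboxheadless(\.exe)?\s+--?startvm\b", re.I),
    "service_stop": re.compile(
        r"\b(sc|net)(\.exe)?\s+stop\b|\btaskkill(\.exe)?\s+/f\b", re.I),
}


def detect_rdp_bruteforce(events):
    """Return {(host, src_ip): total_failures} for sources that exceed the
    failed-RDP-logon threshold inside a sliding window."""
    by_src = defaultdict(list)
    for e in events:
        if e.get("event_id") == 4625 and e.get("logon_type") == 10:
            by_src[(e["host"], e["src_ip"])].append(e["ts"])
    hits = {}
    for key, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > RDP_WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= RDP_FAIL_THRESHOLD:
                hits[key] = len(times)
                break
    return hits


def detect_cmdline_rules(events):
    """Return (host, rule_name, cmdline) for every process-creation event whose
    command line matches one of CMDLINE_RULES."""
    hits = []
    for e in events:
        if e.get("event_id") != 1:
            continue
        cmd = e.get("cmdline", "")
        for name, pattern in CMDLINE_RULES.items():
            if pattern.search(cmd):
                hits.append((e["host"], name, cmd))
    return hits


def score_host(events):
    """Combine all rules per host.  One rule alone is noisy (admins do stop
    services); several distinct stages on the same host is the real signal."""
    stages = defaultdict(set)
    for (host, _src), _count in detect_rdp_bruteforce(events).items():
        stages[host].add("rdp_bruteforce")
    for host, rule, _cmd in detect_cmdline_rules(events):
        stages[host].add(rule)
    return {host: sorted(s) for host, s in stages.items()}


# Constructed sample telemetry (not real logs): one file server under attack
# and one developer workstation using VirtualBox legitimately.
def _fail(ts, src):
    return {"event_id": 4625, "host": "fs01", "logon_type": 10,
            "src_ip": src, "user": "administrator", "ts": ts}


def _proc(host, cmdline):
    return {"event_id": 1, "host": host, "cmdline": cmdline}


SAMPLE_EVENTS = (
    [_fail(t, "203.0.113.45") for t in range(0, 60, 10)]   # 6 failures in 50 s
    + [_fail(300, "198.51.100.7")]                          # a single typo, benign
    + [
        _proc("fs01", "vssadmin delete shadows /all /quiet"),
        _proc("fs01", "VBoxManage sharedfolder add micro --name C_DRIVE "
                      "--hostpath C:\\ --automount"),        # whole C: drive
        _proc("fs01", "VBoxHeadless --startvm micro"),
        _proc("fs01", "taskkill /f /im rmm_agent.exe"),       # hypothetical MSP agent
        _proc("dev01", r"VBoxManage sharedfolder add devvm --name src "
                       r"--hostpath C:\Users\dev\src"),       # sub-folder, benign
        _proc("dev01", "VBoxManage list vms"),
    ]
)

if __name__ == "__main__":
    for host, stages in score_host(SAMPLE_EVENTS).items():
        print(f"{host}: {len(stages)} stages -> {', '.join(stages)}")
```

Run as a script it reports fs01 with five stages and says nothing about dev01, which is the point of scoring per host rather than alerting on each rule: the developer's shared folder and the attacker's drive-root mapping both come from VBoxManage, and only the combination with RDP brute force, shadow copy deletion and process kills separates them.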

ShadowSpear

SpearTip’s ShadowSpear platform defends your environment with unparalleled resources preventing cybersecurity threats and attacks from affecting your business. ShadowSpear integrates with cloud, network and endpoint devices providing security. ShadowSpear prevents ransomware from exploiting memory, stopping the threat before the full attack cycle. The ShadowSpear Platform is backed by the engineers in our 24/7 Security Operations Centers, ready to assist partners with security issues immediately.