The FBI first reported on the RagnarLocker ransomware in April 2020. New Indicators of Compromise (IOCs) were shared in a recent FBI Flash Report and in other reports.
RagnarLocker attempts to bypass endpoint protection by executing its malicious code inside a Windows XP virtual machine. Before the ransomware encrypts data, it copies it to attacker-controlled servers.
The attackers demand a ransom for the encrypted data and threaten to publish sensitive information if the ransom is not paid. For that situation we recommend the article “Hacked – What to do”.
The ransomware leaves behind encrypted files with the file extension “.RGNR_” followed by an ID; the ID is a hash of the computer’s NetBIOS name.
It also drops a text file with instructions on how to pay the ransom and decrypt the data.
Checking the set language
Certain regions are deliberately not targeted by the ransomware. It therefore calls the Windows API function GetLocaleInfoW to determine the language of the infected machine. If the computer’s locale corresponds to Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Russia, Turkmenistan, Uzbekistan, Ukraine or Georgia, the process terminates.
The ransomware enumerates all connected hard disks using several functions and assigns drive letters to volumes that do not already have one so that it can access them. The newly assigned volumes are also encrypted in the final step.
Processes and Shadow Copies
The ransomware continuously identifies and terminates processes of remote administration tools used by service providers to manage computers. It also tries to delete all volume shadow copies, which would otherwise allow the user to restore the encrypted files afterwards.
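The two behaviours just described (killing remote-administration processes and deleting volume shadow copies) are visible in process-creation telemetry. The following detection logic is an added example and not code from the original report; it runs over a constructed, simplified process-creation record (timestamp, image, command line, parent) of the kind Sysmon Event ID 1 or Windows Event 4688 provides. The shadow-copy command lines are widely documented methods and the remote-administration image names are illustrative assumptions, not indicators from the report.

```python
import re
from dataclasses import dataclass

# Command lines that destroy restore points. These are common, publicly
# documented methods and an assumption of this example, not report IOCs.
SHADOW_COPY_DELETION = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"Win32_ShadowCopy.*(Delete\(\)|Remove-WmiObject)", re.I),
]

# Forced termination of a named process. Which remote-administration tools to
# watch is site-specific; the set below is an illustrative assumption.
TASKKILL = re.compile(r"taskkill(\.exe)?\s+.*?/im\s+(\S+)", re.I)
REMOTE_ADMIN_IMAGES = {"teamviewer.exe", "anydesk.exe", "screenconnect.clientservice.exe"}

# Constructed sample log, format: ts|image|command line|parent image
SAMPLE_LOG = r"""2020-04-01T10:00:01|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs|services.exe
2020-04-01T10:02:13|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet|cmd.exe
2020-04-01T10:02:14|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete|cmd.exe
2020-04-01T10:02:20|C:\Windows\System32\taskkill.exe|taskkill /f /im TeamViewer.exe|cmd.exe
2020-04-01T10:03:00|C:\Windows\System32\notepad.exe|notepad.exe readme.txt|explorer.exe
"""


@dataclass
class Finding:
    ts: str
    rule: str
    cmdline: str


def parse_event(line: str):
    """Split one constructed record into (ts, image, cmdline, parent) or None."""
    parts = line.split("|", 3)
    return parts if len(parts) == 4 else None


def analyse(log_text: str):
    """Return one Finding per process-creation event that matches a rule."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        ts, _image, cmdline, _parent = ev
        if any(p.search(cmdline) for p in SHADOW_COPY_DELETION):
            findings.append(Finding(ts, "shadow-copy-deletion", cmdline))
            continue
        m = TASKKILL.search(cmdline)
        if m and m.group(2).lower() in REMOTE_ADMIN_IMAGES:
            findings.append(Finding(ts, "remote-admin-tool-killed", cmdline))
    return findings


def ransomware_like(findings) -> bool:
    """Both behaviours on the same host are a far stronger signal than either alone."""
    rules = {f.rule for f in findings}
    return {"shadow-copy-deletion", "remote-admin-tool-killed"} <= rules


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for f in found:
        print(f.ts, f.rule, f.cmdline)
    print("ransomware-like:", ransomware_like(found))
```

Shadow-copy deletion alone also occurs during legitimate administration, which is why the combined verdict in `ransomware_like` is worth alerting on at a higher severity than the individual rules.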
Finally, the ransomware encrypts all accessible files it considers “interesting”. Certain folders and file extensions are exempt from encryption:
folders such as Windows, Windows.old, Mozilla and ProgramData, and files with the extensions .db, .sys, .dll, .lnk, .msi, .drv and .exe are not encrypted.
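The renamed-file artifact (the “.RGNR_<ID>” extension, with the ID derived from the NetBIOS name) and the exclusion list above together determine what an incident responder should expect to find on an affected volume. The triage helper below is an added example, not code from the original report; it assumes the ID is rendered as hexadecimal (the report only says it is a hash) and the sample paths are constructed.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Extension pattern: ".RGNR_" followed by the per-host ID. Hex digits are an
# assumption; the report only states that the ID is a hash of the NetBIOS name.
ENCRYPTED_RE = re.compile(r"\.RGNR_([0-9A-Fa-f]+)$")

# Folders and extensions the report says are left untouched.
SKIPPED_FOLDERS = {"windows", "windows.old", "mozilla", "programdata"}
SKIPPED_EXTENSIONS = {".db", ".sys", ".dll", ".lnk", ".msi", ".drv", ".exe"}

# Constructed sample listing from a workstation plus a network share.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.RGNR_1A2B3C4D",
    r"C:\Users\alice\Documents\notes.txt.RGNR_1A2B3C4D",
    r"\\fileserver\share\contract.pdf.RGNR_1A2B3C4D",
    r"\\fileserver\share\plan.docx.RGNR_9F8E7D6C",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\ProgramData\app\config.json",
    r"C:\Users\alice\Desktop\tool.exe",
    r"C:\Users\alice\Pictures\photo.jpg",
]


def encrypted_id(path: str):
    """Return the host ID if the file name carries the RagnarLocker extension, else None."""
    m = ENCRYPTED_RE.search(PureWindowsPath(path).name)
    return m.group(1) if m else None


def would_be_skipped(path: str) -> bool:
    """True if the report's exclusion rules would leave this file untouched."""
    p = PureWindowsPath(path)
    folders = {part.lower() for part in p.parts[1:-1]}  # drop drive anchor and file name
    if folders & SKIPPED_FOLDERS:
        return True
    return p.suffix.lower() in SKIPPED_EXTENSIONS


def triage(paths):
    """Classify paths from an affected volume.

    encrypted - paths carrying the extension
    ids       - Counter of host IDs seen; more than one ID on a shared folder
                means several infected hosts wrote to it (the ID is per host)
    skipped   - paths the exclusion rules protect (expected to be intact)
    untouched - in-scope paths without the extension (encryption may have been
                interrupted, or the file was locked at the time)
    """
    out = {"encrypted": [], "ids": Counter(), "skipped": [], "untouched": []}
    for path in paths:
        host_id = encrypted_id(path)
        if host_id:
            out["encrypted"].append(path)
            out["ids"][host_id] += 1
        elif would_be_skipped(path):
            out["skipped"].append(path)
        else:
            out["untouched"].append(path)
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_PATHS)
    for key in ("encrypted", "skipped", "untouched"):
        print(key, len(result[key]))
    print("host IDs:", dict(result["ids"]))
```

Files listed as `untouched` are the first place to look for recoverable data, and a second host ID on a share tells the responder that containment has to cover more than one machine.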
Recommendations for action with RagnarLocker
- We strongly recommend monitoring outgoing connections from your IT network and devices for contact with the IP addresses listed below.
- Signatures for the malware are known. Check whether all antivirus solutions and endpoint protection services in use have these signatures, and use them to scan all files on all systems.
- Email addresses are known in connection with attacks and extortion attempts; check whether contact attempts have been made from these addresses.
Indicators of Compromise
Below is an overview of the publicly available IOCs. From various sources we regularly obtain classified IOCs that may not be published here. Please do not hesitate to contact us if you are an employee of a KRITIS company or have a compelling need for further IOCs.
RagnarLocker Executable (SHA256)
IP addresses / URLs:
| 18.104.22.168 | 22.214.171.124 (URL: izugz.envisting.xyz) |
Email addresses:
| email@example.com (linked by SMS) | firstname.lastname@example.org |
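The recommendations above ask for two checks: outgoing connections to the listed addresses, and inbound mail from the listed senders. The matcher below is an added example and not code from the original report. The indicator values are the ones in the table above; the connection log format, the mail headers, the internal network ranges and the 500 MiB exfiltration threshold are constructed assumptions for the example (the report states that data is copied to attacker servers before encryption, which is why large outbound transfers to unknown hosts are flagged as well).

```python
import ipaddress
import re

# Indicator values from the table above.
IOC_IPS = {"18.104.22.168", "22.214.171.124"}
IOC_DOMAINS = {"izugz.envisting.xyz"}
IOC_EMAILS = {"email@example.com", "firstname.lastname@example.org"}

# Assumed internal address space; adjust to your own network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXFIL_THRESHOLD = 500 * 1024 * 1024  # assumed: 500 MiB to one external host

# Constructed connection-log format: one connection per line, key=value fields.
FW_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>[^:\s]+)(?::(?P<port>\d+))?"
    r"(?:\s+bytes_out=(?P<bytes_out>\d+))?"
)
ADDR_RE = re.compile(r"^(?:From|Reply-To):.*?([\w.+-]+@[\w.-]+)", re.I | re.M)

SAMPLE_FW_LOG = """\
2020-04-02T08:00:00Z src=10.0.0.15 dst=203.0.113.10:443 bytes_out=4096
2020-04-02T08:00:05Z src=10.0.0.15 dst=22.214.171.124:443 bytes_out=1024
2020-04-02T08:00:07Z src=10.0.0.15 dst=izugz.envisting.xyz:80 bytes_out=512
2020-04-02T08:30:00Z src=10.0.0.15 dst=198.51.100.7:443 bytes_out=734003200
2020-04-02T08:31:00Z src=10.0.0.22 dst=10.0.0.1:445 bytes_out=734003200
"""

SAMPLE_MAIL = """\
From: IT Support <helpdesk@corp.example>
Subject: maintenance window

From: "Ragnar" <email@example.com>
Reply-To: firstname.lastname@example.org
Subject: your files
"""


def _is_external(host: str) -> bool:
    """True for addresses outside INTERNAL_NETS; hostnames are treated as external."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL_NETS)


def match_connections(log_text: str):
    """Return (ts, src, dst, reason) for IOC hits and large external transfers."""
    hits = []
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        dst = m["dst"]
        if dst in IOC_IPS or dst.lower() in IOC_DOMAINS:
            hits.append((m["ts"], m["src"], dst, "ioc-match"))
        elif m["bytes_out"] and int(m["bytes_out"]) >= EXFIL_THRESHOLD and _is_external(dst):
            hits.append((m["ts"], m["src"], dst, "large-outbound-transfer"))
    return hits


def match_mail_senders(headers_text: str):
    """Return the listed indicator addresses found in From:/Reply-To: headers."""
    found = {a.lower() for a in ADDR_RE.findall(headers_text)}
    return sorted(found & IOC_EMAILS)


if __name__ == "__main__":
    for hit in match_connections(SAMPLE_FW_LOG):
        print(*hit)
    print("mail senders:", match_mail_senders(SAMPLE_MAIL))
```

A hit on the domain indicator only appears if the proxy or DNS log records host names; pure firewall logs will show the resolved address instead, so both forms are kept in the indicator sets.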
- Create backups of your systems at regular intervals
- Store these backups offline
- Keep your systems up-to-date with the latest patches
- Disable unused external services
- Only allow e-mail attachments that are absolutely necessary
- Open only trusted e-mails