
RagnarLocker Ransomware


The FBI first became aware of the RagnarLocker ransomware in April 2020. New Indicators of Compromise (IoCs) were shared in an FBI Flash report published in March 2022 and in other public reports.

General information

RagnarLocker attempts to bypass endpoint protection by running its malicious code inside a Windows XP virtual machine (deployed with VirtualBox): the host's security tools only see the hypervisor process accessing the shared drives, not the ransomware itself. Before encrypting the data, the attackers copy it to servers under their control.

The attackers demand a ransom for decrypting the data and threaten to publish the stolen information if it is not paid. If you are affected, we recommend our article “Hacked – What to do“.


Technical details

The ransomware leaves behind encrypted files with the extension “.RGNR_<ID>”, where <ID> is a hash of the computer's NETBIOS name.

It also drops a text ransom note with instructions on how to pay the ransom and decrypt the data.

Checking the system language

Certain regions are deliberately spared by the ransomware. It therefore calls the Windows API GetLocaleInfoW to determine the language of the infected machine. If the locale corresponds to Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Russia, Turkmenistan, Uzbekistan, Ukraine or Georgia, the process terminates without encrypting anything.

Volume identification

All attached hard disks and volumes are enumerated via Windows API calls. Volumes that have no drive letter are assigned one so that they become accessible.

These newly mounted volumes are encrypted in the final step as well, so data that was hidden from Explorer is not safe.

Processes and Shadow Copies

The ransomware identifies and terminates processes and services commonly used by managed service providers to administer computers remotely, so that they can neither interfere with nor alert on the encryption. It also attempts to delete all volume shadow copies (typically via vssadmin.exe and WMIC), removing the local restore points a user could otherwise use to recover the encrypted files.
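Shadow copy deletion is the most reliably detectable step of the behaviour described above, because it has to go through a handful of well-known command lines. The following is an added example (not ProSec's or the malware's code) that runs such a detection over a constructed sample of process-creation events, the fields a Windows Security event 4688 or Sysmon Event ID 1 record would provide. The vssadmin.exe and WMIC command-line forms are the commonly observed ones; the "suspicious parent" heuristic (launcher located in a user-writable path) is an added assumption, not something the advisory states.

```python
"""Detect Volume Shadow Copy deletion in process-creation telemetry.

Added example for this article, not ProSec's or the malware's code. The
sample events are constructed. Matched command lines are the common
vssadmin.exe / WMIC forms of shadow copy deletion; the user-writable-parent
heuristic is an assumption added here.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    parent_image: str
    command_line: str


# Case-insensitive, tolerant of an optional ".exe", a quoted full path and
# extra switches (/all /quiet) between the tokens.
SHADOW_DELETE_RULES = {
    "vssadmin_delete_shadows": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(
        r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
}

# Secondary indicator (assumption): legitimate administration does not launch
# these tools from a profile, Temp or Downloads directory.
USER_WRITABLE_PARENT = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData|Downloads)\\|\\Temp\\", re.I)

# Constructed sample events: (host, parent image, command line).
SAMPLE_EVENTS = [
    ("FS01", r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\vssadmin.exe" list shadows'),
    ("FS01", r"C:\Users\svc_backup\AppData\Local\Temp\ragnar.exe",
     r"vssadmin.exe delete shadows /all /quiet"),
    ("FS01", r"C:\Users\svc_backup\AppData\Local\Temp\ragnar.exe",
     r"wmic.exe shadowcopy delete"),
    ("WS07", r"C:\Windows\System32\cmd.exe",
     r"wmic.exe os get caption"),
]


def detect_shadow_copy_deletion(events):
    """Return one Finding per event whose command line deletes shadow copies.

    `events` is an iterable of (host, parent_image, command_line) tuples.
    The rule name gets a '+suspicious_parent' suffix when the launching
    process sits in a user-writable location.
    """
    findings = []
    for host, parent, cmdline in events:
        for rule, pattern in SHADOW_DELETE_RULES.items():
            if pattern.search(cmdline):
                if USER_WRITABLE_PARENT.search(parent):
                    rule += "+suspicious_parent"
                findings.append(Finding(host, rule, parent, cmdline))
                break  # one finding per event is enough
    return findings


if __name__ == "__main__":
    for f in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"[{f.host}] {f.rule}: {f.command_line!r} (parent {f.parent_image})")
```

Listing shadow copies is left unflagged on purpose; backup software does that routinely, while deletion of all shadows from a process in a Temp directory warrants an immediate response, not a ticket.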

Encryption

Finally, the ransomware encrypts all accessible files of interest. Rather than choosing which files to encrypt, it chooses which folders and file types to skip.

Folders such as Windows, Windows.old, Mozilla and ProgramData, and files with the extensions .db, .sys, .dll, .lnk, .msi, .drv and .exe, are not encrypted. This keeps the operating system bootable so that the victim can read the ransom note and pay.
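The skip rules above and the file extension from the technical details are what an incident responder actually works with on a compromised file server. The following added example (not ProSec's or the malware's code) implements both: a check whether a given path falls inside the ransomware's scope, and a hunt that walks a directory tree for the “.RGNR_<ID>” extension and groups hits by ID. Two assumptions are made that the advisory does not state: a skipped folder name anywhere in the path exempts the file, and <ID> is alphanumeric. The sample tree is constructed in a temporary directory.

```python
"""RagnarLocker's skip rules and a hunt for its file extension.

Added example for this article (not ProSec's or the malware's code). It
implements the advisory's skip list (listed folders and extensions are left
alone, everything else is in scope) and searches for the ".RGNR_<ID>"
extension. Assumptions: a skipped folder name anywhere in the path exempts
the file, and <ID> is alphanumeric. The sample tree is constructed.
"""
import os
import re
import tempfile
from collections import defaultdict

# Folders and extensions the advisory says are never encrypted. Matching is
# case-insensitive; "Program Data" appears on the page, "ProgramData" on disk.
SKIPPED_FOLDERS = {"windows", "windows.old", "mozilla", "programdata", "program data"}
SKIPPED_EXTENSIONS = {".db", ".sys", ".dll", ".lnk", ".msi", ".drv", ".exe"}

# Encrypted files end in ".RGNR_<ID>", <ID> being a hash of the NETBIOS name.
ENCRYPTED_NAME = re.compile(r"\.RGNR_(?P<id>[A-Za-z0-9]+)$")


def would_be_encrypted(path: str) -> bool:
    """True if the skip rules do not exempt `path` (Windows or POSIX separators)."""
    parts = [p for p in re.split(r"[\\/]+", path) if p]
    folders, name = parts[:-1], parts[-1]
    if any(f.lower() in SKIPPED_FOLDERS for f in folders):
        return False
    return os.path.splitext(name)[1].lower() not in SKIPPED_EXTENSIONS


def find_encrypted(root: str) -> dict:
    """Walk `root` and return {ID: [paths]} for files with a .RGNR_<ID> extension.

    More than one ID under a single root means more than one infected host
    wrote there, the usual picture on a file share hit from several clients.
    """
    hits = defaultdict(list)
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            m = ENCRYPTED_NAME.search(fn)
            if m:
                hits[m.group("id")].append(os.path.join(dirpath, fn))
    return dict(hits)


def build_sample_tree() -> str:
    """Create a constructed sample tree in a temp directory and return its root."""
    root = tempfile.mkdtemp(prefix="rgnr_hunt_")
    files = [
        "Windows/System32/kernel32.dll",          # skipped folder and extension
        "Users/alice/Desktop/tool.exe",           # skipped extension
        "Users/alice/Documents/report.docx.RGNR_A1B2C3D4",
        "Users/alice/Documents/budget.xlsx.RGNR_A1B2C3D4",
        "Shares/finance/plan.pdf.RGNR_F00DBABE",  # written by a second host
        "Shares/finance/readme.txt",              # untouched file
    ]
    for rel in files:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"sample")
    return root


if __name__ == "__main__":
    for p in (r"C:\Users\alice\Documents\report.docx", r"C:\Windows\System32\kernel32.dll"):
        print(f"{p}: {'in scope' if would_be_encrypted(p) else 'skipped'}")
    for victim_id, paths in find_encrypted(build_sample_tree()).items():
        print(f"ID {victim_id}: {len(paths)} encrypted file(s)")
```

Run `find_encrypted` against a mounted copy of the share, never against the live system, and note that the number of distinct IDs is a quick lower bound on how many hosts executed the payload.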


Recommendations for action with RagnarLocker

  • We strongly recommend monitoring outbound connections from your network and devices for contact with the IP addresses and the domain listed under Indicators of Compromise below, e.g. in firewall, proxy and DNS logs.
  • Signatures for the malware are publicly available. Verify that every antivirus and endpoint protection product in use has them, and run a full scan of all systems with those signatures.
  • Several e-mail addresses are known from attacks and extortion attempts. Check mail gateway logs and mailboxes for contact attempts from these addresses.
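The first and third recommendations are a matching exercise over whatever logs you have. The following added example (not part of the original page) pulls IPv4 addresses, host names and e-mail addresses out of arbitrary log lines and checks them against a subset of the IoCs from the Indicators of Compromise section of this article. The firewall, proxy and mail-gateway lines are constructed; because real log formats vary widely, extraction is regex-based rather than a parser for any one product.

```python
"""Match log lines against the RagnarLocker IoCs listed in this article.

Added example, not part of the original page. The IoC values are a subset
copied from the article's Indicators of Compromise section; the log lines
are constructed.
"""
import ipaddress
import re

# Subset of the published IoCs.
IOC_IPS = {ipaddress.ip_address(a) for a in (
    "185.138.164.18", "45.144.29.2", "45.90.59.131", "193.42.36.53",
    "23.227.202.72", "5.45.65.52", "79.141.160.43",
)}
IOC_DOMAINS = {"izugz.envisting.xyz"}
IOC_EMAILS = {"shingxuan7110@protonmail.com", "scanjikoon@yahoo.com"}

# Loose extractors; validity of IPs is checked with ipaddress afterwards.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOSTNAME = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", re.I)

# Constructed sample: firewall (key=value), proxy (CSV) and mail-gateway lines.
SAMPLE_LOG_LINES = [
    "2022-03-08T10:14:02Z action=allow src=10.20.1.55 dst=45.90.59.131 dport=443 proto=tcp",
    "2022-03-08T10:14:05Z action=allow src=10.20.1.55 dst=142.250.185.78 dport=443 proto=tcp",
    "2022-03-08T10:15:11Z action=deny src=10.20.1.90 dst=79.141.160.43 dport=80 proto=tcp",
    "2022-03-08T10:16:00Z,10.20.1.55,GET,http://izugz.envisting.xyz/update,200",
    "2022-03-08T10:16:03Z,10.20.1.12,GET,https://www.microsoft.com/,200",
    '2022-03-08T09:58:40Z from=scanjikoon@yahoo.com to=cfo@example.com subject="Your files"',
]


def scan_lines(lines):
    """Return (line_no, kind, value) for every IoC hit; line numbers start at 1."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4.findall(line):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:       # e.g. 999.1.1.1 matched by the loose regex
                continue
            if addr in IOC_IPS:
                hits.append((n, "ip", ip))
        for host in HOSTNAME.findall(line):
            if host.lower() in IOC_DOMAINS:
                hits.append((n, "domain", host.lower()))
        for mail in EMAIL.findall(line):
            if mail.lower() in IOC_EMAILS:
                hits.append((n, "email", mail.lower()))
    return hits


if __name__ == "__main__":
    for line_no, kind, value in scan_lines(SAMPLE_LOG_LINES):
        print(f"line {line_no}: {kind} IoC {value}")
```

A denied connection (line 3 of the sample) is still a finding: the host tried to reach the address, so it needs triage even though the firewall blocked it. IP-based IoCs age quickly and some addresses sit on shared hosting, so treat a hit as a lead to investigate, not as proof of infection.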

Indicators of Compromise

Below is an overview of the publicly available IoCs. We also regularly classify IoCs from other sources that are not published here. If you work for a KRITIS operator (German critical infrastructure) or have a compelling need for further IoCs, please do not hesitate to contact us.


RagnarLocker executable (SHA256)

IP addresses

185.138.164.18
185.172.129.215
45.144.29.2
23.106.122.192
45.90.59.131
149.28.200.140
193.42.36.53
45.63.89.250
190.211.254.181
142.44.236.38
37.120.238.107
95.216.196.181
162.55.38.44
116.203.132.32
49.12.212.231
193.42.39.10
193.111.153.24
178.32.222.98
23.227.202.72
159.89.163 (truncated in source)
50.201.185.11
47.35.60.92
108.26.193.165
108.56.142.135
198.12.81.56
198.12.127.199
45.91.93.75
217.25.93.106
45.146.164.193
89.40.10.25
5.45.65.52
79.141.160.43 (URL: izugz.envisting.xyz)

Bitcoin addresses

19kcqKevFZhiX7NFLa5wAw4JBjWLcpwp3e
1CG8RAqNaJCrmEdVLK7mm2mTuuK28dkzCU
151Ls8urp6e2D1oXjEQAkvqogSn3TS8pp6

Email addresses

ShingXuan7110@protonmail.com
scanjikoon@yahoo.com
alexeyberdin17@gmail.com (linked by SMS)
titan_fall572cool@gmail.com
Vivopsalrozor@yahoo.com
Gamarjoba@mail.com
back.shadow98@gmail.com (cookie-linked)
michael.shawn.brown2@gmail.com
Alexey_Berdin@list.ru
sh0d44n@gmail.com
alexeyberdin437@gmail.com
alexeyberdin38@gmail.com
alexeyberbi@gmail.com

More recommendations

  • Create backups of your systems at regular intervals
  • Store these backups offline, so that ransomware running on the network cannot reach them
  • Keep your systems up-to-date with the latest patches
  • Disable unused external services
  • Only allow e-mail attachments that are absolutely necessary
  • Open only e-mails and attachments from trusted senders

Last updated on March 11, 2022
