Ragnar Locker ransomware has made international headlines lately due to targeted attacks against ADATA, a leading Taiwanese manufacturer of high-performance DRAM modules and NAND Flash products. The first variant of this family appeared in late 2019.
Like many other well-known ransomware variants (such as DarkSide, Avaddon, and REvil), the current variant of Ragnar Locker uses a double extortion technique to encourage victims to pay, where data is both encrypted locally and exfiltrated before the ransom demand is made. If the victim refuses to pay, their data is published to a site located on the dark web at hxxp[:]//p6o7m73ujalhgkiv[.]onion/?BatxqaHm8rKxIP16Z1xB.
Upon visiting Ragnar Locker's dark web site, their latest victims can be seen under their self-dubbed 'wall of shame'. They currently claim to have exfiltrated 1.5TB of data from ADATA. According to the website, this information has been carefully gathered for a long time.
Operating System
Ragnar Locker itself is quite small and low-key, only around 55KB in size. Upon execution, the malware performs a language check on the user's system. If one of the following languages of the former Soviet region is found, the malware immediately terminates:
Azerbaijani, Armenian, Belorussian, Russian, Georgian, Tajik, Moldavian, Turkmen, Kazakh, Uzbek, Kyrgyz, Ukrainian
Ragnar Locker then checks for the following services and stops any it finds:
vss, sql, memtas, mepocs, sophos, veeam, backup, pulseway, logme, logmein, connectwise, splashtop, mysql, Dfs, vmms, vmcompute, Hyper-V
The malware also checks for the following processes and terminates any that are running:
Sql, Mysql, Veeam, Oracle, Ocssd, Dbsnmp, Synctime, Agntsvc, Isqlpussvc, Xfssvccon, Mydesktopservice, Ocautoupds, Encsvc, Firefox, Tbirdconfig, Mydesktopqos, Ocomm, dbeng50, sqbcoreservice, excel, infopath, msaccess, mspub, onenote, outlook, powerpnt, steam, thebat, thunderbird, visio, winword, wordpad, EduLink2SIMS, Bengine, Benetns, Beserver, Pvlsvr, Beremote, VxLockdownServer, Postgres, Fdhost, WSSADMIN, Wsstracing, OWSTIMER, dfssvc.exe, swc_service.exe, Sophos, SAVAdminService, SavService.exe, Hyper-V
Ragnar Locker then deletes shadow copies and backups stored on the victim's computer, to ensure the user can't easily restore their encrypted files (unless they are a member of the Time Variance Authority):
Figure 1: Backup and shadow copy deletion.
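The pre-encryption sequence described above (stop the listed services, kill the listed processes, then delete shadow copies and backups) is a good detection opportunity, because it is noisy and happens before any user file is touched. The Python script below is an added example, not code from this page or from BlackBerry: it runs simple rules over constructed Sysmon-style process-creation lines and raises an alert only when a single parent process performs at least two of the three behaviours, so a lone administrative `sc stop veeam` does not fire. The service and process names are copied from the page's lists; the `net stop`/`sc stop`, `taskkill` and `vssadmin`/`wmic`/`wbadmin`/`bcdedit` command-line patterns are assumptions drawn from common ransomware tradecraft (the page shows the backup deletion only as a screenshot), and the event format, field names and PIDs are made up for the example.

```python
import re
from collections import defaultdict

# Service and process names from the page's two lists (lowercased for matching).
STOPPED_SERVICES = {
    "vss", "sql", "memtas", "mepocs", "sophos", "veeam", "backup", "pulseway", "logme",
    "logmein", "connectwise", "splashtop", "mysql", "dfs", "vmms", "vmcompute", "hyper-v",
}
KILLED_PROCESSES = {
    "sql", "mysql", "veeam", "oracle", "ocssd", "dbsnmp", "synctime", "agntsvc",
    "isqlpussvc", "xfssvccon", "mydesktopservice", "ocautoupds", "encsvc", "firefox",
    "tbirdconfig", "mydesktopqos", "ocomm", "dbeng50", "sqbcoreservice", "excel",
    "infopath", "msaccess", "mspub", "onenote", "outlook", "powerpnt", "steam", "thebat",
    "thunderbird", "visio", "winword", "wordpad", "edulink2sims", "bengine", "benetns",
    "beserver", "pvlsvr", "beremote", "vxlockdownserver", "postgres", "fdhost", "wssadmin",
    "wsstracing", "owstimer", "dfssvc", "swc_service", "sophos", "savadminservice",
    "savservice", "hyper-v",
}

# How the services/processes get stopped and how backups get destroyed. The page shows
# the backup deletion only as a screenshot (Figure 1), so every command-line pattern
# here is an assumption based on common ransomware tradecraft, not a quote from it.
SERVICE_STOP = re.compile(r'(?:^|\s)(?:net1?|sc)(?:\.exe)?\s+stop\s+"?([^\s"/]+)', re.I)
TASKKILL = re.compile(r'taskkill(?:\.exe)?\s.*?/im\s+"?([^\s"]+)', re.I)
BACKUP_DESTRUCTION = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)", re.I),
    re.compile(r"bcdedit(?:\.exe)?\s.*recoveryenabled\s+no", re.I),
]

# Constructed process-creation events in a Sysmon-like key=value layout. Parent PID
# 4120 performs the full pre-encryption sequence; 880 and 2210 are benign noise.
SAMPLE_EVENTS = r"""
ParentProcessId=4120 ParentImage=C:\Users\alice\AppData\Local\Temp\svc.exe Image=C:\Windows\System32\net.exe CommandLine="net stop veeam /y"
ParentProcessId=4120 ParentImage=C:\Users\alice\AppData\Local\Temp\svc.exe Image=C:\Windows\System32\sc.exe CommandLine="sc stop vss"
ParentProcessId=4120 ParentImage=C:\Users\alice\AppData\Local\Temp\svc.exe Image=C:\Windows\System32\taskkill.exe CommandLine="taskkill /F /IM outlook.exe"
ParentProcessId=4120 ParentImage=C:\Users\alice\AppData\Local\Temp\svc.exe Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet"
ParentProcessId=4120 ParentImage=C:\Users\alice\AppData\Local\Temp\svc.exe Image=C:\Windows\System32\wbadmin.exe CommandLine="wbadmin delete catalog -quiet"
ParentProcessId=880 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\net.exe CommandLine="net stop spooler"
ParentProcessId=2210 ParentImage="C:\Program Files\Backup\agent.exe" Image=C:\Windows\System32\sc.exe CommandLine="sc stop veeam"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split one key=value event line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def classify(cmdline):
    """Return (category, target) for a suspicious command line, or None."""
    m = SERVICE_STOP.search(cmdline)
    if m and m.group(1).lower() in STOPPED_SERVICES:
        return ("service_stop", m.group(1).lower())
    m = TASKKILL.search(cmdline)
    if m:
        name = m.group(1).lower().removesuffix(".exe")
        if name in KILLED_PROCESSES:
            return ("process_kill", name)
    for pat in BACKUP_DESTRUCTION:
        if pat.search(cmdline):
            exe = re.split(r"[\\/]", cmdline.split()[0])[-1].lower().removesuffix(".exe")
            return ("backup_destruction", exe)
    return None


def analyze(lines):
    """Group hits by parent PID and alert only when one parent shows >= 2 categories.

    A lone 'sc stop veeam' is routine administration; the same parent stopping backup
    services, killing Office/DB processes and wiping shadow copies is not.
    """
    by_parent = defaultdict(lambda: defaultdict(set))
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        hit = classify(ev.get("CommandLine", ""))
        if hit:
            by_parent[ev.get("ParentProcessId", "?")][hit[0]].add(hit[1])
    return {
        pid: {cat: sorted(targets) for cat, targets in cats.items()}
        for pid, cats in by_parent.items()
        if len(cats) >= 2
    }


if __name__ == "__main__":
    for pid, detail in analyze(SAMPLE_EVENTS.splitlines()).items():
        print(f"ALERT parent pid {pid}: {detail}")
```

The correlation step is the point: any one of these commands is common in legitimate maintenance, but one parent doing two or more of them in sequence is the behaviour the page describes, and it fires before the first '.RAGN@R_9150F85A' file appears.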
Continuing its execution, Ragnar Locker will begin encrypting files, while ignoring the following predefined file extensions:
DB, SYS, DLL, LNK, MSI, DRV, EXE, MUI
It will also avoid encrypting the following specific files:
RAGN@R_9150F85A!.txt, Autorun.inf, Boot.ini, Bootfont.bin, Bootsect.bak, Bootmgr, Bootmgr.efi, Bootmgfw.efi, Desktop.ini, Iconcache.db, Ntldr, Ntuser.dat, Ntuser.dat.log, Ntuser.ini, Thumbs.db
Ragnar Locker walks the infected system but avoids encrypting files under the following directories:
Windows, Windows.old, Tor browser, Internet Explorer, ProgramData, Opera, Opera Software, Mozilla, Mozilla Firefox, $Recycle.Bin, All Users
How Ragnar Locker Ragna-Rocks Your Data
During the encryption process, Ragnar appends a '.RAGN@R_9150F85A' file extension to all affected files:
Figure 2: Files encrypted by Ragnar Locker.
The malware also adds '$$$_RAGNAR_$$$' within the encrypted file itself:
Figure 3: $$$_RAGNAR_$$$ file marker.
Next, a ransom note is dropped into each affected directory. This file is named '!$R4GN4R_9150F85A$!.txt':
Figure 4: Ragnar Locker ransom note drop.
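Taken together, the exclusion lists above and the three on-disk indicators (the '.RAGN@R_9150F85A' extension, the '$$$_RAGNAR_$$$' marker, and the '!$R4GN4R_9150F85A$!.txt' note) are enough to triage a recovered volume: which files were encrypted, where notes were dropped, and which files the malware would have targeted but never touched, which points at where encryption was interrupted or which shares were offline. The Python below is an added example, not code from this page or from BlackBerry. The names and lists are copied from the page; the sample directory tree it builds is constructed for the example, the case-insensitive matching mirrors Windows path semantics but is an assumption about how the malware itself compares names, and the marker is searched across the whole file because the page does not say at what offset it is written.

```python
import tempfile
from pathlib import Path

# On-disk indicators from the page.
ENCRYPTED_EXT = ".RAGN@R_9150F85A"
FILE_MARKER = b"$$$_RAGNAR_$$$"
RANSOM_NOTE = "!$R4GN4R_9150F85A$!.txt"

# Exclusion lists from the page. Matching is case-insensitive, which mirrors Windows
# path semantics; whether the malware compares that way is an assumption.
SKIP_EXTENSIONS = {".db", ".sys", ".dll", ".lnk", ".msi", ".drv", ".exe", ".mui"}
SKIP_FILES = {n.lower() for n in (
    "RAGN@R_9150F85A!.txt", "Autorun.inf", "Boot.ini", "Bootfont.bin", "Bootsect.bak",
    "Bootmgr", "Bootmgr.efi", "Bootmgfw.efi", "Desktop.ini", "Iconcache.db", "Ntldr",
    "Ntuser.dat", "Ntuser.dat.log", "Ntuser.ini", "Thumbs.db",
)}
SKIP_DIRS = {d.lower() for d in (
    "Windows", "Windows.old", "Tor browser", "Internet Explorer", "ProgramData", "Opera",
    "Opera Software", "Mozilla", "Mozilla Firefox", "$Recycle.Bin", "All Users",
)}


def in_scope(rel):
    """True if the malware would encrypt this path (given relative to the volume root)."""
    rel = Path(rel)
    if any(part.lower() in SKIP_DIRS for part in rel.parts[:-1]):
        return False
    if rel.name.lower() in SKIP_FILES:
        return False
    return rel.suffix.lower() not in SKIP_EXTENSIONS


def triage(root):
    """Sort every file under root into encrypted / notes / untouched-in-scope / skipped.

    'untouched_in_scope' is the interesting bucket for IR: files the malware targets
    but did not touch, i.e. where encryption stopped or never reached.
    """
    root = Path(root)
    out = {"encrypted": [], "notes": [], "untouched_in_scope": [], "skipped": []}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root)
        key = rel.as_posix()
        if p.name == RANSOM_NOTE:
            out["notes"].append(key)
        elif p.name.endswith(ENCRYPTED_EXT):
            # The page says the marker sits "within" the file but gives no offset, so the
            # whole file is searched; an extension hit without the marker is recorded as
            # False so a renamed-but-not-encrypted file stands out.
            out["encrypted"].append((key, FILE_MARKER in p.read_bytes()))
        elif in_scope(rel):
            out["untouched_in_scope"].append(key)
        else:
            out["skipped"].append(key)
    return out


def build_sample_tree():
    """Constructed sample volume for the example; none of this is real incident data."""
    root = Path(tempfile.mkdtemp(prefix="ragnar_triage_"))
    files = {
        "Users/alice/Documents/report.docx" + ENCRYPTED_EXT: b"\x8a\x1f\x42 ciphertext " + FILE_MARKER,
        "Users/alice/Documents/" + RANSOM_NOTE: b"Hello, your files have been encrypted.",
        "Users/alice/Documents/budget.xlsx": b"PK\x03\x04 untouched workbook",
        "Users/alice/Desktop/Desktop.ini": b"[.ShellClassInfo]",
        "Users/alice/Downloads/setup.exe": b"MZ",
        "Windows/System32/kernel32.dll": b"MZ",
        "ProgramData/app/cache.db": b"SQLite format 3",
    }
    for rel, data in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    for bucket, entries in triage(build_sample_tree()).items():
        print(f"{bucket}: {entries}")
```

Run it against a mounted image of an affected volume rather than the live host; the skip lists explain why the machine still boots (system directories, EXE/DLL/SYS, boot files are untouched) and the 'untouched_in_scope' bucket is where to look for documents that survived.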
The ransom note informs the infected user that their data has been encrypted and stolen. It also threatens that the stolen data could be published to mass media as breaking news, and that the victim's partners, clients, and investors will be notified of the breach.
The note also mentions the user can decrypt two files for free as proof that their decryption tools work:
Figure 5: Ragnar Locker ransom note.
To get in contact with the Ragnar Locker threat actors, the victim is required to download the Tor browser and open a live chat at the following address:
hxxp[:]//rgngerzxui2kizq6h5ekefneizmn54n4bcjjthyvdir22orayuya5zad[.]onion/client/?bC2aAD71E2976da53FC1Efc3193c8FDeA0BAeF8A37883c9e05d3BFF82CCfE8Ee
The victim can also navigate to Ragnar Locker's homepage - hxxp[:]//p6o7m73ujalhgkiv[.]onion/?BatxqaHm8rKxIP16Z1xB - to view their 'wall of shame':
Figure 6: Ragnar Locker homepage.
The website's 'wall of shame' includes a list of recent victims. The most recent victim at the time of writing was added on June 7, 2021, with the previous one added on June 5, 2021.
ADATA Update
In an email to Bleeping Computer, ADATA confirmed that it was hit by a ransomware attack on May 23, 2021. It responded by taking down all impacted systems and notifying all relevant international authorities of the incident.
At the time of writing, the Ragnar Locker gang has not received a response from ADATA. As ADATA has to date refused to cooperate with Ragnar Locker and pay the ransom demand, download links of the stolen data were made available on Ragnar Locker's leak site on June 16, 2021.
The data includes screenshots of ADATA employees' folders and files, NDA documents, confidential drawings, and more:
Figure 7: Evidence of ADATA's leaked data.
The larger files from the ADATA breach that were hosted on Mega.nz are no longer available for download. They have been removed by Mega.nz for violating their terms of service:
Figure 8: ADATA archived leaked data.
However, the files listed in the image above under the phrase 'The first batck [sic] of files is here' can still be downloaded, as they are not hosted on Mega.nz.
Yara Rule
The following Yara rule was authored by the BlackBerry Threat Research Team to catch the threat described in this document:

```yara
import "pe"

rule Mal_Ransom_Win32_RagnarLocker
strings:
    //\.PHYSICALDRIVE%d
condition:
```
Indicators of Compromise (IoCs)
File System Actions
Modified:
Deleted:
URL for Communications with Ragnar Locker:
Processes
Terminated: sql, mysql, veeam, oracle, ocssd, dbsnmp, synctime, agntsvc, isqlpussvc, xfssvccon, mydesktopservice, ocautoupds, encsvc, firefox, tbirdconfig, mydesktopqos, ocomm, dbeng50, sqbcoreservice, excel, infopath, msaccess, mspub, onenote, outlook, powerpnt, steam, thebat, thunderbird, visio, winword, wordpad, EduLink2SIMS, bengine, benetns, beserver, pvlsvr, beremote, VxLockdownServer, postgres, fdhost, WSSADMIN, wsstracing, OWSTIMER, dfssvc.exe, swc_service.exe, sophos, SAVAdminService, SavService.exe, Hyper-V
Services
Stopped: vss, sql, memtas, mepocs, sophos, veeam, backup, pulseway, logme, logmein, connectwise, splashtop, mysql, Dfs, vmms, vmcompute, Hyper-V
BlackBerry Assistance
If you're battling Ragnar Locker ransomware or a similar threat, you've come to the right place, regardless of your existing BlackBerry relationship.
The BlackBerry Incident Response Team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.
We have a global consulting team standing by to assist you providing around-the-clock support, where required, as well as local assistance. Please contact us here: https://www.blackberry.com/us/en/forms/cylance/handraiser/emergency-incident-response-containment
The BlackBerry Research and Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve.
Disclaimer
BlackBerry Ltd. published this content on 01 July 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 01 July 2021 15:07:45 UTC.