Our Friends at Fortinet have provided its latest technical analysis of the Ragnar Locker ransomware.
Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts files on the compromised machine and demands ransom for file decryption
Severity level: High
Ragnar Locker is ransomware for Windows and Linux that exfiltrates information from a compromised machine, encrypts files using the Salsa20 encryption algorithm, and demands that victims pay a ransom to recover their data. The Ragnar Locker group is known to employ a double extortion tactic. The ransom payment is not only for recovering affected files but also to prevent releasing that stolen information to the public. This group also claims that victims who meet their financial demands will receive information on how the attacker was able to compromise them, along with recommendations for security improvement as a bonus.
In addition to encrypting data, the ransomware deletes volume shadow copies, inhibiting the victim’s ability to recover affected files. It also checks for services such as: vss, sql, veeam, logmein, etc., and terminates them if found. While infection vectors of Ragnar Locker ransomware vary from victim to victim, compromising the victim’s network through RDP services exposed to the internet using brute forcing techniques and leaked credentials is believed to be one of the initial attack vectors. CVE-2017-0213 (Windows COM Elevation of Privilege Vulnerability) is then reportedly leveraged for privilege escalation and lateral movement. While the exact number of Ragnar Locker victims has not been identified, at least 16 companies have been listed on its leak site so far this year. Victims’ locales include North America, Europe, and Asia.
Ragnar Locker’s preferred payment method is Bitcoin. They ask a victim to first transfer one Bitcoin to the attacker’s wallet, which is revealed during negotiation, to confirm the transaction worked. The group also asks its victims not to hire professional negotiators, threatening to leak any stolen information if they become aware of the presence of law enforcement.
Link to full report: IR-22-263-001_RagnarLocker.pdf