Ragnar Locker malware: what it is, how it works and how to prevent it | Malware spotlight

Introduction

The popularity of ransomware threats does not appear to be decreasing. Instead, more and sophisticated ransomware threats are being deployed. Ragnar Locker is a new data encryption malware in this style.

Ragnar Locker is a ransomware that affects devices running Microsoft Windows operating systems. It was initially observed towards the end of December 2019 as part of a series of attacks against compromised networks.

In general, this malware is deployed manually after an initial compromise, network reconnaissance and pre-deployed tasks on the network. This shows that this is a more complex operation than most ransomware propagation campaigns.

Before starting the Ragnar Locker ransomware, attackers inject a module capable of collecting sensitive data from infected machines and upload it to their servers. Next, threat actors behind the malware notify the victim the files will be released to the public if the ransom is not paid.

Sponsorships Available

Sponsorships Available

Sponsorships Available

Modus operandi

The next diagram shows how criminals are compromising infrastructures and organizations using this data encryption malware. [CLICK IMAGES TO ENLARGE]

Figure 1: High-level diagram of the Ragnar Locker infection chain.

As highlighted in the diagram above, there is a group of steps executed by Ragnar Locker operators every time an organization or infrastructure is impacted. Digging into the details, attackers first compromise networks, infrastructures and organizations using found vulnerabilities or even through social engineering such as phishing attacks, spearphishing and BEC attacks.

During the compromise process, reconnaissance, pre-deployment tasks and data exfiltration are performed before executing the piece of ransomware (Figure 1 — labels 1 and 2). When the data exfiltration process is completed, a ransomware deploy is performed manually (label 3).

Notice that each malware sample is unique, with the specific ransom note hardcoded inside the malware. The affected group name, the links to the bitcoin wallet and the links to a (Read more...)