The FBI first reported on the RagnarLocker ransomware in April 2020. New indicators of compromise were shared in a recent FBI flash report and other reports.
The RagnarLocker ransomware evades endpoint protection by running its malicious code inside a Windows XP virtual machine. Before the ransomware encrypts the data, it copies the data to attacker-controlled servers.
The attackers demand a ransom for the encrypted data and threaten to publish sensitive information if the ransom is not paid. For this situation we recommend the article “Hacked – What to do”.
The ransomware leaves behind encrypted files with the file extension “.RGNR_” followed by an ID, which is a hash of the computer's NetBIOS name.
The ransomware also leaves a text message with instructions on how to pay the ransom and decrypt the data.
The ransomware enumerates all connected hard drives through several system functions and assigns a drive letter to every drive that does not already have one, so that it can access them.
These newly mapped drives are also encrypted in the final step.
Processes that service providers use to administer computers remotely are continuously identified and terminated by the ransomware. It also attempts to delete all volume shadow copies, which would otherwise allow the user to restore the encrypted files afterwards.
Finally, the ransomware encrypts all “interesting” accessible files, leaving certain folders and file extensions untouched.
Folders such as Windows, Windows.old, Mozilla and Program Data, as well as files with the extensions .db, .sys, .dll, .lnk, .msi, .drv and .exe, are not encrypted.
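To show how the naming scheme and exclusion rules described above translate into incident triage, here is an added Python example (not from the advisory and not the malware's own code). It assumes the ID after “.RGNR_” is hexadecimal (the advisory does not name the hash algorithm) and runs over a constructed file listing.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Extension described in the advisory: ".RGNR_" followed by an ID that is a hash
# of the host's NetBIOS name. The algorithm is not given, so a run of hex digits
# is accepted here (assumption).
RGNR_RE = re.compile(r"\.RGNR_([0-9A-Fa-f]+)$")

# Folders and extensions the advisory says are left unencrypted.
SKIPPED_FOLDERS = {"windows", "windows.old", "mozilla", "program data", "programdata"}
SKIPPED_EXTS = {".db", ".sys", ".dll", ".lnk", ".msi", ".drv", ".exe"}


def is_excluded(path: str) -> bool:
    """True if the advisory's exclusion rules would have spared this file."""
    p = PureWindowsPath(path)
    folders = {part.lower() for part in p.parts[1:-1]}  # drop drive and file name
    return bool(folders & SKIPPED_FOLDERS) or p.suffix.lower() in SKIPPED_EXTS


def triage(listing):
    """Classify a file listing taken from a suspected host.

    Returns (ids, encrypted, in_scope_plain, excluded): ids counts the RGNR IDs
    seen (more than one suggests files from several hosts), encrypted lists
    already-renamed files, in_scope_plain lists files the ransomware would have
    targeted but that are still intact, excluded lists files spared by rule.
    """
    ids, encrypted, in_scope_plain, excluded = Counter(), [], [], []
    for path in listing:
        m = RGNR_RE.search(path)
        if m:
            ids[m.group(1).lower()] += 1
            encrypted.append(path)
        elif is_excluded(path):
            excluded.append(path)
        else:
            in_scope_plain.append(path)
    return ids, encrypted, in_scope_plain, excluded


# Constructed sample listing (not from a real incident); the ID is a placeholder.
SAMPLE_LISTING = [
    r"C:\Users\finance\Documents\Q3-budget.xlsx.RGNR_0A1B2C3D",
    r"C:\Users\finance\Documents\contracts.docx.RGNR_0A1B2C3D",
    r"C:\Users\finance\Desktop\notes.txt",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows.old\Users\finance\old.docx",
    r"C:\Program Data\Vendor\app.db",
    r"D:\Backups\2020-05\archive.zip.RGNR_0A1B2C3D",
    r"C:\Users\finance\AppData\Roaming\Mozilla\Firefox\profiles.ini",
]

if __name__ == "__main__":
    ids, enc, plain, excl = triage(SAMPLE_LISTING)
    print(f"host ID(s): {dict(ids)}")
    print(f"{len(enc)} encrypted, {len(plain)} in-scope intact, {len(excl)} excluded")
```

Files that are intact but not excluded by rule point to where the encryption stopped, which is useful for scoping the incident and for checking whether the newly mapped drives were reached.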
Below you will find an overview of the publicly accessible IOCs. We regularly receive classified IOCs from various sources that may not be published here. If you are an employee of a KRITIS company or have an urgent need for additional IOCs, please do not hesitate to contact us.