RagnarLocker ransomware

The FBI first reported on the RagnarLocker ransomware in April 2020. New indicators of compromise were shared in a recent FBI flash report and other reports.

General Information

The RagnarLocker ransomware evades endpoint protection by running its malicious code inside a Windows XP virtual machine. Before the ransomware encrypts data, the data is copied to servers controlled by the attackers.

The attackers demand a ransom for the encrypted data and threaten to publish sensitive information if the ransom is not paid. For this situation we recommend the article “Hacked – What to do”.

Technical details

The ransomware leaves behind encrypted files with the file extension “.RGNR_<ID>”, where the ID is a hash of the computer's NETBIOS name.

The ransomware also leaves a text message with instructions on how to pay the ransom and decrypt the data.

Checking the set language

Certain regions are deliberately not affected by the ransomware. For this reason the Windows API function GetLocaleInfoW is used to determine the language setting of the infected machine. If the ransomware finds itself on a computer in the region of Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Russia, Turkmenistan, Uzbekistan, Ukraine or Georgia, the process is stopped.

Identification of volumes

All connected hard drives are enumerated using various functions. Every drive is assigned a drive letter (if it does not already have one) so that it can be accessed.

The newly assigned drives are also encrypted in the final step.

Processes and shadow copies

Processes used by service providers to remotely administer computers are continuously identified and terminated by the ransomware. In addition, it attempts to delete all volume shadow copies, which would otherwise allow the user to restore the encrypted files afterwards.

Encryption

Ultimately, the ransomware encrypts all “interesting” accessible files. However, various folders and file extensions are not encrypted.

Folders such as Windows, Windows.old, Mozilla and Program Data, as well as files with the extensions .db, .sys, .dll, .lnk, .msi, .drv and .exe, are not encrypted.
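An added triage example for responders (not code from the advisory or from any vendor tool): it walks a directory tree, recognises files renamed with the `.RGNR_<ID>` suffix described above, groups them by ID, and flags any encrypted file that contradicts the documented folder and extension exclusions, since such a hit suggests a variant that behaves differently. The helper names `triage_tree` and `make_sample_tree` and the sample file layout are assumptions of this example.

```python
# Added triage example (not the advisory's own code): find files renamed with
# the `.RGNR_<ID>` suffix, group them by ID and flag files that contradict the
# documented exclusions. triage_tree/make_sample_tree are names of this example.
import os
import re
import tempfile
from collections import Counter

# <original name>.RGNR_<ID>; the ID alphabet is undocumented, so accept any run.
RGNR_SUFFIX = re.compile(r"^(?P<orig>.+)\.RGNR_(?P<id>[^.\\/]+)$")
EXCLUDED_DIRS = {"windows", "windows.old", "mozilla", "program data"}
EXCLUDED_EXTS = {".db", ".sys", ".dll", ".lnk", ".msi", ".drv", ".exe"}


def triage_tree(root):
    """Return (Counter of encrypted files per ID, list of anomaly strings) under root."""
    ids, anomalies = Counter(), []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        parts = set() if rel == "." else {p.lower() for p in rel.split(os.sep)}
        for name in files:
            m = RGNR_SUFFIX.match(name)
            if not m:
                continue  # not renamed by the ransomware
            ids[m.group("id")] += 1
            path = os.path.join(dirpath, name)
            # The family skips these folders/extensions; a hit here deviates from
            # the documented behaviour and deserves a closer look.
            if parts & EXCLUDED_DIRS:
                anomalies.append(f"excluded folder: {path}")
            if os.path.splitext(m.group("orig"))[1].lower() in EXCLUDED_EXTS:
                anomalies.append(f"excluded extension: {path}")
    return ids, anomalies


def make_sample_tree():
    """Constructed sample layout (not victim data) that exercises both checks."""
    root = tempfile.mkdtemp(prefix="rgnr_")
    for rel in (
        "Users/alice/report.docx.RGNR_AB12CD34",
        "Users/alice/photo.jpg.RGNR_AB12CD34",
        "Users/alice/notes.txt",                    # untouched plain file
        "Windows/system32/kernel32.dll",            # excluded ext, left alone
        "Windows/temp/log.txt.RGNR_AB12CD34",       # anomaly: excluded folder
        "Users/bob/tool.exe.RGNR_AB12CD34",         # anomaly: excluded extension
    ):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "wb").close()
    return root
```

Run `triage_tree(make_sample_tree())` on the constructed tree to see one ID with four encrypted files and two anomalies; on a real host, point it at the affected volume and expect a single ID per machine.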

Recommendations for action at RagnarLocker

  • We strongly recommend monitoring outgoing connections from your own IT network and your own IT devices for contact with the published IP addresses.
  • Signatures for the malware are known. Check whether all antivirus solutions and endpoint protection services in use have these signatures, and use them to verify all files on all systems.
  • E-mail addresses are known in connection with attacks and blackmail attempts, so check whether any contact attempts from these e-mail addresses have taken place.

Indicators of Compromise

Below you will find an overview of the publicly accessible IOCs. We regularly receive classified IOCs from various sources, which may not be published here. If you are an employee of a KRITIS (critical infrastructure) company or have an urgent need for additional IOCs, please do not hesitate to contact us.

Bitcoin addresses

19kcqKevFZhiX7NFLa5wAw4JBjWLcpwp3e
1CG8RAqNaJCrmEdVLK7mm2mTuuK28dkzCU
151Ls8urp6e2D1oXjEQAkvqogSn3TS8pp6

Other Recommendations

  • Create backups of your systems at regular intervals
  • Also store these backups offline
  • Keep your systems up to date with current patches
  • Turn off unused external services
  • Only allow email attachments that are absolutely necessary
  • Only open trusted emails