www.itfunk.orgwww.itfunk.orgwww.itfunk.org
  • Home
  • Tech News
    Tech NewsShow More
    The Hidden Sabotage: How Malicious Go Modules Quietly Crashed Linux Systems
    6 Min Read
    Agentic AI: The Next Frontier in Cybersecurity Defense and Risk​
    5 Min Read
    Cybersecurity CEO Arrested for Allegedly Installing Malware on Hospital Computers: A Stark Reminder of Insider Threats
    8 Min Read
    Cybercriminals Hijack Google’s Reputation
    7 Min Read
    Apple and Google Join Forces to Patch Actively Exploited Zero-Day Vulnerabilities in iOS and macOS
    5 Min Read
  • Cyber Threats
    • Malware
    • Ransomware
    • Trojans
    • Adware
    • Browser Hijackers
    • Mac Malware
    • Android Threats
    • iPhone Threats
    • Potentially Unwanted Programs (PUPs)
    • Online Scams
  • How To Guides
    How To GuidesShow More
    Nviqri Someq Utils Unwanted Application
    4 Min Read
    How to Deal With Rbx.fund Scam
    4 Min Read
    How to Jailbreak DeepSeek: Unlocking AI Without Restrictions
    4 Min Read
    Why Streaming Services Geo-Restrict Content?
    10 Min Read
    Anonymous France Ransomware: A Comprehensive Guide
    9 Min Read
  • Product Reviews
    • Hardware
    • Software
  • IT/Cybersecurity Best Practices
    IT/Cybersecurity Best PracticesShow More
    Affordable Endpoint Protection Platforms (EPP) for Small Businesses
    5 Min Read
    Outlaw Malware: A Persistent Threat Exploiting Linux Servers
    4 Min Read
    CVE-2024-48248: Critical NAKIVO Backup & Replication Flaw Actively Exploited—Patch Immediately
    6 Min Read
    How to Jailbreak DeepSeek: Unlocking AI Without Restrictions
    4 Min Read
    Microsoft Patches Critical Security Flaws in Azure AI Face Service and Microsoft Account
    5 Min Read
  • FREE SCAN
  • Cybersecurity for Business
Search
  • ABOUT US
  • TERMS AND SERVICES
  • SITEMAP
  • CONTACT US
© 2023 ITFunk.org. All Rights Reserved.
Reading: Ragnar Locker ransomware targets the Remote Management Software used by Managed Service Providers 
Share
Notification Show More
Font ResizerAa
www.itfunk.orgwww.itfunk.org
Font ResizerAa
  • Tech News
  • How To Guides
  • Cyber Threats
  • Product Reviews
  • Cybersecurity for Business
  • Free Scan
Search
  • Home
  • Tech News
  • Cyber Threats
    • Malware
    • Ransomware
    • Trojans
    • Adware
    • Browser Hijackers
    • Mac Malware
    • Android Threats
    • iPhone Threats
    • Potentially Unwanted Programs (PUPs)
    • Online Scams
  • How To Guides
  • Product Reviews
    • Hardware
    • Software
  • IT/Cybersecurity Best Practices
  • Cybersecurity for Business
  • FREE SCAN
Follow US
  • ABOUT US
  • TERMS AND SERVICES
  • SITEMAP
  • CONTACT US
© 2023 ITFunk.org All Rights Reserved.
www.itfunk.org > Blog > Cyber Threats > Ransomware > Ragnar Locker ransomware targets the Remote Management Software used by Managed Service Providers 
Ransomware

Ragnar Locker ransomware targets the Remote Management Software used by Managed Service Providers 

ITFunk Research
Last updated: October 24, 2023 4:35 pm
ITFunk Research
Share
Ragnar Locker ransomware targets the Remote Management Software used by Managed Service Providers
SHARE

Ragnar Locker targets software commonly used by managed service providers to prevent their attack from being detected. Hackers were first discovered using the Ragnar Locker ransomware towards the end of December 2019 as part of an attack against compromised networks. Ragnar Locker ransomware is a data-encrypting Trojan that appears to target businesses specifically. As ransomware attacks increase in popularity, it seems that continuously more file-locking Trojans are being deployed.

Contents
Propagation and EncryptionThe Ragnar Locker Encryption Process

Propagation and Encryption

The authors of the Ragnar Locker likely deploy the threat manually on already compromised systems. This proves that this is a more complex operation than most ransomware propagation campaigns. Before launching Ragnar Locker ransomware, the attackers insert a module capable of gathering information that is of interest from the infected machines. The authors of the ransomware state that unless the victim complies with their demands, all their important data will be leaked online. As of now, malware researchers cannot confirm whether the creators of the Ragnar Locker ransomware gather data from the compromised hosts or whether they are using social engineering. 

Ragnar Locker ransomware uses an encryption algorithm to lock all the targeted data. Upon locking a file, the threat will append a new extension to its name ‘.ragnar_.’ Every affected user will have a uniquely generated victim ID, which contains numbers and uppercase letters. Ragnar Locker ransomware is capable of spotting any processes linked to commonly used remote desktop applications. If any are detected, the Ragnar Locker ransomware will attempt to shut them down. This makes it problematic for the victim to seek remote help.

Terminating processes and disabling services are typical schemes used by ransomware to disable security software and backup software and stifle database and mail servers so that their data can be easily encrypted. What has not been witnessed in other well-known ransomware previously, however, is that Ragnar Locker specifically targets remote management software (RMM) commonly used by managed service providers (MSPs), including the popular ConnectWise and Kaseya software platforms. An MSP uses these applications in providing remote support to their clients. 

The Ragnar Locker Encryption Process

According to Head of Sentinel Labs, Vitali Kremez, who has analyzed the ransomware, when initiated, Ragnar Locker will review the configured Windows language preferences. If the Windows language preferences show one of the countries that were part of the USSR, Ragnar Locker will terminate its process and not encrypt the machine. If the infected user passes this review, the ransomware will stop several Windows services and start to encrypt the files on the machine.

For each encrypted file, a preconfigured extension similar to ‘.ragnar_22015ABC’ is appended to the file’s name. Also, the ‘RAGNAR’ file marker will be attached to the end of every file that has been encrypted. Ultimately, a ransom message named ‘.RGNR_[extension].txt’ will be generated with more information on the attack, a ransom amount, a Bitcoin payment address and a TOX chat ID to communicate with the attackers. 

You Might Also Like

GovCrypt Ransomware
BackLock Ransomware (.backlock)
ITSA Ransomware
RALEIGHRAD Ransomware
LegionRoot Ransomware
TAGGED:RagnarRansomware

Sign Up For Daily Newsletter

Be keep up! Get the latest breaking news delivered straight to your inbox.
By signing up, you agree to our Terms of Use and acknowledge the data practices in our Privacy Policy. You may unsubscribe at any time.
Share This Article
Facebook Copy Link Print
Share
Previous Article IcedID banking trojan tricks users with COVID-19 & FMLA (Family and Medical Leave Act) phishing emails
Next Article Netwalker Ransomware takes on a research institution working on a Coronavirus Cure 
Leave a Comment

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Think You're Infected? Let's Find Out – FAST.
SpyHunter identifies viruses, ransomware, and hidden threats in under a minute.
🛡️ Scan Your Device for Free
✅ Free Scan Available • ⭐ Catches malware instantly
//

Check in Daily for the best technology and Cybersecurity based content on the internet.

Quick Link

  • ABOUT US
  • TERMS AND SERVICES
  • SITEMAP
  • CONTACT US

Support

Sign Up for Our Newesletter

Subscribe to our newsletter to get our newest articles instantly!

 

www.itfunk.orgwww.itfunk.org
© 2023 www.itfunk.org. All Rights Reserved.
  • ABOUT US
  • TERMS AND SERVICES
  • SITEMAP
  • CONTACT US
Welcome Back!

Sign in to your account

Username or Email Address
Password

Lost your password?