Ragnar Locker targets software commonly used by managed service providers so that its attack is not detected. Attackers were first observed using the Ragnar Locker ransomware towards the end of December 2019, deploying it on networks they had already compromised. Ragnar Locker is a data-encrypting Trojan that appears to target businesses specifically. As ransomware attacks grow in popularity, ever more file-locking Trojans are being deployed.
Propagation and Encryption
The authors of Ragnar Locker likely deploy the threat manually on already compromised systems. This shows that the operation is more complex than most ransomware propagation campaigns. Before launching the ransomware, the attackers deploy a module that collects data of interest from the infected machines. The ransomware authors state that unless the victim complies with their demands, all of their important data will be leaked online. As of now, malware researchers cannot confirm whether the creators of Ragnar Locker actually gather data from the compromised hosts or whether the leak threat is merely social engineering.
Ragnar Locker ransomware uses an encryption algorithm to lock all the targeted data. Upon locking a file, the threat appends a new extension to its name: ‘.ragnar_’ followed by a victim ID. Every affected victim receives a uniquely generated ID made up of digits and uppercase letters. Ragnar Locker is also capable of spotting processes linked to commonly used remote desktop applications, and if any are detected it attempts to shut them down. This makes it harder for the victim to obtain remote assistance.
Terminating processes and disabling services are typical techniques used by ransomware to disable security and backup software and to stop database and mail servers so that their data can be encrypted without interference. What has not been witnessed in other well-known ransomware before, however, is that Ragnar Locker specifically targets remote monitoring and management (RMM) software commonly used by managed service providers (MSPs), including the popular ConnectWise and Kaseya platforms. MSPs use these applications to provide remote support to their clients.
The Ragnar Locker Encryption Process
According to Vitali Kremez, Head of Sentinel Labs, who analyzed the ransomware, Ragnar Locker first checks the configured Windows language preferences when it starts. If the language preference is set to one of the countries that were part of the USSR, Ragnar Locker terminates its process and does not encrypt the machine. If the infected host passes this check, the ransomware stops several Windows services and starts encrypting the files on the machine.
For each encrypted file, a preconfigured extension similar to ‘.ragnar_22015ABC’ is appended to the file’s name. In addition, the ‘RAGNAR’ file marker is written to the end of every encrypted file. Finally, a ransom note named ‘.RGNR_[extension].txt’ is generated with more information on the attack, the ransom amount, a Bitcoin payment address and a TOX chat ID for communicating with the attackers.
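As an added defensive illustration (not code from the article or from the analysis it cites), the following Python script triages a directory tree for the three file-level artifacts described above: the ‘.ragnar_<ID>’ extension, the trailing ‘RAGNAR’ marker, and the ‘.RGNR_<ID>.txt’ ransom note. The regular expressions are assumptions derived from that description, and the sample directory is constructed inline using the article's example ID.

```python
import os
import re
import tempfile
from pathlib import Path

# Patterns assumed from the indicators the article describes (not a vendor signature):
# files end in ".ragnar_<ID>", the note is ".RGNR_<ID>.txt", the trailer marker is "RAGNAR".
EXT_RE = re.compile(r"\.ragnar_([A-Z0-9]+)$")
NOTE_RE = re.compile(r"^\.RGNR_([A-Z0-9]+)\.txt$")
MARKER = b"RAGNAR"

def has_trailer_marker(path: Path) -> bool:
    """True if the last bytes of the file are the 'RAGNAR' marker."""
    with path.open("rb") as fh:
        fh.seek(0, os.SEEK_END)
        if fh.tell() < len(MARKER):
            return False
        fh.seek(-len(MARKER), os.SEEK_END)
        return fh.read() == MARKER

def scan_tree(root: Path) -> dict:
    """Walk root and group Ragnar Locker artifacts; lists hold paths relative to root."""
    found = {"encrypted": [], "renamed_only": [], "notes": [], "victim_ids": set()}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if (ext := EXT_RE.search(path.name)):
            found["victim_ids"].add(ext.group(1))
            # The extension alone could be a renamed file; the trailer confirms the marker.
            found["encrypted" if has_trailer_marker(path) else "renamed_only"].append(rel)
        elif (note := NOTE_RE.match(path.name)):
            found["victim_ids"].add(note.group(1))
            found["notes"].append(rel)
    return found

def build_sample_tree() -> Path:
    """Constructed sample directory (hypothetical data) using the article's example ID."""
    root = Path(tempfile.mkdtemp(prefix="rgnr_demo_"))
    (root / "docs").mkdir()
    (root / "docs" / "q1.xlsx.ragnar_22015ABC").write_bytes(b"\x00" * 64 + MARKER)
    (root / "docs" / "plan.docx.ragnar_22015ABC").write_bytes(b"\x00" * 32)  # no marker
    (root / "docs" / "readme.txt").write_bytes(b"untouched file")
    (root / ".RGNR_22015ABC.txt").write_text("constructed ransom note placeholder")
    return root

if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

Grouping hits by victim ID lets an incident responder tell at a glance whether one or several infections touched the tree, and the marker check separates genuinely encrypted files from ones that were only renamed.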