Ragnar Locker is ransomware that runs on Microsoft Windows. It specifically targets software commonly used by managed service providers (MSPs), such as remote-management and backup tools, so that the attack is not detected and stopped before the encryption runs. It is aimed at English-speaking users.

Attackers began using the Ragnar Locker ransomware towards the end of December 2019, deploying it on networks they had already compromised.

Payload

When the attackers first compromise a network, they will perform reconnaissance and pre-deployment tasks before executing the ransomware.

According to the attackers, one of these pre-deployment tasks is to steal the victim's files and upload them to servers under the attackers' control. They then threaten to release the files publicly if the ransom is not paid.

Before encrypting anything, the ransomware enumerates all running Windows services on the victim's computer and stops any service whose name contains one of a fixed set of strings.

Below is the list of targeted strings (matching is on a substring, so "logme" already covers "logmein"):

vss
sql
memtas
mepocs
sophos
veeam
backup
pulseway
logme
logmein
connectwise
splashtop
kaseya

Terminating processes and disabling services is a common tactic used by ransomware to disable security software and backup software and stop database and mail servers so that their data can be encrypted.
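As an added illustration (not code from the page and not part of the malware), the following Python script turns the list above into detection logic: it parses Service Control Manager "entered the stopped state" messages (Event ID 7036) from a constructed sample of System log lines, applies the same case-insensitive substring test the ransomware is described as using, and flags a burst of stops of targeted services within a short window. The log line format, the display-name-to-service-name lookup table, and the 60-second window and three-service threshold are assumptions made for the example.

```python
import re
from datetime import datetime

# Substrings Ragnar Locker matches against service names (list from the page).
TARGET_STRINGS = [
    "vss", "sql", "memtas", "mepocs", "sophos", "veeam", "backup",
    "pulseway", "logme", "logmein", "connectwise", "splashtop", "kaseya",
]

# Assumption for the example: a lookup from display name (what Event 7036
# records) to the short service name. On a real host build it from
# Get-Service or `sc query`; these entries are constructed for the sample.
DISPLAY_TO_SHORT = {
    "Volume Shadow Copy": "VSS",
    "SQL Server (MSSQLSERVER)": "MSSQLSERVER",
    "Veeam Backup Service": "VeeamBackupSvc",
    "Sophos Endpoint Defense Service": "SEDService",
    "ConnectWise Control Agent": "ScreenConnect Client",
    "Print Spooler": "Spooler",
    "Windows Update": "wuauserv",
}

# Constructed sample of System log lines in the shape of Service Control
# Manager Event ID 7036 messages. Timestamps and names are made up.
SAMPLE_LOG = """\
2020-01-14 03:12:01 7036 The Print Spooler service entered the stopped state.
2020-01-14 03:12:05 7036 The Volume Shadow Copy service entered the stopped state.
2020-01-14 03:12:06 7036 The SQL Server (MSSQLSERVER) service entered the stopped state.
2020-01-14 03:12:06 7036 The Veeam Backup Service service entered the stopped state.
2020-01-14 03:12:07 7036 The Sophos Endpoint Defense Service service entered the stopped state.
2020-01-14 03:12:07 7036 The Windows Update service entered the running state.
2020-01-14 03:40:00 7036 The ConnectWise Control Agent service entered the stopped state.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) 7036 "
    r"The (?P<svc>.+?) service entered the (?P<state>\w+) state\.$"
)


def targeted(service_name: str) -> list:
    """Substrings from TARGET_STRINGS found in a name, case-insensitively.

    This is the test the ransomware is described as applying: any hit means
    the service gets stopped.
    """
    name = service_name.lower()
    return [s for s in TARGET_STRINGS if s in name]


def parse_targeted_stops(log_text: str) -> list:
    """Return (timestamp, display_name, hits) for each stop of a targeted service.

    Both the display name and the resolved short name are checked, because
    Event 7036 carries only the display name.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("state") != "stopped":
            continue
        display = m.group("svc")
        short = DISPLAY_TO_SHORT.get(display, display)
        hits = sorted(set(targeted(display) + targeted(short)))
        if hits:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, display, hits))
    return events


def stop_bursts(events: list, window_seconds: int = 60, threshold: int = 3) -> list:
    """Group targeted stops separated by at most window_seconds and keep the
    groups with at least threshold members: one stopped backup service is
    routine maintenance, several within seconds looks like pre-encryption."""
    groups, current = [], []
    for ev in events:
        if current and (ev[0] - current[-1][0]).total_seconds() > window_seconds:
            groups.append(current)
            current = []
        current.append(ev)
    if current:
        groups.append(current)
    return [g for g in groups if len(g) >= threshold]


if __name__ == "__main__":
    for burst in stop_bursts(parse_targeted_stops(SAMPLE_LOG)):
        names = ", ".join(f"{d} [{'/'.join(h)}]" for _, d, h in burst)
        print(f"ALERT {burst[0][0]} to {burst[-1][0]}: "
              f"{len(burst)} targeted services stopped: {names}")
```

Two points worth carrying into a production rule: Event 7036 logs the display name, not the short name, so matching the display name alone misses the Volume Shadow Copy service (short name VSS); resolving to the short name as the sample lookup does closes that gap. And the signal is the burst, not any single stop: the sample's lone ConnectWise stop half an hour later stays below the threshold, while four targeted stops within two seconds raise the alert.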

When first started, Ragnar Locker checks the configured Windows language preferences; if they are set to one of the former USSR countries, it terminates and does not encrypt the computer.

If the victim passes this check, the ransomware stops the services listed above and then begins encrypting the files on the computer.

When encrypting files, it will skip files in the following folders, file names, and extensions:

kernel32.dll
Windows
Windows.old
Tor browser
Internet Explorer
Google
Opera
Opera Software
Mozilla
Mozilla Firefox
$Recycle.Bin
ProgramData
All Users
autorun.inf
boot.ini
bootfont.bin
bootsect.bak
bootmgr
bootmgr.efi
bootmgfw.efi
desktop.ini
iconcache.db
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
.sys
.dll
.lnk
.msi
.drv
.exe

For each encrypted file, a preconfigured extension such as .ragnar_22015ABC is appended to the file name, and the string 'RAGNAR' is written as a file marker at the end of every encrypted file.
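An added example, not from the page and not the malware's own code: the Python below encodes the skip rules above (folder names, file names, extensions) and the two indicators of an encrypted file (the appended .ragnar_ extension and the trailing RAGNAR marker) into a small triage function that an incident responder could run over a file listing to separate encrypted files from files the ransomware would have left alone. It assumes that a listed folder name is matched against any path component, that the suffix after .ragnar_ is hexadecimal like the page's example .ragnar_22015ABC, and the sample file entries and their contents are constructed.

```python
import re
from pathlib import PureWindowsPath

# Skip lists from the page. "kernel32.dll" appears among the folders on the
# page but is a file name, so it is treated as one here. Matching is
# case-insensitive throughout.
SKIP_DIRS = {
    "Windows", "Windows.old", "Tor browser", "Internet Explorer", "Google",
    "Opera", "Opera Software", "Mozilla", "Mozilla Firefox", "$Recycle.Bin",
    "ProgramData", "All Users",
}
SKIP_FILES = {
    "kernel32.dll", "autorun.inf", "boot.ini", "bootfont.bin", "bootsect.bak",
    "bootmgr", "bootmgr.efi", "bootmgfw.efi", "desktop.ini", "iconcache.db",
    "ntldr", "ntuser.dat", "ntuser.dat.log", "ntuser.ini", "thumbs.db",
}
SKIP_EXTS = {".sys", ".dll", ".lnk", ".msi", ".drv", ".exe"}

_SKIP_DIRS = {d.lower() for d in SKIP_DIRS}
_SKIP_FILES = {f.lower() for f in SKIP_FILES}

# Assumption: the suffix after ".ragnar_" is hexadecimal, as in the page's
# example ".ragnar_22015ABC"; its exact length is not fixed here.
RAGNAR_EXT_RE = re.compile(r"\.ragnar_[0-9A-Fa-f]+$")
RAGNAR_MARKER = b"RAGNAR"


def would_skip(path_str: str) -> bool:
    """Return True if the skip rules would leave this file untouched.

    Assumption: a folder name in the skip list is matched against every
    directory component of the path, not only the top level.
    """
    p = PureWindowsPath(path_str)
    dirs = [part.lower() for part in p.parts[:-1]]
    if any(d in _SKIP_DIRS for d in dirs):
        return True
    if p.name.lower() in _SKIP_FILES:
        return True
    return p.suffix.lower() in SKIP_EXTS


def looks_encrypted(path_str: str, data: bytes) -> bool:
    """Identify an encrypted file by both indicators the page describes: the
    appended .ragnar_<id> extension and the RAGNAR marker at the end of the
    file. Requiring both avoids counting a file that was merely renamed."""
    return bool(RAGNAR_EXT_RE.search(path_str)) and data.endswith(RAGNAR_MARKER)


def triage(entries) -> dict:
    """Classify (path, content) pairs for incident-response triage."""
    report = {"encrypted": [], "skipped_by_design": [], "unencrypted": []}
    for path, data in entries:
        if looks_encrypted(path, data):
            report["encrypted"].append(path)
        elif would_skip(path):
            report["skipped_by_design"].append(path)
        else:
            report["unencrypted"].append(path)
    return report


# Constructed sample listing with fake contents (not real artefacts).
SAMPLE_FILES = [
    (r"C:\Users\alice\Documents\budget.xlsx.ragnar_22015ABC",
     b"\x9a\x03\x77\xe1ciphertext" + RAGNAR_MARKER),
    (r"C:\Windows\System32\kernel32.dll", b"MZ"),
    (r"C:\Program Files\Mozilla Firefox\firefox.exe", b"MZ"),
    (r"C:\ProgramData\app\config.json", b"{}"),
    (r"C:\Users\alice\Desktop\notes.txt", b"plain text"),
    # Renamed by hand but no trailing marker: not counted as encrypted.
    (r"C:\Users\alice\Desktop\notes.txt.ragnar_22015ABC", b"plain text"),
]

if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_FILES).items():
        print(f"{bucket}: {len(paths)}")
        for path in paths:
            print("   ", path)
```

The "unencrypted" bucket is the interesting one during response: files that are neither encrypted nor covered by a skip rule either had not been reached yet when the process was stopped, or sit on a path the sample's rules do not model, and both cases deserve a look. Reading only the last few bytes of each file is enough for the marker check on a large share, so the scan does not need to load whole files.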

Finally, a ransom note named .RGNR_[extension].txt will be created that contains information on what happened to the victim's files, a ransom amount, a bitcoin payment address, a TOX chat ID to communicate with the attackers, and a backup email address if TOX does not work. The ransom note states the following:

                                              Hello xxx !

*****************************************************************************************************************

 If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED
                             
                                              by RAGNAR_LOCKER !

*****************************************************************************************************************

*********What happens with your system ?************

Your network was penetrated, all your files and backups was locked! So from now there is NO ONE CAN HELP YOU to get your files back, EXCEPT US.
You can google it, there is no CHANCES to decrypt data without our SECRET KEY.

But don't worry ! Your files are NOT DAMAGED or LOST, they are just MODIFIED. You can get it BACK as soon as you PAY.
We are looking only for MONEY, so there is no interest for us to steel or delete your information, it's just a BUSINESS $-)

HOWEVER you can damage your DATA by yourself if you try to DECRYPT by any other software, without OUR SPECIFIC ENCRYPTION KEY !!!

Also, all of your sensitive and private information were gathered and if you decide NOT to pay,
we will upload it for public view !

****

***********How to get back your files ?******

To decrypt all your files and data you have to pay for the encryption KEY :

BTC wallet for payment: xxx
Amount to pay (in Bitcoin): 60

****

***********How much time you have to pay?**********

* You should get in contact with us within 2 days after you noticed the encryption to get a better price.

* The price would be increased by 100% (double price) after 14 Days if there is no contact made.
 
* The key would be completely erased in 21 day if there is no contact made or no deal made. 
Some sensetive information stolen from the file servers would be uploaded in public or to re-seller.

****

***********What if files can't be restored ?******

To prove that we really can decrypt your data, we will decrypt one of your locked files ! 
Just send it to us and you will get it back FOR FREE.

The price for the decryptor is based on the network size, number of employees, annual revenue. 
Please feel free to contact us for amount of BTC that should be paid.

****

! IF you don't know how to get bitcoins, we will give you advise how to exchange the money.


!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! HERE IS THE SIMPLE MANUAL HOW TO GET CONTCAT WITH US !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

1) Go to the official website of TOX messenger ( https://tox.chat/download.html )

2) Download and install qTOX on your PC, choose the platform ( Windows, OS X, Linux, etc. )

3) Open messenger, click "New Profile" and create profile.

4) Click "Add friends" button and search our contact xxx

5) For identification, send to our support data from ---RAGNAR SECRET---

IMPORTANT ! IF for some reasons you CAN'T CONTACT us in qTOX, here is our reserve mailbox ( hello_psecu@protonmail.com ) send a message with a data from ---RAGNAR SECRET---



WARNING!

-Do not try to decrypt files with any third-party software (it will be damaged permanently)
-Do not reinstall your OS, this can lead to complete data loss and files cannot be decrypted. NEVER!
-Your SECRET KEY for decryption is on our server, but it will not be stored forever. DO NOT WASTE TIME ! 


***********************************************************************************

---RAGNAR SECRET---
xxx
---RAGNAR SECRET---

***********************************************************************************