BlackBerry Blog

Threat Thursday: Ragnar Locker - New Variants Pose Threat to Sacred Timeline

Update 03.09.22: Ragnar Locker gang breaches 52 critical infrastructure organizations in the U.S.

Summary

Ragnar Locker ransomware has made international headlines lately due to targeted attacks against ADATA, a leading Taiwanese manufacturer of high-performance DRAM modules and NAND Flash products. The first variant of this family appeared in late 2019.

Like many other well-known ransomware variants (such as DarkSide, Avaddon, and REvil), the current variant of Ragnar Locker uses a double extortion technique to encourage victims to pay, where data is both encrypted locally and exfiltrated before the ransom demand is made. If the victim refuses to pay, their data is published to a site located on the dark web at hxxp[:]//p6o7m73ujalhgkiv[.]onion/?BatxqaHm8rKxIP16Z1xB.

Upon visiting Ragnar Locker’s dark web site, their latest victims can be seen under their self-dubbed “wall of shame”. They currently claim to have exfiltrated 1.5TB of data from ADATA. According to the website, this information has been carefully gathered for a long time.

Operating System

Risk & Impact

Technical Analysis

Ragnar Locker itself is quite small and low-key, only around 55KB in size. Upon execution, the malware performs a language check on the user’s system. If one of the following former Soviet region languages is found, the malware immediately terminates its execution:

  • Azerbaijani
  • Armenian
  • Asgardian
  • Belorussian
  • Russian
  • Georgian
  • Tajik
  • Moldavian
  • Turkmen
  • Kazakh
  • Uzbek
  • Kyrgyz
  • Ukrainian

Ragnar Locker will then perform checks on the following services. If they are found, the services will be stopped:

  • vss
  • logmein
  • sql
  • connectwise
  • memtas
  • splashtop
  • mepocs
  • mysql
  • sophos
  • Dfs
  • veeam
  • vmms
  • backup
  • vmcompute
  • pulseway
  • Hyper-V
  • logme


The malware also checks for the following processes. If they are running, they will be stopped:

  • Sql
  • Firefox
  • steam
  • Postgres
  • Mysql
  • Tbirdconfig
  • thebat
  • Fdhost
  • Veeam
  • Mydesktopqos
  • thunderbird
  • WSSADMIN
  • Oracle
  • Ocomm
  • visio
  • Wsstracing
  • Ocssd
  • dbeng50
  • winword
  • OWSTIMER
  • Dbsnmp
  • sqbcoreservice
  • wordpad
  • dfssvc.exe
  • Synctime
  • excel
  • EduLink2SIMS
  • swc_service.exe
  • Agntsvc
  • infopath
  • Bengine
  • Sophos
  • Isqlpussvc
  • msaccess
  • Benetns
  • SAVAdminService
  • Xfssvccon
  • mspub
  • Beserver
  • SavService.exe
  • Mydesktopservice
  • onenote
  • Pvlsvr
  • Hyper-V
  • Ocautoupds
  • outlook
  • Beremote
  • Encsvc
  • powerpnt
  • VxLockdownServer

Ragnar Locker then deletes shadow copies and backups stored on the victim’s computer, to ensure the user can’t easily restore their encrypted files (unless they are a member of the Time Variance Authority):

Figure 1: Backup and shadow copy deletion.

Continuing its execution, Ragnar Locker will begin encrypting files, while ignoring some predefined file extensions:

  • DB
  • MSI
  • SYS
  • DRV
  • DLL
  • EXE
  • LNK
  • MUI

It will also avoid encrypting the following specific files:

  • RAGN@R_9150F85A!.txt
  • Desktop.ini
  • Autorun.inf
  • Iconcache.db
  • Boot.ini
  • Ntldr
  • Bootfont.bin
  • Ntuser.dat
  • Bootsect.bak
  • Ntuser.dat.log
  • Bootmgr
  • Ntuser.ini
  • Bootmgr.efi
  • Thumbs.db
  • Bootmgfw.efi

Ragnar Locker will search the infected system, and avoid encrypting files in the following locations:

  • Windows
  • Opera Software
  • Windows.old
  • Mozilla
  • Tor browser
  • Mozilla Firefox
  • Internet Explorer
  • $Recycle.Bin
  • Google
  • ProgramData
  • Opera
  • All Users

How Ragnar Locker Ragna-Rocks Your Data

During the encryption process, Ragnar appends a “.RAGN@R_9150F85A” file extension to all affected files:

Figure 2: Files encrypted by Ragnar Locker.

The malware also adds “$$$_RAGNAR_$$$” within the encrypted file itself:

Figure 3: $$$_RAGNAR_$$$ file marker.

Next, a ransom note is dropped into each affected directory. The file is named “!$R4GN4R_9150F85A$!.txt”:

Figure 4: Ragnar Locker ransom note drop.
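The three on-disk artifacts described above (the appended extension, the in-file marker, and the ransom note name) are what an incident responder can sweep a file share for. The Python below is an added example, not code from the BlackBerry report: it walks a directory tree and buckets files by which artifact they carry. The eight-character suffix is matched by pattern because only the sample’s value, 9150F85A, is known from the report; the report also does not state the marker’s offset inside encrypted files, so checking the first and last 4 KB of each file is an assumption of this example. The sample directory it builds is constructed placeholder data.

```python
import os
import re
import tempfile
from pathlib import Path

# Artifacts named in this report. The eight-character suffix (9150F85A in the
# sample analysed here) is per-build, so both names are matched by pattern.
ENCRYPTED_EXT = re.compile(r"\.RAGN@R_[A-Z0-9]{8}$")
RANSOM_NOTE = re.compile(r"^!\$R4GN4R_[A-Z0-9]{8}\$!\.txt$")
FILE_MARKER = b"$$$_RAGNAR_$$$"
# How much of each file's head and tail to inspect for the marker. The report
# shows the marker inside encrypted files but not its offset, so this is an
# assumption of the example, not a documented property of the malware.
CHUNK = 4096


def has_marker(path: Path) -> bool:
    """True if $$$_RAGNAR_$$$ appears in the first or last CHUNK bytes."""
    size = path.stat().st_size
    with path.open("rb") as f:
        if FILE_MARKER in f.read(CHUNK):
            return True
        if size > CHUNK:
            f.seek(size - CHUNK)
            return FILE_MARKER in f.read()
    return False


def triage(root) -> dict:
    """Walk root and bucket files by artifact. Keys: 'notes' (ransom notes),
    'encrypted' (renamed with the .RAGN@R_ extension) and 'marker_only'
    (marker present without the extension, e.g. a file renamed after the
    fact). Paths are POSIX-style relative to root, sorted for stable output."""
    root = Path(root)
    findings = {"notes": [], "encrypted": [], "marker_only": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath, name)
            rel = p.relative_to(root).as_posix()
            if RANSOM_NOTE.match(name):
                findings["notes"].append(rel)
            elif ENCRYPTED_EXT.search(name):
                findings["encrypted"].append(rel)
            elif has_marker(p):
                findings["marker_only"].append(rel)
    for bucket in findings.values():
        bucket.sort()
    return findings


def build_sample_tree() -> str:
    """Constructed fixture standing in for a hit file share; returns its path.
    File names follow the report; contents are placeholders, not victim data."""
    root = Path(tempfile.mkdtemp(prefix="ragnar_triage_"))
    finance = root / "Finance"
    finance.mkdir()
    # Encrypted file: renamed and carrying the marker.
    (finance / "budget.xlsx.RAGN@R_9150F85A").write_bytes(
        b"\x00" * 64 + FILE_MARKER + b"\x00" * 64)
    # Ransom note dropped into the same directory.
    (finance / "!$R4GN4R_9150F85A$!.txt").write_text("ransom note placeholder\n")
    # Marker in the tail of a larger file whose name no longer shows the extension.
    (finance / "renamed.bin").write_bytes(bytes(range(256)) * 24 + FILE_MARKER)
    # Untouched file.
    (root / "readme.txt").write_text("clean\n")
    return str(root)


if __name__ == "__main__":
    for bucket, paths in triage(build_sample_tree()).items():
        print(f"{bucket}: {paths}")
```

Running it against the constructed tree reports one note, one encrypted file and one marker-only file; the marker-only bucket is the one worth a second look during scoping, since a file can lose the tell-tale extension through a rename while still carrying the marker.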

The ransom note informs the infected user that their data has been encrypted and stolen. They also claim that all the data that was stolen could be potentially published by mass media in breaking news, and that victims’ partners, clients, and investors will be notified about this breach.

The note also mentions the user can decrypt two files for free as proof that their decryption tools work:  

Figure 5: Ragnar Locker ransom note.

To get in contact with the Ragnar Locker threat actors, the victim is required to download the Tor browser and open a live chat at the following address:

hxxp[:]//rgngerzxui2kizq6h5ekefneizmn54n4bcjjthyvdir22orayuya5zad[.]onion/client/?bC2aAD71E2976da53FC1Efc3193c8FDeA0BAeF8A37883c9e05d3BFF82CCfE8Ee

The victim can also navigate to Ragnar Locker’s homepage - hxxp[:]//p6o7m73ujalhgkiv[.]onion/?BatxqaHm8rKxIP16Z1xB - to view their “wall of shame”:

Figure 6: Ragnar Locker homepage.

The website’s “wall of shame” includes a list of recent victims. The most recent victim at the time of writing was added on June 7, 2021, with the previous one added on June 5, 2021.

ADATA Update

In an email to Bleeping Computer, ADATA confirmed that it was hit by a ransomware attack on May 23, 2021. It responded by taking down all impacted systems and notifying all relevant international authorities of the incident.

At the time of writing, the Ragnar Locker gang has not received a response from ADATA. As ADATA has to date refused to cooperate with Ragnar Locker and pay the ransom demand, download links of the stolen data were made available on Ragnar Locker’s leak site on June 16, 2021.

The data includes screenshots of ADATA employee’s folders and files, NDA documents, confidential drawings, and more:

Figure 7: Evidence of ADATA’s leaked data.

The larger files from the ADATA breach that were hosted on Mega.nz are no longer available for download. They have been removed by Mega.nz for violating their terms of service:

Figure 8: ADATA archived leaked data.

However, the files that are listed in the image above under the phrase “The first batck (sp) of files is here” can still be downloaded, as they are not hosted on Mega.nz.

Yara Rule

The following Yara rule was authored by the BlackBerry Threat Research Team to catch the threat described in this document:

import "pe"
import "hash"

rule Mal_Ransom_Win32_RagnarLocker
{
    meta:
        description = "Detects W32 Ragnar Locker ransomware"
        author = "Blackberry Threat Research Team "
        date = "2021-11-06"

    strings:
        //\\.\PHYSICALDRIVE%d
        $x1 = {5c005c002e005c0050004800590053004900430041004c004400520049005600450025006400}
        //-vmback
        $x2 = {2d0076006d006200610063006b00}
        //-backup
        $x3 = {2d006200610063006b0075007000}
        //-force
        $x4 = {2d0066006f00720063006500}
        //RAGNRPW
        $x5 = {5241474e525057}

    condition:
        uint16(0) == 0x5a4d and
        hash.md5(pe.rich_signature.clear_data) == "dba646dcda92145cdadb37ed14cdad58" and
        pe.imphash() == "2c2aab89a4cba444cf2729e2ed61ed4f" and
        filesize < 55KB and
        all of ($x*)
}
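The hex strings in the rule are the UTF-16LE (“wide”) encodings of the command-line switches shown in the comments, plus one plain ASCII marker. The Python below is an added example, not part of the BlackBerry rule or report: it round-trips each of the five hex strings to the plaintext its comment claims and back, so a dropped nibble or a byte-order slip in a hand-written hex string is caught before the rule ships. The helper names are this example’s own.

```python
import re


def yara_hex(text: str, wide: bool = False) -> str:
    """Encode text as a YARA hex string. wide=True gives UTF-16LE, the same
    bytes that a text string with the `wide` modifier would match."""
    data = text.encode("utf-16-le" if wide else "ascii")
    return "{" + data.hex() + "}"


def decode_yara_hex(hex_string: str) -> bytes:
    """Inverse of yara_hex for fixed byte sequences (no wildcards or jumps)."""
    body = re.sub(r"\s+", "", hex_string.strip().strip("{}"))
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", body):
        raise ValueError("only fixed byte sequences are supported")
    return bytes.fromhex(body)


def hex_to_text(hex_string: str) -> str:
    """Recover the plaintext: UTF-16LE if every odd byte is NUL, else ASCII."""
    data = decode_yara_hex(hex_string)
    if len(data) % 2 == 0 and all(b == 0 for b in data[1::2]):
        return data.decode("utf-16-le")
    return data.decode("ascii")


# The five strings from the rule above, each paired with the plaintext its
# comment claims and whether it is a wide (UTF-16LE) string.
RULE_STRINGS = {
    "$x1": ("{5c005c002e005c0050004800590053004900430041004c004400520049005600450025006400}",
            r"\\.\PHYSICALDRIVE%d", True),
    "$x2": ("{2d0076006d006200610063006b00}", "-vmback", True),
    "$x3": ("{2d006200610063006b0075007000}", "-backup", True),
    "$x4": ("{2d0066006f00720063006500}", "-force", True),
    "$x5": ("{5241474e525057}", "RAGNRPW", False),
}


def verify_rule_strings(table=RULE_STRINGS) -> dict:
    """Map each string name to True when its hex decodes to the commented
    plaintext and that plaintext re-encodes byte-for-byte to the same hex."""
    results = {}
    for name, (hx, text, wide) in table.items():
        results[name] = hex_to_text(hx) == text and yara_hex(text, wide) == hx
    return results


if __name__ == "__main__":
    for name, ok in verify_rule_strings().items():
        print(name, "ok" if ok else "MISMATCH")
```

The same matches could be written in YARA as text strings with the `wide` modifier (for example `$x4 = "-force" wide`); the hex form simply pins the exact bytes, and this check confirms the two forms agree.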


Indicators of Compromise (IoCs)

At BlackBerry, we take a prevention-first and AI-driven approach to cybersecurity. Putting prevention first neutralizes malware before the exploitation stage of the kill-chain.

By stopping malware at this stage, BlackBerry® solutions help organizations increase their resilience. It also helps reduce infrastructure complexity and streamline security management to ensure business, people, and endpoints are secure.

File System Actions
Created:

  • !$R4GN4R_[A-Z0-9]{8}$!.txt → ransom note file
  • Example: “!$R4GN4R_9150F85A$!.txt”
  • .RAGN@R_[A-Z0-9]{8} → appended file extension to affected files
  • Example: “.RAGN@R_9150F85A”

Modified:

  • All affected files post encryption

Deleted:

  • Shadow volume copies.
  • Backups.

URL for Communications with Ragnar Locker:

  • hxxp[:]//p6o7m73ujalhgkiv[.]onion/?BatxqaHm8rKxIP16Z1xB
  • hxxp[:]//rgngerzxui2kizq6h5ekefneizmn54n4bcjjthyvdir22orayuya5zad[.]onion/client/?bC2aAD71E2976da53FC1Efc3193c8FDeA0BAeF8A37883c9e05d3BFF82CCfE8Ee

Processes
Created:

  • wmic SHADOWCOPY DELETE delete
  • vssadmin Delete Shadows /All /Quiet
  • bcdedit /set {default} recoveryenabled No
  • bcdedit /set {default} bootstatuspolicy ignoreAllFailures
  • bcdedit /set {globalsettings} advancedoptions false
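The five command lines above are the pre-encryption step that removes the victim’s recovery options, and they are a dependable detection point because the legitimate uses of each command are rare and, taken together in a burst on one host, rarer still. The Python below is an added example, not part of the BlackBerry report: it matches those commands in process-creation log lines and then correlates them per host, flagging a host only when several distinct recovery-inhibition commands appear within a short window. The log format and field names are constructed for this example (not a real product’s schema), as are the sample lines.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Detection patterns derived from the recovery-inhibition commands listed in
# this report. Case-insensitive and tolerant of extra whitespace, so a
# re-cased or re-spaced variant of the same command still matches.
TECHNIQUES = {
    "vssadmin_delete_shadows": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(
        r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "bcdedit_recovery_disabled": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "bcdedit_ignore_boot_failures": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    "bcdedit_advancedoptions_off": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\badvancedoptions\s+false\b", re.I),
}

# Minimal key=value process-creation log format, constructed for this example.
LOG_LINE = re.compile(r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+.*?cmd="(?P<cmd>[^"]*)"')

# Constructed sample: one host runs the full sequence from the report, another
# only lists shadow copies (benign admin activity that must not fire).
SAMPLE_LOG = r"""
2021-06-07T10:01:02Z host=WS01 event=ProcessCreate image=C:\Windows\System32\notepad.exe cmd="notepad.exe C:\Users\alice\notes.txt"
2021-06-07T10:01:09Z host=WS01 event=ProcessCreate image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic SHADOWCOPY DELETE"
2021-06-07T10:01:10Z host=WS01 event=ProcessCreate image=C:\Windows\System32\vssadmin.exe cmd="vssadmin Delete Shadows /All /Quiet"
2021-06-07T10:01:11Z host=WS01 event=ProcessCreate image=C:\Windows\System32\bcdedit.exe cmd="bcdedit /set {default} recoveryenabled No"
2021-06-07T10:01:11Z host=WS01 event=ProcessCreate image=C:\Windows\System32\bcdedit.exe cmd="bcdedit /set {default} bootstatuspolicy ignoreAllFailures"
2021-06-07T10:01:12Z host=WS01 event=ProcessCreate image=C:\Windows\System32\bcdedit.exe cmd="bcdedit /set {globalsettings} advancedoptions false"
2021-06-07T10:05:00Z host=WS02 event=ProcessCreate image=C:\Windows\System32\vssadmin.exe cmd="vssadmin list shadows"
"""


@dataclass(frozen=True)
class Hit:
    ts: datetime
    host: str
    technique: str
    cmd: str


def scan(lines):
    """Return one Hit per (line, technique) whose command line matches."""
    hits = []
    for raw in lines:
        m = LOG_LINE.match(raw)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        for name, pat in TECHNIQUES.items():
            if pat.search(m["cmd"]):
                hits.append(Hit(ts, m["host"], name, m["cmd"]))
    return hits


def correlate(hits, min_techniques=3, window=timedelta(seconds=60)):
    """Return {host: [techniques]} for hosts that run at least min_techniques
    *distinct* recovery-inhibition commands inside one window. A lone
    vssadmin call can be admin work; several different ones in quick
    succession is the pre-encryption pattern described in this report."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h.host].append(h)
    flagged = {}
    for host, hs in by_host.items():
        hs.sort(key=lambda h: h.ts)
        for i, first in enumerate(hs):
            techs = {h.technique for h in hs[i:] if h.ts - first.ts <= window}
            if len(techs) >= min_techniques:
                flagged[host] = sorted(techs)
                break
    return flagged


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.strip().splitlines())
    for h in found:
        print(f"{h.ts.isoformat()} {h.host} {h.technique}: {h.cmd}")
    print("flagged hosts:", correlate(found))
```

On the sample, WS01 produces five hits within three seconds and is flagged; WS02’s `vssadmin list shadows` matches nothing, which is the point of keying on the destructive verbs rather than on the tool name alone.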

Terminated:

sql, mysql, veeam, oracle, ocssd, dbsnmp, synctime, agntsvc, isqlpussvc, xfssvccon, mydesktopservice, ocautoupds, encsvc, firefox, tbirdconfig, mydesktopqos, ocomm, dbeng50, sqbcoreservice, excel, infopath, msaccess, mspub, onenote, outlook, powerpnt, steam, thebat, thunderbird, visio, winword, wordpad, EduLink2SIMS, bengine, benetns, beserver, pvlsvr, beremote, VxLockdownServer, postgres, fdhost, WSSADMIN, wsstracing, OWSTIMER, dfssvc.exe, swc_service.exe, sophos, SAVAdminService, SavService.exe, Hyper-V

Services
Terminated:

vss, sql, memtas, mepocs, sophos, veeam, backup, pulseway, logme, logmein, connectwise, splashtop, mysql, Dfs, vmms, vmcompute, Hyper-V


BlackBerry Assistance

If you’re battling Ragnar Locker ransomware or a similar threat, you’ve come to the right place, regardless of your existing BlackBerry relationship.

The BlackBerry Incident Response Team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.

We have a global consulting team standing by to assist you providing around-the-clock support, where required, as well as local assistance. Please contact us here: https://www.blackberry.com/us/en/forms/cylance/handraiser/emergency-incident-response-containment

The BlackBerry Research & Intelligence Team

About The BlackBerry Research & Intelligence Team

The BlackBerry Research & Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve.