Threat Thursday: Ragnar Locker - New Variants Pose Threat to Sacred Timeline

CYBERSECURITY / 07.01.21 / The BlackBerry Research and Intelligence Team

Update 03.09.22: Ragnar Locker gang breaches 52 critical infrastructure organizations in the U.S. Learn more.

Summary

Ragnar Locker ransomware has made international headlines lately due to targeted attacks against ADATA, a leading Taiwanese manufacturer of high-performance DRAM modules and NAND Flash products. The first variant of this family appeared in late 2019.

Like many other well-known ransomware variants (such as DarkSide, Avaddon, and REvil), the current variant of Ragnar Locker uses a double extortion technique to encourage victims to pay, where data is both encrypted locally and exfiltrated before the ransom demand is made. If the victim refuses to pay, their data is published to a site located on the dark web at hxxp[:]//p6o7m73ujalhgkiv[.]onion/?BatxqaHm8rKxIP16Z1xB.

Upon visiting Ragnar Locker’s dark web site, their latest victims can be seen under their self-dubbed “wall of shame”. They currently claim to have exfiltrated 1.5TB of data from ADATA. According to the website, this information has been carefully gathered for a long time.

Operating System

Risk & Impact

Technical Analysis

Ragnar Locker itself is quite small and low-key, only around 55KB in size. Upon execution, the malware performs a language check on the user’s system. If one of the following former Soviet region languages are found, the malware will immediately terminate its execution:

Azerbaijani	Armenian
Asgardian	Belorussian
Belorussian	Russian
Georgian	Tajik
Moldavian	Turkmen
Kazakh	Uzbek
Kyrgyz	Ukrainian

Ragnar Locker will then perform checks on the following services. If they are found, the services will be stopped:

vss	logmein
sql	connectwise
memtas	splashtop
mepocs	mysql
sophos	Dfs
veeam	vmms
backup	vmcompute
pulseway	Hyper-V
logme

The malware also checks for the following processes. If they are running, they will be stopped:

Sql	Firefox	steam	Postgres
Mysql	Tbirdconfig	thebat	Fdhost
Veeam	Mydesktopqos	thunderbird	WSSADMIN
Oracle	Ocomm	visio	Wsstracing
Ocssd	dbeng50	winword	OWSTIMER
Dbsnmp	sqbcoreservice	wordpad	dfssvc.exe
Synctime	excel	EduLink2SIMS	swc_service.exe
Agntsvc	infopath	Bengine	Sophos
Isqlpussvc	msaccess	Benetns	SAVAdminService
Xfssvccon	mspub	Beserver	SavService.exe
Mydesktopservice	onenote	Pvlsvr	Hyper-V
Ocautoupds	outlook	Beremote
Encsvc	powerpnt	VxLockdownServer

Ragnar Locker then deletes shadow copies and backups stored on the victim’s computer, to ensure the user can’t easily restore their encrypted files (unless they are a member of the Time Variance Authority):

Figure 1: Backup and shadow copy deletion.

Continuing its execution, Ragnar Locker will begin encrypting files, while ignoring some predefined file extensions:

DB	MSI
SYS	DRV
DLL	EXE
LNK	MUI

It will also avoid encrypting the following specific files:

RAGN@R_9150F85A!.txt	Desktop.ini
Autorun.inf	Iconcache.db
Boot.ini	Ntldr
Bootfont.bin	Ntuser.dat
Bootsect.bak	Ntuser.dat.log
Bootmgr	Ntuser.ini
Bootmgr.efi	Thumbs.db
Bootmgfw.efi

Ragnar Locker will search the infected system, and avoid encrypting files in the following locations:

Windows	Opera Software
Windows.old	Mozilla
Tor browser	Mozilla Firefox
Internet Explorer	$Recycle.Bin
Google	ProgramData
Opera	All Users

How Ragnar Locker Ragna-Rocks Your Data

During the encryption process, Ragnar appends a “.RAGN@R_9150F85A” file extension to all affected files:

Figure 2: Files encrypted by Ragnar Locker.

The malware also adds “$$$_RAGNAR_$$$” within the encrypted file itself:

Figure 3: $$$_RAGNAR_$$$ file marker.

Next, a ransom note is dropped into each affected directory. This file named “!$R4GN4R_9150F85A$!.txt”:

Figure 4: Ragnar Locker ransom note drop.

The ransom note informs the infected user that their data has been encrypted and stolen. They also claim that all the data that was stolen could be potentially published by mass media in breaking news, and that victims’ partners, clients, and investors will be notified about this breach.

The note also mentions the user can decrypt two files for free as proof that their decryption tools work:

Figure 5: Ragnar Locker ransom note.

To get in to contact with the Ragnar Locker threat actors, the victim is required to download the Tor browser and open a live chat at the following address:

hxxp[:]//rgngerzxui2kizq6h5ekefneizmn54n4bcjjthyvdir22orayuya5zad[.]onion/client/?bC2aAD71E2976da53FC1Efc3193c8FDeA0BAeF8A37883c9e05d3BFF82CCfE8Ee

The victim can also navigate to Ragnar Locker’s homepage - hxxp[:]//p6o7m73ujalhgkiv[.]onion/?BatxqaHm8rKxIP16Z1xB - to view their “wall of shame”:

Figure 6: Ragnar Locker homepage.

The website’s “wall of shame” includes a list of recent victims. The most recent victim at the time of writing was added on June 7, 2021, with the previous one added on June 5, 2021.

ADATA Update

In an email to Bleeping Computer, ADATA confirmed that it was hit by a ransomware attack on May 23, 2021. It responded by taking down all impacted systems and notifying all relevant international authorities of the incident.

At the time of writing, the Ragnar Locker gang has not received a response from ADATA. As ADATA has to date refused to cooperate with Ragnar Locker and pay the ransom demand, download links of the stolen data were made available on Ragnar Locker’s leak site on June 16, 2021.

The data includes screenshots of ADATA employee’s folders and files, NDA documents, confidential drawings, and more:

Figure 7: Evidence of ADATA’s leaked data.

The larger files from the ADATA breach that were hosted on Mega.nz are no longer available for download. They have been removed by Mega.nz for violating their terms of service:

Figure 8: ADATA archived leaked data.

However, the files that are listed in the image above under the phrase “The first batck (sp) of files is here” can still be downloaded, as they are not hosted on Mega.nz.

Yara Rule

The following Yara rule was authored by the BlackBerry Threat Research Team to catch the threat described in this document:

import "pe"
import "hash"

rule Mal_Ransom_Win32_RagnarLocker
{
    meta:
        description = "Detects W32 Ragnar Locker ransomware"
        author = "Blackberry Threat Research Team "
        date = "2021-11-06"

strings:

        //\\.\PHYSICALDRIVE%d
        $x1 = {5c005c002e005c0050004800590053004900430041004c004400520049005600450025006400}
        //-vmback
        $x2 = {2d0076006d006200610063006b00}
        //-backup
        $x3 = {2d006200610063006b0075007000}
        //-force
        $x4 = {2d0066006f00720063006500}
        //RAGNRPW        $x5 = {5241474e525057}

    condition:
        uint16(0) == 0x5a4d and
        hash.md5(pe.rich_signature.clear_data) == "dba646dcda92145cdadb37ed14cdad58" and
        pe.imphash() == "2c2aab89a4cba444cf2729e2ed61ed4f" and
        filesize < 55KB and
        all of ($x*)
}

Indicators of Compromise (IoCs)

At BlackBerry, we take a prevention-first and AI-driven approach to cybersecurity. Putting prevention first neutralizes malware before the exploitation stage of the kill-chain.

By stopping malware at this stage, BlackBerry® solutions help organizations increase their resilience. It also helps reduce infrastructure complexity and streamline security management to ensure business, people, and endpoints are secure.

File System Actions
Created:

!$R4GN4R__ [A-Z0-9]{8}$!.txt → ransom note file
Example: “!$R4GN4R_9150F85A$!.txt”
.RAGN@R_ [A-Z0-9]{8} → appended file extension to affected files
Example: “.RAGN@R_9150F85A”

Modified:

All affected files post encryption

Deleted:

Shadow volume copies.
Backups.

URL for Communications with Ragnar Locker:

hxxp[:]//p6o7m73ujalhgkiv[.]onion/?BatxqaHm8rKxIP16Z1xB
hxxp[:]//rgngerzxui2kizq6h5ekefneizmn54n4bcjjthyvdir22orayuya5zad[.]onion/client/?bC2aAD71E2976da53FC1Efc3193c8FDeA0BAeF8A37883c9e05d3BFF82CCfE8Ee

Processes
Created:

wmic SHADOWCOPY DELETE delete
vssadmin Delete Shadows /All /Quiet
bcdedit /set {default} recoveryenabled No
cdedit /set {default} bootstatuspolicy ignoreAllFailures
bcdedit /set {globalsettings} advancedoptions false

Terminated:

sql, mysql, veeam, oracle, ocssd, dbsnmp, synctime, agntsvc, isqlpussvc, xfssvccon, mydesktopservice, ocautoupds, encsvc, firefox, tbirdconfig, mydesktopqos, ocomm, dbeng50,sqbcoreservice, excel, infopath, msaccess, mspub, onenote, outlook, powerpnt, steam, thebat, thunderbird, visio, winword, wordpad, EduLink2SIMS, bengine, benetns, beserver, pvlsvr, beremote,VxLockdownServer, postgres, fdhost, WSSADMIN, wsstracing, OWSTIMER, dfssvc.exe, swc_service.exe, sophos, SAVAdminService, SavService.exe, Hyper-V

Services
Terminated:

vss, sql, memtas, mepocs, sophos, veeam, backup, pulseway, logme, logmein, connectwise, splashtop, mysql, Dfs, vmms, vmcompute, Hyper-V

BlackBerry Assistance

If you’re battling Ragnar Locker ransomware or a similar threat, you’ve come to the right place, regardless of your existing BlackBerry relationship.

The BlackBerry Incident Response Team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.

We have a global consulting team standing by to assist you providing around-the-clock support, where required, as well as local assistance. Please contact us here: https://www.blackberry.com/us/en/forms/cylance/handraiser/emergency-incident-response-containment

About The BlackBerry Research and Intelligence Team

The BlackBerry Research and Intelligence team is a highly experienced threat research group specializing in a wide range of cybersecurity disciplines, conducting continuous threat hunting to provide comprehensive insights into emerging threats. We analyze and address various attack vectors, leveraging our deep expertise in the cyberthreat landscape to develop proactive strategies that safeguard against adversaries.

Whether it's identifying new vulnerabilities or staying ahead of sophisticated attack tactics, we are dedicated to securing your digital assets with cutting-edge research and innovative solutions.

Back