Threat Research

Ransomware Roundup: Ragnar Locker Ransomware

By Shunichi Imano and James Slaughter | September 17, 2022

On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within the OSINT community and our datasets. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.

This latest edition of the Ransomware Roundup covers the Ragnar Locker ransomware.

Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts files on the compromised machine and demands ransom for file decryption
Severity level: High

Ragnar Locker Ransomware

Ragnar Locker is ransomware for Windows and Linux that exfiltrates information from a compromised machine, encrypts files using the Salsa20 encryption algorithm, and demands that victims pay a ransom to recover their data. The Ragnar Locker group is known to employ a double extortion tactic. The ransom payment is not only for recovering affected files but also to prevent releasing that stolen information to the public. This group also claims that victims who meet their financial demands will receive information on how the attacker was able to compromise them, along with recommendations for security improvement as a bonus.

In addition to encrypting data, the ransomware deletes volume shadow copies, inhibiting the victim’s ability to recover affected files. It also checks for services such as: vss, sql, veeam, logmein, etc., and terminates them if found.

While infection vectors of Ragnar Locker ransomware vary from victim to victim, compromising the victim’s network through RDP services exposed to the internet using brute forcing techniques and leaked credentials is believed to be one of the initial attack vectors. CVE-2017-0213 (Windows COM Elevation of Privilege Vulnerability) is then reportedly leveraged for privilege escalation and lateral movement.

While the exact number of Ragnar Locker victims has not been identified, at least 16 companies have been listed on its leak site so far this year. Victims’ locales include North America, Europe, and Asia.

Ragnar Locker’s preferred payment method is Bitcoin. They ask a victim to first transfer one Bitcoin to the attacker’s wallet, which is revealed during negotiation, to confirm the transaction worked. The group also asks its victims not to hire professional negotiators, threatening to leak any stolen information if they become aware of the presence of law enforcement. 

Figure 1. Payment Rules imposed by the Ragnar Locker group

The attacker promises to delete all stolen information after payment is made. Promises to delete backdoors left in a victim’s network are concerning, although they are supposedly removed. However, it would be unwise to trust any compromised systems afterward.

Figure 2. Actions allegedly taken by Ragnar Locker upon ransom payment

While some ransomware operators impose voluntary rules against targeting government, military organizations, healthcare providers (hospitals), and critical infrastructures such as powerplants and pipeline operators, the Ragnar Locker threat actor has no such aversion. It recently made the news for stealing 361GB of files from a natural gas provider in Greece and encrypting the organization’s files.

Ragnar Locker poses enough of a threat to critical industries and organizations that the FBI released a flash alert in March 2022 and revealed that over 50 organizations across multiple infrastructure sectors had been affected by the ransomware. The ransomware group was also a member of a “ransomware cartel” and teamed up with other infamous ransomware threat actors such as LockBit and now-defunct Maze.

The Ragnar Locker ransomware dates back to at least the end of December 2019. Since then, the group has made a number of changes that are visible in their ransom notes. 

Figure 3. Ragnar Locker ransom note from December 2019.

Figure 4: Ragnar Locker ransom note from August 2022.

One of the obvious differences is that the ransom note from 2019 only touches on the encryption of the victim’s files, whereas the recent ransom note not only claims the operator has encrypted files but also stolen information from the victim. Another significant difference is that while the victim was asked in earlier attacks to contact the attacker using the Tox Chat instant messaging platform, the recent ransom note includes links to an attacker’s Tor negotiation site and a hidden leak page specific to the victim.

Once the deadline for payment imposed by the Ragnar Locker threat actor passes, or if they feel the victim is not cooperating, the page will be available to anyone who has access to the leak site. The attacker also claims that victims of newer Ragnar Locker variants will receive a discount if contact is made within two days of the infection. In addition, the attacker includes links to Lightshot screenshots hosting pages where a victim can see a snippet of their stolen information as proof that they were indeed compromised.

The Ragnar Locker group operates a data leak site called “Wall of Shame” on Tor. Each leak page is unique to the victim and includes a description of the victim's company, the company address, revenue, and phone number. In most posts, the Ragnar Locker attacker also has choice words about the victim’s security posture, private policy, and handling of customer data.

In a recent posting, the attacker created a page for an alleged victim that includes a screenshot of partly masked stolen information that calls out how much a victim’s competitor paid in a class action lawsuit for a data breach incident.

The ransomware operator made another post a few days later for the same victim after not receiving any response. To put pressure on the victim, the threat actor published a portion of stolen data that allegedly included financial and personal information and internal communications. 

Figure 5. Second leak on a victim company

Again, after no response, the attacker opened a third page for the same victim and published additional files hoping the victim would bend. Interestingly, the attacker claims they had suffered a cyberattack themselves, which prevented them from posting the page earlier. 

Figure 6. Third leak page for the same victim opened by the Ragnar Locker threat actor

The attacker created yet another leak page after the victim did not make contact. This time, the attacker published files containing the personal information of the victim’s customers and threatened that additional information would be leaked daily until negotiation began.

Figure 7. Fourth leak page for an alleged victim opened by the Ragnar Locker attacker

Conclusion

The fact that the Ragnar Locker ransomware group has been active for close to three years and still shows no remorse for targeting critical industries and organizations makes them a more dangerous ransom threat actor than the others. While they label themselves as “pentesters,” they are always on the lookout for new victims for financial gain while shaming them for their alleged security weaknesses.

Fortinet Protection

Fortinet customers are already protected from these malware variants through FortiGuard’s Web Filtering, AntiVirus, FortiMail, FortiClient, and FortiEDR services, as follows:

FortiGuard Labs detects the known Ragnar Locker ransomware variants with the following AV signatures:

  • W32/RagnarLocker.A!tr.ransom
  • W32/RagnarLocker.4C9D!tr.ransom
  • W32/RagnarLocker.43B7!tr.ransom
  • W32/Ragnar.BA87F8F7!tr.ransom
  • W32/Filecoder_RagnarLocker.A!tr
  • W32/Filecoder.OAH!tr.ransom
  • W32/Filecoder.94BA!tr.ransom
  • W32/DelShad.GBT!tr.ransom
  • W32/Kryptik.HFMU!tr
  • W32/Generic.AP.23FB04!tr
  • W32/Deapax.K!tr.ransom
  • W32/Cryptor.A!tr.ransom
  • W32/Ramnit.A
  • PossibleThreat.PALLAS.H!tr.ransom
  • W32/PossibleThreat
  • MalwThreat!fb83IV
  • MalwThreat!ece0IV
  • MalwThreat!7aaeIV
  • MalwThreat!768cIV
  • MalwThreat!6591IV
  • MalwThreat!4ec0IV
  • MalwThreat!3703IV
  • MalwThreat!2946IV
  • MalwThreat!0786IV
  • MalwThreat!06deIV

FortiGuard Labs has the following IPS signature in place for CVE-2017-0213:

  • MS.Windows.COM.Type.Confusion.Privilege.Escalation

IOCs

  • d6a956684e7b3dc1e7c420b8ff2f8f3367f68cc5a7c440a8a2d8f78f1a59c859
  • ab2c3f3e1750b92273772624d2bbf1827bb066ac4b6e5fe7843c884f4d1dfae9
  • b6663af099538a396775273d79cb6fff99a18e2de2a8a2a106de8212cc44f3e2
  • edaddb4671a5ff6cc46b94b0d7fafefe6c623802b462c72cf039c8047ac35328
  • 1318f8a4566a50537f579d24fd1aabcf7e22e89bc75ffd13b3088fc6e80e9a2a
  • c86df3a8c050f430982dc8d4f4cc172ccc37478d1ba2646dc205bffe073484d1
  • b72beb391c75af52c6fb62561f26214b682f12d95660b128d9e21e18e3bff246
  • 46f7b205b0a143b60deb5ad38c042702ddaa18d0ee2954d3380ee302ed1484bc
  • f4277284fa71e81586e67fb5fe464c8cdacc0a2f588e3b80a814b41504a37156
  • 438f11a883070214ad063ddf043460ca54863c1f7bf1db64b6d0d474331c94f8
  • 2bcd2afd6bd3051681ee269beaf46cd20cc1a121e0c2328126e1b63fab6632f2
  • c5c2c382bb3fa555e2c311f8f53a99d62c576dfeeb8aff6ad46f73d8a0d2dd13
  • 4e8e84ad831cf251366b609720d6e3c6523fdd66ea0f989acb5d62e62e418cdf
  • 60620c93071bf5c5f2a024588f8e1d8a0a710d37fd12169cf7526e737934e449
  • 4a63daa8477d16abfcf564aa8ef1f4f68c5e4dbc09f65bd6ebb2f43d8a24ba3d
  • 2036f30ed21663586e62e67efec30c37bb91fb8bc9e1983f69f98f19242ed5cc
  • e7d3ab7cd88592858aaeeaeca61a486352d7ccecfb124bfa6a3725dc682a8201
  • ce33096639fb5c51684e9e3a7c7c7161884ecad29e8d6ad602fd8be42076b8d4
  • 98d91b550f5c6bfc2b7767985071d1dfa2e39780dc41b9d9d07e5117d58a8686
  • 0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36
  • 6fd4ec6611bf7e691be80483bcf860e827d513df45e20d78f29cf4638b6c20e8
  • 4f0268288fb680fbabc48b09a87e828a6e18782516fa9b9bfc23acc2727f6ba9
  • f043f7156e1d678ac2c852c8f364aae93d895cae934d1ec42af13d175465913e
  • cf5ec678a2f836f859eb983eb633d529c25771b3b7505e74aa695b7ca00f9fa8
  • 3bc8ce79ee7043c9ad70698e3fc2013806244dc5112c8c8d465e96757b57b1e1
  • e1957024039b0e48a15c27448f19d4df4f0e4666f9ac34e7f4d42dd3c32e15ed
  • 041fd213326dd5c10a16caf88ff076bb98c68c052284430fba5f601023d39a14
  • 1602d04000a8c7221ed0d97d79f3157303e209d4640d31b8566dd52c2b09d033
  • 7af61ce420051640c50b0e73e718dd8c55dddfcb58917a3bead9d3ece2f3e929
  • c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6
  • dd5d4cf9422b6e4514d49a3ec542cffb682be8a24079010cda689afbb44ac0f4
  • 30dcc7a8ae98e52ee5547379048ca1fc90925e09a2a81c055021ba225c1d064c
  • b670441066ff868d06c682e5167b9dbc85b5323f3acfbbc044cabc0e5a594186
  • 1bf68d3d1b89e4f225c947442dc71a4793a3100465c95ae85ce6f7d987100ee1
  • 68eb2d2d7866775d6bf106a914281491d23769a9eda88fc078328150b8432bb3
  • 63096f288f49b25d50f4aea52dc1fc00871b3927fa2a81fa0b0d752b261a3059
  • ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597
  • 9bdd7f965d1c67396afb0a84c78b4d12118ff377db7efdca4a1340933120f376
  • 9706a97ffa43a0258571def8912dc2b8bf1ee207676052ad1b9c16ca9953fc2c
  • 91b1d3cbc797b08e8c72bc41ec5d1463cf21f7be07dffd1e3a7669f44968880b
  • 53df85f3250eb84f9c8b29731173d8cc9b4416744203b64edc76dd3b589d85c1
  • 6edc6154834951ffc012f575e2827da8e4aca4f67f24ef59a678e02dc40c9c91
  • 086c1455bb93b9901d955eb49ca225e6777cb0dde34176f392a30e2dfb16ed4c
  • 02741ad22a1ff8dfde095cfe5079c39f637d1dabe290b3da5ba44a8325cbf24c
  • 3c103850d13c9564b06087c9ad55ca2c1e2e9b9d063cb7a39d7a105f689f87a8
  • 303a8aefb1331b03abc13963bd10bd5765ac4a9ed1303bb4a4258b6b24571216
  • c85b211a9cf462aa88efe3db72ab5ab9ed91480355f1fd359d2680fdcb1b0c28
  • 9b32d05ae3c054020922b19c813c3353bd7871bbd7679ad11cb6dc50e2227c09
  • d333d5eb3fc8fdd2c18e65723400c2ab939988fae9802937af329bb6b3735720
  • 9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151
  • b9779be12fec26d2cca507ad4092c05d8ece5e5111ff166d3a0a2871fbc7ccd8
  • 0766beb30c575fc68d1ca134bd53c086d2ce63b040e4d0bbd6d89d8c26ca04f6
  • 60233700ee64b9e5d054fa551688e8617328b194534a0fe645411685ce467128
  • dd79b2abc21e766fe3076038482ded43e5069a1af9e0ad29e06dce387bfae900
  • f668f74d8808f5658153ff3e6aee8653b6324ada70a4aa2034dfa20d96875836

FortiGuard Labs Guidance

Due to the ease of disruption, damage to daily operations, potential impact to an organization's reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.

Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

Our FREE NSE trainingNSE 1 – Information Security Awareness includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks and can be easily added to internal training programs.

To effectively deal with the evolving and rapidly expanding risk of ransomware, many organizations will need to make foundational changes to the frequency, location, and security of their data backups. When coupled with potential digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions should all be investigated to minimize risk and reduce the impact of a successful ransomware attack. These include: SASE to protect off-network devices. Advanced endpoint security such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack. And Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context

As part of the industry's leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.

Best Practices include Not Paying a Ransom

Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because payment does not guarantee that files will be recovered. According to a U.S. Department of Treasury's Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).

How Fortinet Can Help

FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. And our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).

Learn more about Fortinet’s FortiGuard Labs threat research and global intelligence organization and Fortinet’s FortiGuard AI-powered Security Services portfolio. Sign up to receive our threat research blogs.