SYMBOLCOMMON_NAMEaka. SYNONYMS
win.ragnarlocker (Back to overview)

RagnarLocker

VTCollection    

There is no description at this point.

References
2023-12-22PRODAFTPRODAFT
Smoke and Mirrors: Understanding The Workings of Wazawaka
Conti Monti Babuk Hive LockBit RagnarLocker Trigona
2023-10-20TechCrunchCarly Page
Authorities confirm RagnarLocker ransomware taken down during international sting
RagnarLocker RagnarLocker
2023-03-30United States District Court (Eastern District of New York)Fortra, HEALTH-ISAC, Microsoft
Cracked Cobalt Strike (1:23-cv-02447)
Black Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit Mount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader
2022-06-23KasperskyDanila Nasonov, Natalya Shornikova, Nikita Nazarov, Vasily Davydov, Vladislav Burtsev
The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)
BlackByte BlackCat Clop Conti Hive LockBit Mespinoza RagnarLocker
2022-05-05Intel 471Intel 471
Cybercrime loves company: Conti cooperated with other ransomware gangs
LockBit Maze RagnarLocker Ryuk
2022-05-01BushidoTokenBushidoToken
Gamer Cheater Hacker Spy
Egregor HelloKitty NetfilterRootkit RagnarLocker Winnti
2022-03-17SophosTilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-03-09The RegisterJessica Lyons Hardcastle
Ragnar ransomware gang hit 52 critical US orgs, says FBI
RagnarLocker
2022-03-09CywareCyware
Ragnar Locker Breached 52 Organizations and Counting, FBI Warns
RagnarLocker
2022-03-07FBIFBI
FBI Flash CU-000163-MW: RagnarLocker Ransomware Indicators of Compromise
RagnarLocker
2022-03-07Bleeping ComputerSergiu Gatlan
FBI: Ransomware gang breached 52 US critical infrastructure orgs
RagnarLocker
2022-02-28TrellixTaylor Mullins
Trellix Global Defenders: Analysis and Protections for RagnarLocker Ransomware
RagnarLocker RagnarLocker
2022-01-20CybleincCyble
Deep Dive Into Ragnar_locker Ransomware Gang
RagnarLocker
2021-10-11AccentureAccenture Cyber Threat Intelligence
Moving Left of the Ransomware Boom
REvil Cobalt Strike MimiKatz RagnarLocker REvil
2021-08-19Seguranca InformaticaPedro Tavares
Ragnar Locker – Malware analysis
RagnarLocker
2021-08-15SymantecThreat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-06-12Twitter (@AltShiftPrtScn)Peter Mackenzie
A thread on RagnarLocker ransomware group's TTP seen in an Incident Response
Cobalt Strike RagnarLocker
2021-05-10DarkTracerDarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-06Cyborg SecurityBrandon Denker
Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-04-13CAPCOMCAPCOM
4th Update Regarding Data Security Incident Due to Unauthorized Access:Investigation Results
RagnarLocker
2021-04-12ilbaroni
Unpacking RAGNARLOCKER via emulation
RagnarLocker
2021-04-07ANALYST1Jon DiMaggio
Ransom Mafia Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker Ryuk SunCrypt TA2101 VIKING SPIDER
2021-04-07ANALYST1Jon DiMaggio
Ransom Mafia - Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker SunCrypt VIKING SPIDER
2021-02-23CrowdStrikeCrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-03Sophos Managed Threat Response (MTR)Greg Iddon
MTR casebook: Uncovering a backdoor implant in a SolarWinds Orion server
RagnarLocker
2021-01-01AcronisAcronis Security
Analysis of Ragnar Locker Ransomware
RagnarLocker
2020-12-16AccenturePaul Mansfield
Tracking and combatting an evolving danger: Ransomware extortion
DarkSide Egregor Maze Nefilim RagnarLocker REvil Ryuk SunCrypt
2020-11-19FBIFBI
MU-000140-MW: Indicators of Compromise Associated with Ragnar Locker Ransomware
RagnarLocker
2020-11-16Intel 471Intel 471
Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-11-11Kaspersky LabsDmitry Bestuzhev, Fedor Sinitsyn
Targeted ransomware: it’s not just about encrypting your data! Part 1 - “Old and New Friends”
Egregor Maze RagnarLocker
2020-11-10KrebsOnSecurityBrian Krebs
Ransomware Group Turns to Facebook Ads
RagnarLocker
2020-11-05Bleeping ComputerLawrence Abrams
Capcom hit by Ragnar Locker ransomware, 1TB allegedly stolen
RagnarLocker
2020-11-05ZDNetCharlie Osborne
Capcom quietly discloses cyberattack impacting email, file servers
RagnarLocker
2020-11-05Bleeping ComputerLawrence Abrams
Japanese game dev Capcom hit by cyberattack, business impacted
RagnarLocker
2020-10-23HornetsecurityHornetsecurity Security Lab
Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt
2020-09-25CrowdStrikeThe Crowdstrike Intel Team
Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker MIMIC SPIDER PIZZO SPIDER TA2101 VIKING SPIDER
2020-09-24CrowdStrikeCrowdStrike Intelligence Team
Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer Gandcrab LockBit Maze MedusaLocker RagnarLocker SamSam OUTLAW SPIDER OVERLORD SPIDER
2020-09-24Kaspersky LabsKaspersky Lab ICS CERT
Threat landscape for industrial automation systems - H1 2020
Poet RAT Mailto Milum RagnarLocker REvil Ryuk Snake
2020-08-25KELAVictoria Kivilevich
How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet
2020-07-30WILDIRE LABSWILDFIRE LABS
Dissecting Ragnar Locker: The Case Of EDP
RagnarLocker
2020-06-09McAfeeAlexandre Mundo
RagnarLocker Ransomware Threatens to Release Confidential Information
RagnarLocker
2020-05-21SophosSophosLabs Uncut
Ragnar Locker ransomware deploys virtual machine to dodge security
RagnarLocker
2020-04-28MicrosoftMicrosoft Threat Protection Intelligence Team
Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
LockBit Mailto Maze MedusaLocker Paradise RagnarLocker REvil RobinHood
2020-04-14Bleeping ComputerSergiu Gatlan
RagnarLocker ransomware hits EDP energy giant, asks for €10M
RagnarLocker
2020-02-04ID RansomwareAndrew Ivanov
RagnarLocker Ransomware
RagnarLocker
Yara Rules
[TLP:WHITE] win_ragnarlocker_auto (20230808 | Detects win.ragnarlocker.)
rule win_ragnarlocker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.ragnarlocker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarlocker"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 898df4feffff 894dc0 8b4f14 898decfeffff 894df8 8b4d0c 0fb601 }
            // n = 7, score = 300
            //   898df4feffff         | mov                 dword ptr [ebp - 0x10c], ecx
            //   894dc0               | mov                 dword ptr [ebp - 0x40], ecx
            //   8b4f14               | mov                 ecx, dword ptr [edi + 0x14]
            //   898decfeffff         | mov                 dword ptr [ebp - 0x114], ecx
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   0fb601               | movzx               eax, byte ptr [ecx]

        $sequence_1 = { 33f1 8b4de8 8bd0 2345d4 3355d4 2355c8 33d0 }
            // n = 7, score = 300
            //   33f1                 | xor                 esi, ecx
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   8bd0                 | mov                 edx, eax
            //   2345d4               | and                 eax, dword ptr [ebp - 0x2c]
            //   3355d4               | xor                 edx, dword ptr [ebp - 0x2c]
            //   2355c8               | and                 edx, dword ptr [ebp - 0x38]
            //   33d0                 | xor                 edx, eax

        $sequence_2 = { 0fb6c5 6a04 0bd0 0fb6c1 6800300000 c1e208 53 }
            // n = 7, score = 300
            //   0fb6c5               | movzx               eax, ch
            //   6a04                 | push                4
            //   0bd0                 | or                  edx, eax
            //   0fb6c1               | movzx               eax, cl
            //   6800300000           | push                0x3000
            //   c1e208               | shl                 edx, 8
            //   53                   | push                ebx

        $sequence_3 = { 039d28ffffff 13bd24ffffff 035d94 137d98 81c338b548f3 81d75bc25639 015df4 }
            // n = 7, score = 300
            //   039d28ffffff         | add                 ebx, dword ptr [ebp - 0xd8]
            //   13bd24ffffff         | adc                 edi, dword ptr [ebp - 0xdc]
            //   035d94               | add                 ebx, dword ptr [ebp - 0x6c]
            //   137d98               | adc                 edi, dword ptr [ebp - 0x68]
            //   81c338b548f3         | add                 ebx, 0xf348b538
            //   81d75bc25639         | adc                 edi, 0x3956c25b
            //   015df4               | add                 dword ptr [ebp - 0xc], ebx

        $sequence_4 = { 0fa4ca17 c1ee09 c1e117 0bda 8b55dc 0bf1 8b4de0 }
            // n = 7, score = 300
            //   0fa4ca17             | shld                edx, ecx, 0x17
            //   c1ee09               | shr                 esi, 9
            //   c1e117               | shl                 ecx, 0x17
            //   0bda                 | or                  ebx, edx
            //   8b55dc               | mov                 edx, dword ptr [ebp - 0x24]
            //   0bf1                 | or                  esi, ecx
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]

        $sequence_5 = { 8bfa 8b4dd4 8bf1 337de8 3375f4 237dac 2355e8 }
            // n = 7, score = 300
            //   8bfa                 | mov                 edi, edx
            //   8b4dd4               | mov                 ecx, dword ptr [ebp - 0x2c]
            //   8bf1                 | mov                 esi, ecx
            //   337de8               | xor                 edi, dword ptr [ebp - 0x18]
            //   3375f4               | xor                 esi, dword ptr [ebp - 0xc]
            //   237dac               | and                 edi, dword ptr [ebp - 0x54]
            //   2355e8               | and                 edx, dword ptr [ebp - 0x18]

        $sequence_6 = { 897dfc 8bbd34ffffff 8bf7 8bcf c1e618 0facd108 }
            // n = 6, score = 300
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   8bbd34ffffff         | mov                 edi, dword ptr [ebp - 0xcc]
            //   8bf7                 | mov                 esi, edi
            //   8bcf                 | mov                 ecx, edi
            //   c1e618               | shl                 esi, 0x18
            //   0facd108             | shrd                ecx, edx, 8

        $sequence_7 = { 3375ec 8b55e8 2355c0 2375d4 33fa 8b4df4 234dec }
            // n = 7, score = 300
            //   3375ec               | xor                 esi, dword ptr [ebp - 0x14]
            //   8b55e8               | mov                 edx, dword ptr [ebp - 0x18]
            //   2355c0               | and                 edx, dword ptr [ebp - 0x40]
            //   2375d4               | and                 esi, dword ptr [ebp - 0x2c]
            //   33fa                 | xor                 edi, edx
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   234dec               | and                 ecx, dword ptr [ebp - 0x14]

        $sequence_8 = { 03c3 8945b8 13cf 33ff 894de0 }
            // n = 5, score = 300
            //   03c3                 | add                 eax, ebx
            //   8945b8               | mov                 dword ptr [ebp - 0x48], eax
            //   13cf                 | adc                 ecx, edi
            //   33ff                 | xor                 edi, edi
            //   894de0               | mov                 dword ptr [ebp - 0x20], ecx

        $sequence_9 = { c1e108 0bc8 0fb64604 c1e108 0bc8 894b14 0f114318 }
            // n = 7, score = 300
            //   c1e108               | shl                 ecx, 8
            //   0bc8                 | or                  ecx, eax
            //   0fb64604             | movzx               eax, byte ptr [esi + 4]
            //   c1e108               | shl                 ecx, 8
            //   0bc8                 | or                  ecx, eax
            //   894b14               | mov                 dword ptr [ebx + 0x14], ecx
            //   0f114318             | movups              xmmword ptr [ebx + 0x18], xmm0

    condition:
        7 of them and filesize < 147456
}
Download all Yara Rules