SYMBOLCOMMON_NAMEaka. SYNONYMS
win.ragnarlocker (Back to overview)

RagnarLocker

There is no description at this point.

References
2023-03-30United States District Court (Eastern District of New York)Microsoft, Fortra, HEALTH-ISAC
@techreport{microsoft:20230330:cracked:08c67c0, author = {Microsoft and Fortra and HEALTH-ISAC}, title = {{Cracked Cobalt Strike (1:23-cv-02447)}}, date = {2023-03-30}, institution = {United States District Court (Eastern District of New York)}, url = {https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf}, language = {English}, urldate = {2023-04-28} } Cracked Cobalt Strike (1:23-cv-02447)
Black Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit Mount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader
2022-06-23KasperskyNikita Nazarov, Vasily Davydov, Natalya Shornikova, Vladislav Burtsev, Danila Nasonov
@online{nazarov:20220623:hateful:9c6bf9a, author = {Nikita Nazarov and Vasily Davydov and Natalya Shornikova and Vladislav Burtsev and Danila Nasonov}, title = {{The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)}}, date = {2022-06-23}, organization = {Kaspersky}, url = {https://securelist.com/modern-ransomware-groups-ttps/106824/}, language = {English}, urldate = {2022-06-27} } The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)
BlackByte BlackCat Clop Conti Hive LockBit Mespinoza RagnarLocker
2022-05-05Intel 471Intel 471
@online{471:20220505:cybercrime:f091e4f, author = {Intel 471}, title = {{Cybercrime loves company: Conti cooperated with other ransomware gangs}}, date = {2022-05-05}, organization = {Intel 471}, url = {https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker}, language = {English}, urldate = {2022-05-05} } Cybercrime loves company: Conti cooperated with other ransomware gangs
LockBit Maze RagnarLocker Ryuk
2022-05-01BushidoTokenBushidoToken
@online{bushidotoken:20220501:gamer:0acfc22, author = {BushidoToken}, title = {{Gamer Cheater Hacker Spy}}, date = {2022-05-01}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html}, language = {English}, urldate = {2022-05-03} } Gamer Cheater Hacker Spy
Egregor HelloKitty NetfilterRootkit RagnarLocker Winnti
2022-03-17SophosTilly Travers
@online{travers:20220317:ransomware:df38f2f, author = {Tilly Travers}, title = {{The Ransomware Threat Intelligence Center}}, date = {2022-03-17}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/}, language = {English}, urldate = {2022-03-18} } The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-03-09The RegisterJessica Lyons Hardcastle
@online{hardcastle:20220309:ragnar:0c09884, author = {Jessica Lyons Hardcastle}, title = {{Ragnar ransomware gang hit 52 critical US orgs, says FBI}}, date = {2022-03-09}, organization = {The Register}, url = {https://www.theregister.com/2022/03/09/fbi_says_ragnar_locker_ransomware/}, language = {English}, urldate = {2022-03-10} } Ragnar ransomware gang hit 52 critical US orgs, says FBI
RagnarLocker
2022-03-09CywareCyware
@online{cyware:20220309:ragnar:21beccd, author = {Cyware}, title = {{Ragnar Locker Breached 52 Organizations and Counting, FBI Warns}}, date = {2022-03-09}, organization = {Cyware}, url = {https://cyware.com/news/ragnar-locker-breached-52-organizations-and-counting-fbi-warns-0588d220/}, language = {English}, urldate = {2022-03-10} } Ragnar Locker Breached 52 Organizations and Counting, FBI Warns
RagnarLocker
2022-03-07Bleeping ComputerSergiu Gatlan
@online{gatlan:20220307:fbi:37b1274, author = {Sergiu Gatlan}, title = {{FBI: Ransomware gang breached 52 US critical infrastructure orgs}}, date = {2022-03-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fbi-ransomware-gang-breached-52-us-critical-infrastructure-orgs/}, language = {English}, urldate = {2022-03-08} } FBI: Ransomware gang breached 52 US critical infrastructure orgs
RagnarLocker
2022-03-07FBIFBI
@techreport{fbi:20220307:fbi:c8c1b8f, author = {FBI}, title = {{FBI Flash CU-000163-MW: RagnarLocker Ransomware Indicators of Compromise}}, date = {2022-03-07}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2022/220307.pdf}, language = {English}, urldate = {2022-03-08} } FBI Flash CU-000163-MW: RagnarLocker Ransomware Indicators of Compromise
RagnarLocker
2022-02-28TrellixTaylor Mullins
@online{mullins:20220228:trellix:de4afa3, author = {Taylor Mullins}, title = {{Trellix Global Defenders: Analysis and Protections for RagnarLocker Ransomware}}, date = {2022-02-28}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/analysis-and-protections-for-ragnarlocker-ransomware.html}, language = {English}, urldate = {2022-04-07} } Trellix Global Defenders: Analysis and Protections for RagnarLocker Ransomware
RagnarLocker RagnarLocker
2022-01-20CybleincCyble
@online{cyble:20220120:deep:e172620, author = {Cyble}, title = {{Deep Dive Into Ragnar_locker Ransomware Gang}}, date = {2022-01-20}, organization = {Cybleinc}, url = {https://blog.cyble.com/2022/01/20/deep-dive-into-ragnar-locker-ransomware-gang/}, language = {English}, urldate = {2022-01-25} } Deep Dive Into Ragnar_locker Ransomware Gang
RagnarLocker
2021-10-11AccentureAccenture Cyber Threat Intelligence
@online{intelligence:20211011:moving:3b0eaec, author = {Accenture Cyber Threat Intelligence}, title = {{Moving Left of the Ransomware Boom}}, date = {2021-10-11}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom}, language = {English}, urldate = {2021-11-03} } Moving Left of the Ransomware Boom
REvil Cobalt Strike MimiKatz RagnarLocker REvil
2021-08-19Seguranca InformaticaPedro Tavares
@online{tavares:20210819:ragnar:eebc3bd, author = {Pedro Tavares}, title = {{Ragnar Locker – Malware analysis}}, date = {2021-08-19}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/ragnar-locker-malware-analysis/}, language = {English}, urldate = {2021-09-12} } Ragnar Locker – Malware analysis
RagnarLocker
2021-08-15SymantecThreat Hunter Team
@techreport{team:20210815:ransomware:f799696, author = {Threat Hunter Team}, title = {{The Ransomware Threat}}, date = {2021-08-15}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf}, language = {English}, urldate = {2021-12-15} } The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-06-12Twitter (@AltShiftPrtScn)Peter Mackenzie
@online{mackenzie:20210612:thread:eac742a, author = {Peter Mackenzie}, title = {{A thread on RagnarLocker ransomware group's TTP seen in an Incident Response}}, date = {2021-06-12}, organization = {Twitter (@AltShiftPrtScn)}, url = {https://twitter.com/AltShiftPrtScn/status/1403707430765273095}, language = {English}, urldate = {2021-06-21} } A thread on RagnarLocker ransomware group's TTP seen in an Incident Response
Cobalt Strike RagnarLocker
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-06Cyborg SecurityBrandon Denker
@online{denker:20210506:ransomware:a1f31df, author = {Brandon Denker}, title = {{Ransomware: Hunting for Inhibiting System Backup or Recovery}}, date = {2021-05-06}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/}, language = {English}, urldate = {2021-05-08} } Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-04-13CAPCOMCAPCOM
@techreport{capcom:20210413:4th:7ce2091, author = {CAPCOM}, title = {{4th Update Regarding Data Security Incident Due to Unauthorized Access:Investigation Results}}, date = {2021-04-13}, institution = {CAPCOM}, url = {https://www.capcom.co.jp/ir/english/news/pdf/e210413.pdf}, language = {English}, urldate = {2021-04-14} } 4th Update Regarding Data Security Incident Due to Unauthorized Access:Investigation Results
RagnarLocker
2021-04-12ilbaroni
@online{ilbaroni:20210412:unpacking:1dffd16, author = {ilbaroni}, title = {{Unpacking RAGNARLOCKER via emulation}}, date = {2021-04-12}, url = {http://reversing.fun/posts/2021/04/15/unpacking_ragnarlocker_via_emulation.html}, language = {English}, urldate = {2022-01-05} } Unpacking RAGNARLOCKER via emulation
RagnarLocker
2021-04-07ANALYST1Jon DiMaggio
@online{dimaggio:20210407:ransom:a109d6f, author = {Jon DiMaggio}, title = {{Ransom Mafia - Analysis of the World's First Ransomware Cartel}}, date = {2021-04-07}, organization = {ANALYST1}, url = {https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel}, language = {English}, urldate = {2021-06-01} } Ransom Mafia - Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker SunCrypt VIKING SPIDER
2021-04-07ANALYST1Jon DiMaggio
@techreport{dimaggio:20210407:ransom:a543eac, author = {Jon DiMaggio}, title = {{Ransom Mafia Analysis of the World's First Ransomware Cartel}}, date = {2021-04-07}, institution = {ANALYST1}, url = {https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf}, language = {English}, urldate = {2021-04-09} } Ransom Mafia Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker Ryuk SunCrypt TA2101 VIKING SPIDER
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-03Sophos Managed Threat Response (MTR)Greg Iddon
@online{iddon:20210203:mtr:8eb9950, author = {Greg Iddon}, title = {{MTR casebook: Uncovering a backdoor implant in a SolarWinds Orion server}}, date = {2021-02-03}, organization = {Sophos Managed Threat Response (MTR)}, url = {https://news.sophos.com/en-us/2021/02/03/mtr-casebook-uncovering-a-backdoor-implant-in-a-solarwinds-orion-server/}, language = {English}, urldate = {2021-02-04} } MTR casebook: Uncovering a backdoor implant in a SolarWinds Orion server
RagnarLocker
2021AcronisAcronis Security
@online{security:2021:analysis:7927c04, author = {Acronis Security}, title = {{Analysis of Ragnar Locker Ransomware}}, date = {2021}, organization = {Acronis}, url = {https://www.acronis.com/en-sg/articles/ragnar-locker/}, language = {English}, urldate = {2021-11-25} } Analysis of Ragnar Locker Ransomware
RagnarLocker
2020-12-16AccenturePaul Mansfield
@online{mansfield:20201216:tracking:25540bd, author = {Paul Mansfield}, title = {{Tracking and combatting an evolving danger: Ransomware extortion}}, date = {2020-12-16}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion}, language = {English}, urldate = {2020-12-17} } Tracking and combatting an evolving danger: Ransomware extortion
DarkSide Egregor Maze Nefilim RagnarLocker REvil Ryuk SunCrypt
2020-11-19FBIFBI
@techreport{fbi:20201119:mu000140mw:680c1f8, author = {FBI}, title = {{MU-000140-MW: Indicators of Compromise Associated with Ragnar Locker Ransomware}}, date = {2020-11-19}, institution = {FBI}, url = {https://www.waterisac.org/system/files/articles/FLASH-MU-000140-MW.pdf}, language = {English}, urldate = {2020-11-23} } MU-000140-MW: Indicators of Compromise Associated with Ragnar Locker Ransomware
RagnarLocker
2020-11-16Intel 471Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-11-11Kaspersky LabsDmitry Bestuzhev, Fedor Sinitsyn
@online{bestuzhev:20201111:targeted:e2e0c3a, author = {Dmitry Bestuzhev and Fedor Sinitsyn}, title = {{Targeted ransomware: it’s not just about encrypting your data! Part 1 - “Old and New Friends”}}, date = {2020-11-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/targeted-ransomware-encrypting-data/99255/}, language = {English}, urldate = {2020-11-11} } Targeted ransomware: it’s not just about encrypting your data! Part 1 - “Old and New Friends”
Egregor Maze RagnarLocker
2020-11-10KrebsOnSecurityBrian Krebs
@online{krebs:20201110:ransomware:91d390a, author = {Brian Krebs}, title = {{Ransomware Group Turns to Facebook Ads}}, date = {2020-11-10}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2020/11/ransomware-group-turns-to-facebook-ads/}, language = {English}, urldate = {2020-11-11} } Ransomware Group Turns to Facebook Ads
RagnarLocker
2020-11-05Bleeping ComputerLawrence Abrams
@online{abrams:20201105:japanese:0221abc, author = {Lawrence Abrams}, title = {{Japanese game dev Capcom hit by cyberattack, business impacted}}, date = {2020-11-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/japanese-game-dev-capcom-hit-by-cyberattack-business-impacted/}, language = {English}, urldate = {2020-11-06} } Japanese game dev Capcom hit by cyberattack, business impacted
RagnarLocker
2020-11-05Bleeping ComputerLawrence Abrams
@online{abrams:20201105:capcom:e0ff215, author = {Lawrence Abrams}, title = {{Capcom hit by Ragnar Locker ransomware, 1TB allegedly stolen}}, date = {2020-11-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/capcom-hit-by-ragnar-locker-ransomware-1tb-allegedly-stolen/}, language = {English}, urldate = {2020-11-06} } Capcom hit by Ragnar Locker ransomware, 1TB allegedly stolen
RagnarLocker
2020-11-05ZDNetCharlie Osborne
@online{osborne:20201105:capcom:3667890, author = {Charlie Osborne}, title = {{Capcom quietly discloses cyberattack impacting email, file servers}}, date = {2020-11-05}, organization = {ZDNet}, url = {https://www.zdnet.com/article/capcom-quietly-discloses-cyberattack-impacting-email-file-servers/}, language = {English}, urldate = {2020-11-06} } Capcom quietly discloses cyberattack impacting email, file servers
RagnarLocker
2020-10-23HornetsecurityHornetsecurity Security Lab
@online{lab:20201023:leakwareransomwarehybrid:ae1de8e, author = {Hornetsecurity Security Lab}, title = {{Leakware-Ransomware-Hybrid Attacks}}, date = {2020-10-23}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/}, language = {English}, urldate = {2020-12-08} } Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt
2020-09-25CrowdStrikeThe Crowdstrike Intel Team
@online{team:20200925:double:fe3b093, author = {The Crowdstrike Intel Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}}, date = {2020-09-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/}, language = {English}, urldate = {2020-10-02} } Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker MIMIC SPIDER PIZZO SPIDER TA2101 VIKING SPIDER
2020-09-24Kaspersky LabsKaspersky Lab ICS CERT
@techreport{cert:20200924:threat:2d7986d, author = {Kaspersky Lab ICS CERT}, title = {{Threat landscape for industrial automation systems - H1 2020}}, date = {2020-09-24}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf}, language = {English}, urldate = {2020-10-04} } Threat landscape for industrial automation systems - H1 2020
Poet RAT Mailto Milum RagnarLocker REvil Ryuk Snake
2020-09-24CrowdStrikeCrowdStrike Intelligence Team
@online{team:20200924:double:3b3ade6, author = {CrowdStrike Intelligence Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}}, date = {2020-09-24}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1}, language = {English}, urldate = {2021-05-31} } Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer Gandcrab LockBit Maze MedusaLocker RagnarLocker SamSam OUTLAW SPIDER OVERLORD SPIDER
2020-08-25KELAVictoria Kivilevich
@online{kivilevich:20200825:how:5db6a82, author = {Victoria Kivilevich}, title = {{How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing}}, date = {2020-08-25}, organization = {KELA}, url = {https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/}, language = {English}, urldate = {2021-05-07} } How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet
2020-07-30WILDIRE LABSWILDFIRE LABS
@online{labs:20200730:dissecting:f58344d, author = {WILDFIRE LABS}, title = {{Dissecting Ragnar Locker: The Case Of EDP}}, date = {2020-07-30}, organization = {WILDIRE LABS}, url = {https://blog.blazeinfosec.com/dissecting-ragnar-locker-the-case-of-edp/}, language = {English}, urldate = {2020-11-09} } Dissecting Ragnar Locker: The Case Of EDP
RagnarLocker
2020-06-09McAfeeAlexandre Mundo
@online{mundo:20200609:ragnarlocker:1f58a4a, author = {Alexandre Mundo}, title = {{RagnarLocker Ransomware Threatens to Release Confidential Information}}, date = {2020-06-09}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ragnarlocker-ransomware-threatens-to-release-confidential-information}, language = {English}, urldate = {2020-06-10} } RagnarLocker Ransomware Threatens to Release Confidential Information
RagnarLocker
2020-05-21SophosSophosLabs Uncut
@online{uncut:20200521:ragnar:446eb50, author = {SophosLabs Uncut}, title = {{Ragnar Locker ransomware deploys virtual machine to dodge security}}, date = {2020-05-21}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/}, language = {English}, urldate = {2020-05-23} } Ragnar Locker ransomware deploys virtual machine to dodge security
RagnarLocker
2020-04-28MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200428:ransomware:3205f3a, author = {Microsoft Threat Protection Intelligence Team}, title = {{Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk}}, date = {2020-04-28}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/}, language = {English}, urldate = {2020-05-05} } Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
LockBit Mailto Maze MedusaLocker Paradise RagnarLocker REvil RobinHood
2020-04-14Bleeping ComputerSergiu Gatlan
@online{gatlan:20200414:ragnarlocker:2a77ec4, author = {Sergiu Gatlan}, title = {{RagnarLocker ransomware hits EDP energy giant, asks for €10M}}, date = {2020-04-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/}, language = {English}, urldate = {2020-04-16} } RagnarLocker ransomware hits EDP energy giant, asks for €10M
RagnarLocker
2020-02-04ID RansomwareAndrew Ivanov
@online{ivanov:20200204:ragnarlocker:7e8d324, author = {Andrew Ivanov}, title = {{RagnarLocker Ransomware}}, date = {2020-02-04}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/02/ragnarlocker-ransomware.html}, language = {Russian}, urldate = {2020-04-15} } RagnarLocker Ransomware
RagnarLocker
Yara Rules
[TLP:WHITE] win_ragnarlocker_auto (20230808 | Detects win.ragnarlocker.)
rule win_ragnarlocker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.ragnarlocker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarlocker"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 898df4feffff 894dc0 8b4f14 898decfeffff 894df8 8b4d0c 0fb601 }
            // n = 7, score = 300
            //   898df4feffff         | mov                 dword ptr [ebp - 0x10c], ecx
            //   894dc0               | mov                 dword ptr [ebp - 0x40], ecx
            //   8b4f14               | mov                 ecx, dword ptr [edi + 0x14]
            //   898decfeffff         | mov                 dword ptr [ebp - 0x114], ecx
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   0fb601               | movzx               eax, byte ptr [ecx]

        $sequence_1 = { 33f1 8b4de8 8bd0 2345d4 3355d4 2355c8 33d0 }
            // n = 7, score = 300
            //   33f1                 | xor                 esi, ecx
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   8bd0                 | mov                 edx, eax
            //   2345d4               | and                 eax, dword ptr [ebp - 0x2c]
            //   3355d4               | xor                 edx, dword ptr [ebp - 0x2c]
            //   2355c8               | and                 edx, dword ptr [ebp - 0x38]
            //   33d0                 | xor                 edx, eax

        $sequence_2 = { 0fb6c5 6a04 0bd0 0fb6c1 6800300000 c1e208 53 }
            // n = 7, score = 300
            //   0fb6c5               | movzx               eax, ch
            //   6a04                 | push                4
            //   0bd0                 | or                  edx, eax
            //   0fb6c1               | movzx               eax, cl
            //   6800300000           | push                0x3000
            //   c1e208               | shl                 edx, 8
            //   53                   | push                ebx

        $sequence_3 = { 039d28ffffff 13bd24ffffff 035d94 137d98 81c338b548f3 81d75bc25639 015df4 }
            // n = 7, score = 300
            //   039d28ffffff         | add                 ebx, dword ptr [ebp - 0xd8]
            //   13bd24ffffff         | adc                 edi, dword ptr [ebp - 0xdc]
            //   035d94               | add                 ebx, dword ptr [ebp - 0x6c]
            //   137d98               | adc                 edi, dword ptr [ebp - 0x68]
            //   81c338b548f3         | add                 ebx, 0xf348b538
            //   81d75bc25639         | adc                 edi, 0x3956c25b
            //   015df4               | add                 dword ptr [ebp - 0xc], ebx

        $sequence_4 = { 0fa4ca17 c1ee09 c1e117 0bda 8b55dc 0bf1 8b4de0 }
            // n = 7, score = 300
            //   0fa4ca17             | shld                edx, ecx, 0x17
            //   c1ee09               | shr                 esi, 9
            //   c1e117               | shl                 ecx, 0x17
            //   0bda                 | or                  ebx, edx
            //   8b55dc               | mov                 edx, dword ptr [ebp - 0x24]
            //   0bf1                 | or                  esi, ecx
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]

        $sequence_5 = { 8bfa 8b4dd4 8bf1 337de8 3375f4 237dac 2355e8 }
            // n = 7, score = 300
            //   8bfa                 | mov                 edi, edx
            //   8b4dd4               | mov                 ecx, dword ptr [ebp - 0x2c]
            //   8bf1                 | mov                 esi, ecx
            //   337de8               | xor                 edi, dword ptr [ebp - 0x18]
            //   3375f4               | xor                 esi, dword ptr [ebp - 0xc]
            //   237dac               | and                 edi, dword ptr [ebp - 0x54]
            //   2355e8               | and                 edx, dword ptr [ebp - 0x18]

        $sequence_6 = { 897dfc 8bbd34ffffff 8bf7 8bcf c1e618 0facd108 }
            // n = 6, score = 300
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   8bbd34ffffff         | mov                 edi, dword ptr [ebp - 0xcc]
            //   8bf7                 | mov                 esi, edi
            //   8bcf                 | mov                 ecx, edi
            //   c1e618               | shl                 esi, 0x18
            //   0facd108             | shrd                ecx, edx, 8

        $sequence_7 = { 3375ec 8b55e8 2355c0 2375d4 33fa 8b4df4 234dec }
            // n = 7, score = 300
            //   3375ec               | xor                 esi, dword ptr [ebp - 0x14]
            //   8b55e8               | mov                 edx, dword ptr [ebp - 0x18]
            //   2355c0               | and                 edx, dword ptr [ebp - 0x40]
            //   2375d4               | and                 esi, dword ptr [ebp - 0x2c]
            //   33fa                 | xor                 edi, edx
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   234dec               | and                 ecx, dword ptr [ebp - 0x14]

        $sequence_8 = { 03c3 8945b8 13cf 33ff 894de0 }
            // n = 5, score = 300
            //   03c3                 | add                 eax, ebx
            //   8945b8               | mov                 dword ptr [ebp - 0x48], eax
            //   13cf                 | adc                 ecx, edi
            //   33ff                 | xor                 edi, edi
            //   894de0               | mov                 dword ptr [ebp - 0x20], ecx

        $sequence_9 = { c1e108 0bc8 0fb64604 c1e108 0bc8 894b14 0f114318 }
            // n = 7, score = 300
            //   c1e108               | shl                 ecx, 8
            //   0bc8                 | or                  ecx, eax
            //   0fb64604             | movzx               eax, byte ptr [esi + 4]
            //   c1e108               | shl                 ecx, 8
            //   0bc8                 | or                  ecx, eax
            //   894b14               | mov                 dword ptr [ebx + 0x14], ecx
            //   0f114318             | movups              xmmword ptr [ebx + 0x18], xmm0

    condition:
        7 of them and filesize < 147456
}
Download all Yara Rules