SYMBOLCOMMON_NAMEaka. SYNONYMS
win.ragnarlocker (Back to overview)

RagnarLocker

There is no description at this point.

References
2022-06-23KasperskyNikita Nazarov, Vasily Davydov, Natalya Shornikova, Vladislav Burtsev, Danila Nasonov
@online{nazarov:20220623:hateful:9c6bf9a, author = {Nikita Nazarov and Vasily Davydov and Natalya Shornikova and Vladislav Burtsev and Danila Nasonov}, title = {{The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)}}, date = {2022-06-23}, organization = {Kaspersky}, url = {https://securelist.com/modern-ransomware-groups-ttps/106824/}, language = {English}, urldate = {2022-06-27} } The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)
BlackByte BlackCat Clop Conti Hive LockBit Mespinoza RagnarLocker
2022-05-05Intel 471Intel 471
@online{471:20220505:cybercrime:f091e4f, author = {Intel 471}, title = {{Cybercrime loves company: Conti cooperated with other ransomware gangs}}, date = {2022-05-05}, organization = {Intel 471}, url = {https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker}, language = {English}, urldate = {2022-05-05} } Cybercrime loves company: Conti cooperated with other ransomware gangs
LockBit Maze RagnarLocker Ryuk
2022-05-01BushidoTokenBushidoToken
@online{bushidotoken:20220501:gamer:0acfc22, author = {BushidoToken}, title = {{Gamer Cheater Hacker Spy}}, date = {2022-05-01}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html}, language = {English}, urldate = {2022-05-03} } Gamer Cheater Hacker Spy
Egregor HelloKitty NetfilterRootkit RagnarLocker Winnti
2022-03-17SophosTilly Travers
@online{travers:20220317:ransomware:df38f2f, author = {Tilly Travers}, title = {{The Ransomware Threat Intelligence Center}}, date = {2022-03-17}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/}, language = {English}, urldate = {2022-03-18} } The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-03-09The RegisterJessica Lyons Hardcastle
@online{hardcastle:20220309:ragnar:0c09884, author = {Jessica Lyons Hardcastle}, title = {{Ragnar ransomware gang hit 52 critical US orgs, says FBI}}, date = {2022-03-09}, organization = {The Register}, url = {https://www.theregister.com/2022/03/09/fbi_says_ragnar_locker_ransomware/}, language = {English}, urldate = {2022-03-10} } Ragnar ransomware gang hit 52 critical US orgs, says FBI
RagnarLocker
2022-03-09CywareCyware
@online{cyware:20220309:ragnar:21beccd, author = {Cyware}, title = {{Ragnar Locker Breached 52 Organizations and Counting, FBI Warns}}, date = {2022-03-09}, organization = {Cyware}, url = {https://cyware.com/news/ragnar-locker-breached-52-organizations-and-counting-fbi-warns-0588d220/}, language = {English}, urldate = {2022-03-10} } Ragnar Locker Breached 52 Organizations and Counting, FBI Warns
RagnarLocker
2022-03-07Bleeping ComputerSergiu Gatlan
@online{gatlan:20220307:fbi:37b1274, author = {Sergiu Gatlan}, title = {{FBI: Ransomware gang breached 52 US critical infrastructure orgs}}, date = {2022-03-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fbi-ransomware-gang-breached-52-us-critical-infrastructure-orgs/}, language = {English}, urldate = {2022-03-08} } FBI: Ransomware gang breached 52 US critical infrastructure orgs
RagnarLocker
2022-03-07FBIFBI
@techreport{fbi:20220307:fbi:c8c1b8f, author = {FBI}, title = {{FBI Flash CU-000163-MW: RagnarLocker Ransomware Indicators of Compromise}}, date = {2022-03-07}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2022/220307.pdf}, language = {English}, urldate = {2022-03-08} } FBI Flash CU-000163-MW: RagnarLocker Ransomware Indicators of Compromise
RagnarLocker
2022-02-28TrellixTaylor Mullins
@online{mullins:20220228:trellix:de4afa3, author = {Taylor Mullins}, title = {{Trellix Global Defenders: Analysis and Protections for RagnarLocker Ransomware}}, date = {2022-02-28}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/analysis-and-protections-for-ragnarlocker-ransomware.html}, language = {English}, urldate = {2022-04-07} } Trellix Global Defenders: Analysis and Protections for RagnarLocker Ransomware
RagnarLocker RagnarLocker
2022-01-20CybleincCyble
@online{cyble:20220120:deep:e172620, author = {Cyble}, title = {{Deep Dive Into Ragnar_locker Ransomware Gang}}, date = {2022-01-20}, organization = {Cybleinc}, url = {https://blog.cyble.com/2022/01/20/deep-dive-into-ragnar-locker-ransomware-gang/}, language = {English}, urldate = {2022-01-25} } Deep Dive Into Ragnar_locker Ransomware Gang
RagnarLocker
2021-10-11AccentureAccenture Cyber Threat Intelligence
@online{intelligence:20211011:moving:3b0eaec, author = {Accenture Cyber Threat Intelligence}, title = {{Moving Left of the Ransomware Boom}}, date = {2021-10-11}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom}, language = {English}, urldate = {2021-11-03} } Moving Left of the Ransomware Boom
REvil Cobalt Strike MimiKatz RagnarLocker REvil
2021-08-19Seguranca InformaticaPedro Tavares
@online{tavares:20210819:ragnar:eebc3bd, author = {Pedro Tavares}, title = {{Ragnar Locker – Malware analysis}}, date = {2021-08-19}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/ragnar-locker-malware-analysis/}, language = {English}, urldate = {2021-09-12} } Ragnar Locker – Malware analysis
RagnarLocker
2021-08-15SymantecThreat Hunter Team
@techreport{team:20210815:ransomware:f799696, author = {Threat Hunter Team}, title = {{The Ransomware Threat}}, date = {2021-08-15}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf}, language = {English}, urldate = {2021-12-15} } The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-06-12Twitter (@AltShiftPrtScn)Peter Mackenzie
@online{mackenzie:20210612:thread:eac742a, author = {Peter Mackenzie}, title = {{A thread on RagnarLocker ransomware group's TTP seen in an Incident Response}}, date = {2021-06-12}, organization = {Twitter (@AltShiftPrtScn)}, url = {https://twitter.com/AltShiftPrtScn/status/1403707430765273095}, language = {English}, urldate = {2021-06-21} } A thread on RagnarLocker ransomware group's TTP seen in an Incident Response
Cobalt Strike RagnarLocker
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-06Cyborg SecurityBrandon Denker
@online{denker:20210506:ransomware:a1f31df, author = {Brandon Denker}, title = {{Ransomware: Hunting for Inhibiting System Backup or Recovery}}, date = {2021-05-06}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/}, language = {English}, urldate = {2021-05-08} } Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-04-13CAPCOMCAPCOM
@techreport{capcom:20210413:4th:7ce2091, author = {CAPCOM}, title = {{4th Update Regarding Data Security Incident Due to Unauthorized Access:Investigation Results}}, date = {2021-04-13}, institution = {CAPCOM}, url = {https://www.capcom.co.jp/ir/english/news/pdf/e210413.pdf}, language = {English}, urldate = {2021-04-14} } 4th Update Regarding Data Security Incident Due to Unauthorized Access:Investigation Results
RagnarLocker
2021-04-12ilbaroni
@online{ilbaroni:20210412:unpacking:1dffd16, author = {ilbaroni}, title = {{Unpacking RAGNARLOCKER via emulation}}, date = {2021-04-12}, url = {http://reversing.fun/posts/2021/04/15/unpacking_ragnarlocker_via_emulation.html}, language = {English}, urldate = {2022-01-05} } Unpacking RAGNARLOCKER via emulation
RagnarLocker
2021-04-07ANALYST1Jon DiMaggio
@online{dimaggio:20210407:ransom:a109d6f, author = {Jon DiMaggio}, title = {{Ransom Mafia - Analysis of the World's First Ransomware Cartel}}, date = {2021-04-07}, organization = {ANALYST1}, url = {https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel}, language = {English}, urldate = {2021-06-01} } Ransom Mafia - Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker SunCrypt VIKING SPIDER
2021-04-07ANALYST1Jon DiMaggio
@techreport{dimaggio:20210407:ransom:a543eac, author = {Jon DiMaggio}, title = {{Ransom Mafia Analysis of the World's First Ransomware Cartel}}, date = {2021-04-07}, institution = {ANALYST1}, url = {https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf}, language = {English}, urldate = {2021-04-09} } Ransom Mafia Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker Ryuk SunCrypt TA2101 VIKING SPIDER
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-03Sophos Managed Threat Response (MTR)Greg Iddon
@online{iddon:20210203:mtr:8eb9950, author = {Greg Iddon}, title = {{MTR casebook: Uncovering a backdoor implant in a SolarWinds Orion server}}, date = {2021-02-03}, organization = {Sophos Managed Threat Response (MTR)}, url = {https://news.sophos.com/en-us/2021/02/03/mtr-casebook-uncovering-a-backdoor-implant-in-a-solarwinds-orion-server/}, language = {English}, urldate = {2021-02-04} } MTR casebook: Uncovering a backdoor implant in a SolarWinds Orion server
RagnarLocker
2021AcronisAcronis Security
@online{security:2021:analysis:7927c04, author = {Acronis Security}, title = {{Analysis of Ragnar Locker Ransomware}}, date = {2021}, organization = {Acronis}, url = {https://www.acronis.com/en-sg/articles/ragnar-locker/}, language = {English}, urldate = {2021-11-25} } Analysis of Ragnar Locker Ransomware
RagnarLocker
2020-12-16AccenturePaul Mansfield
@online{mansfield:20201216:tracking:25540bd, author = {Paul Mansfield}, title = {{Tracking and combatting an evolving danger: Ransomware extortion}}, date = {2020-12-16}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion}, language = {English}, urldate = {2020-12-17} } Tracking and combatting an evolving danger: Ransomware extortion
DarkSide Egregor Maze Nefilim RagnarLocker REvil Ryuk SunCrypt
2020-11-19FBIFBI
@techreport{fbi:20201119:mu000140mw:680c1f8, author = {FBI}, title = {{MU-000140-MW: Indicators of Compromise Associated with Ragnar Locker Ransomware}}, date = {2020-11-19}, institution = {FBI}, url = {https://www.waterisac.org/system/files/articles/FLASH-MU-000140-MW.pdf}, language = {English}, urldate = {2020-11-23} } MU-000140-MW: Indicators of Compromise Associated with Ragnar Locker Ransomware
RagnarLocker
2020-11-16Intel 471Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-11-11Kaspersky LabsDmitry Bestuzhev, Fedor Sinitsyn
@online{bestuzhev:20201111:targeted:e2e0c3a, author = {Dmitry Bestuzhev and Fedor Sinitsyn}, title = {{Targeted ransomware: it’s not just about encrypting your data! Part 1 - “Old and New Friends”}}, date = {2020-11-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/targeted-ransomware-encrypting-data/99255/}, language = {English}, urldate = {2020-11-11} } Targeted ransomware: it’s not just about encrypting your data! Part 1 - “Old and New Friends”
Egregor Maze RagnarLocker
2020-11-10KrebsOnSecurityBrian Krebs
@online{krebs:20201110:ransomware:91d390a, author = {Brian Krebs}, title = {{Ransomware Group Turns to Facebook Ads}}, date = {2020-11-10}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2020/11/ransomware-group-turns-to-facebook-ads/}, language = {English}, urldate = {2020-11-11} } Ransomware Group Turns to Facebook Ads
RagnarLocker
2020-11-05Bleeping ComputerLawrence Abrams
@online{abrams:20201105:japanese:0221abc, author = {Lawrence Abrams}, title = {{Japanese game dev Capcom hit by cyberattack, business impacted}}, date = {2020-11-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/japanese-game-dev-capcom-hit-by-cyberattack-business-impacted/}, language = {English}, urldate = {2020-11-06} } Japanese game dev Capcom hit by cyberattack, business impacted
RagnarLocker
2020-11-05Bleeping ComputerLawrence Abrams
@online{abrams:20201105:capcom:e0ff215, author = {Lawrence Abrams}, title = {{Capcom hit by Ragnar Locker ransomware, 1TB allegedly stolen}}, date = {2020-11-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/capcom-hit-by-ragnar-locker-ransomware-1tb-allegedly-stolen/}, language = {English}, urldate = {2020-11-06} } Capcom hit by Ragnar Locker ransomware, 1TB allegedly stolen
RagnarLocker
2020-11-05ZDNetCharlie Osborne
@online{osborne:20201105:capcom:3667890, author = {Charlie Osborne}, title = {{Capcom quietly discloses cyberattack impacting email, file servers}}, date = {2020-11-05}, organization = {ZDNet}, url = {https://www.zdnet.com/article/capcom-quietly-discloses-cyberattack-impacting-email-file-servers/}, language = {English}, urldate = {2020-11-06} } Capcom quietly discloses cyberattack impacting email, file servers
RagnarLocker
2020-10-23HornetsecurityHornetsecurity Security Lab
@online{lab:20201023:leakwareransomwarehybrid:ae1de8e, author = {Hornetsecurity Security Lab}, title = {{Leakware-Ransomware-Hybrid Attacks}}, date = {2020-10-23}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/}, language = {English}, urldate = {2020-12-08} } Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt
2020-09-25CrowdStrikeThe Crowdstrike Intel Team
@online{team:20200925:double:fe3b093, author = {The Crowdstrike Intel Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}}, date = {2020-09-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/}, language = {English}, urldate = {2020-10-02} } Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker MIMIC SPIDER PIZZO SPIDER TA2101 VIKING SPIDER
2020-09-24Kaspersky LabsKaspersky Lab ICS CERT
@techreport{cert:20200924:threat:2d7986d, author = {Kaspersky Lab ICS CERT}, title = {{Threat landscape for industrial automation systems - H1 2020}}, date = {2020-09-24}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf}, language = {English}, urldate = {2020-10-04} } Threat landscape for industrial automation systems - H1 2020
Poet RAT Mailto Milum RagnarLocker REvil Ryuk Snake
2020-09-24CrowdStrikeCrowdStrike Intelligence Team
@online{team:20200924:double:3b3ade6, author = {CrowdStrike Intelligence Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}}, date = {2020-09-24}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1}, language = {English}, urldate = {2021-05-31} } Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer Gandcrab LockBit Maze MedusaLocker RagnarLocker SamSam OUTLAW SPIDER OVERLORD SPIDER
2020-08-25KELAVictoria Kivilevich
@online{kivilevich:20200825:how:5db6a82, author = {Victoria Kivilevich}, title = {{How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing}}, date = {2020-08-25}, organization = {KELA}, url = {https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/}, language = {English}, urldate = {2021-05-07} } How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet
2020-07-30WILDIRE LABSWILDFIRE LABS
@online{labs:20200730:dissecting:f58344d, author = {WILDFIRE LABS}, title = {{Dissecting Ragnar Locker: The Case Of EDP}}, date = {2020-07-30}, organization = {WILDIRE LABS}, url = {https://blog.blazeinfosec.com/dissecting-ragnar-locker-the-case-of-edp/}, language = {English}, urldate = {2020-11-09} } Dissecting Ragnar Locker: The Case Of EDP
RagnarLocker
2020-06-09McAfeeAlexandre Mundo
@online{mundo:20200609:ragnarlocker:1f58a4a, author = {Alexandre Mundo}, title = {{RagnarLocker Ransomware Threatens to Release Confidential Information}}, date = {2020-06-09}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ragnarlocker-ransomware-threatens-to-release-confidential-information}, language = {English}, urldate = {2020-06-10} } RagnarLocker Ransomware Threatens to Release Confidential Information
RagnarLocker
2020-05-21SophosSophosLabs Uncut
@online{uncut:20200521:ragnar:446eb50, author = {SophosLabs Uncut}, title = {{Ragnar Locker ransomware deploys virtual machine to dodge security}}, date = {2020-05-21}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/}, language = {English}, urldate = {2020-05-23} } Ragnar Locker ransomware deploys virtual machine to dodge security
RagnarLocker
2020-04-28MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200428:ransomware:3205f3a, author = {Microsoft Threat Protection Intelligence Team}, title = {{Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk}}, date = {2020-04-28}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/}, language = {English}, urldate = {2020-05-05} } Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
LockBit Mailto Maze MedusaLocker Paradise RagnarLocker REvil RobinHood
2020-04-14Bleeping ComputerSergiu Gatlan
@online{gatlan:20200414:ragnarlocker:2a77ec4, author = {Sergiu Gatlan}, title = {{RagnarLocker ransomware hits EDP energy giant, asks for €10M}}, date = {2020-04-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/}, language = {English}, urldate = {2020-04-16} } RagnarLocker ransomware hits EDP energy giant, asks for €10M
RagnarLocker
2020-02-04ID RansomwareAndrew Ivanov
@online{ivanov:20200204:ragnarlocker:7e8d324, author = {Andrew Ivanov}, title = {{RagnarLocker Ransomware}}, date = {2020-02-04}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/02/ragnarlocker-ransomware.html}, language = {Russian}, urldate = {2020-04-15} } RagnarLocker Ransomware
RagnarLocker
Yara Rules
[TLP:WHITE] win_ragnarlocker_auto (20220808 | Detects win.ragnarlocker.)
rule win_ragnarlocker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.ragnarlocker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarlocker"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0fa4ca1e c1ef02 8975c0 33f6 0bf2 c1e11e }
            // n = 6, score = 300
            //   0fa4ca1e             | shld                edx, ecx, 0x1e
            //   c1ef02               | shr                 edi, 2
            //   8975c0               | mov                 dword ptr [ebp - 0x40], esi
            //   33f6                 | xor                 esi, esi
            //   0bf2                 | or                  esi, edx
            //   c1e11e               | shl                 ecx, 0x1e

        $sequence_1 = { 0bd8 0fb64102 0fa4de08 99 c1e308 0bf2 0bd8 }
            // n = 7, score = 300
            //   0bd8                 | or                  ebx, eax
            //   0fb64102             | movzx               eax, byte ptr [ecx + 2]
            //   0fa4de08             | shld                esi, ebx, 8
            //   99                   | cdq                 
            //   c1e308               | shl                 ebx, 8
            //   0bf2                 | or                  esi, edx
            //   0bd8                 | or                  ebx, eax

        $sequence_2 = { 8b5644 e8???????? 88437a 0fb64646 884379 0fb64647 884378 }
            // n = 7, score = 300
            //   8b5644               | mov                 edx, dword ptr [esi + 0x44]
            //   e8????????           |                     
            //   88437a               | mov                 byte ptr [ebx + 0x7a], al
            //   0fb64646             | movzx               eax, byte ptr [esi + 0x46]
            //   884379               | mov                 byte ptr [ebx + 0x79], al
            //   0fb64647             | movzx               eax, byte ptr [esi + 0x47]
            //   884378               | mov                 byte ptr [ebx + 0x78], al

        $sequence_3 = { 99 c1e308 0bf2 0bd8 0fb6410d 0fa4de08 }
            // n = 6, score = 300
            //   99                   | cdq                 
            //   c1e308               | shl                 ebx, 8
            //   0bf2                 | or                  esi, edx
            //   0bd8                 | or                  ebx, eax
            //   0fb6410d             | movzx               eax, byte ptr [ecx + 0xd]
            //   0fa4de08             | shld                esi, ebx, 8

        $sequence_4 = { c1e108 0bc8 0fb64704 c1e108 0bc8 894b08 }
            // n = 6, score = 300
            //   c1e108               | shl                 ecx, 8
            //   0bc8                 | or                  ecx, eax
            //   0fb64704             | movzx               eax, byte ptr [edi + 4]
            //   c1e108               | shl                 ecx, 8
            //   0bc8                 | or                  ecx, eax
            //   894b08               | mov                 dword ptr [ebx + 8], ecx

        $sequence_5 = { 83e0fe 50 53 ff15???????? 6a00 6880000010 6a03 }
            // n = 7, score = 300
            //   83e0fe               | and                 eax, 0xfffffffe
            //   50                   | push                eax
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   6880000010           | push                0x10000080
            //   6a03                 | push                3

        $sequence_6 = { 0bf2 0bd8 0fa4de08 0fb64154 33ff c1e308 }
            // n = 6, score = 300
            //   0bf2                 | or                  esi, edx
            //   0bd8                 | or                  ebx, eax
            //   0fa4de08             | shld                esi, ebx, 8
            //   0fb64154             | movzx               eax, byte ptr [ecx + 0x54]
            //   33ff                 | xor                 edi, edi
            //   c1e308               | shl                 ebx, 8

        $sequence_7 = { 0fb6416c 0fa4de08 99 c1e308 0bf2 0bd8 0fb6416d }
            // n = 7, score = 300
            //   0fb6416c             | movzx               eax, byte ptr [ecx + 0x6c]
            //   0fa4de08             | shld                esi, ebx, 8
            //   99                   | cdq                 
            //   c1e308               | shl                 ebx, 8
            //   0bf2                 | or                  esi, edx
            //   0bd8                 | or                  ebx, eax
            //   0fb6416d             | movzx               eax, byte ptr [ecx + 0x6d]

        $sequence_8 = { 8b4df0 03de 13fa 035d88 }
            // n = 4, score = 300
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   03de                 | add                 ebx, esi
            //   13fa                 | adc                 edi, edx
            //   035d88               | add                 ebx, dword ptr [ebp - 0x78]

        $sequence_9 = { 33c0 5b 5d c3 8b4d0c 8bf3 8a21 }
            // n = 7, score = 300
            //   33c0                 | xor                 eax, eax
            //   5b                   | pop                 ebx
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   8bf3                 | mov                 esi, ebx
            //   8a21                 | mov                 ah, byte ptr [ecx]

    condition:
        7 of them and filesize < 147456
}
Download all Yara Rules