SYMBOLCOMMON_NAMEaka. SYNONYMS
win.ragnarlocker (Back to overview)

RagnarLocker

There is no description at this point.

References
2021-04-13CAPCOMCAPCOM
@techreport{capcom:20210413:4th:7ce2091, author = {CAPCOM}, title = {{4th Update Regarding Data Security Incident Due to Unauthorized Access:Investigation Results}}, date = {2021-04-13}, institution = {CAPCOM}, url = {https://www.capcom.co.jp/ir/english/news/pdf/e210413.pdf}, language = {English}, urldate = {2021-04-14} } 4th Update Regarding Data Security Incident Due to Unauthorized Access:Investigation Results
RagnarLocker
2021-04-12reversing.xyz!j
@online{j:20210412:unpacking:1dffd16, author = {!j}, title = {{Unpacking RAGNARLOCKER via emulation}}, date = {2021-04-12}, organization = {reversing.xyz}, url = {https://blog.reversing.xyz/docs/posts/unpacking_ragnarlocker_via_emulation/}, language = {English}, urldate = {2021-04-19} } Unpacking RAGNARLOCKER via emulation
RagnarLocker
2021-04-07ANALYST1Jon DiMaggio
@techreport{dimaggio:20210407:ransom:a543eac, author = {Jon DiMaggio}, title = {{Ransom Mafia Analysis of the World's First Ransomware Cartel}}, date = {2021-04-07}, institution = {ANALYST1}, url = {https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf}, language = {English}, urldate = {2021-04-09} } Ransom Mafia Analysis of the World's First Ransomware Cartel
Conti Ransomware Egregor LockBit Maze RagnarLocker Ryuk SunCrypt
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon Ransomware BazarBackdoor Clop Cobalt Strike Conti Ransomware Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet Ransomware ShadowPad SmokeLoader Snake Ransomware SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader
2021-02-03Sophos Managed Threat Response (MTR)Greg Iddon
@online{iddon:20210203:mtr:8eb9950, author = {Greg Iddon}, title = {{MTR casebook: Uncovering a backdoor implant in a SolarWinds Orion server}}, date = {2021-02-03}, organization = {Sophos Managed Threat Response (MTR)}, url = {https://news.sophos.com/en-us/2021/02/03/mtr-casebook-uncovering-a-backdoor-implant-in-a-solarwinds-orion-server/}, language = {English}, urldate = {2021-02-04} } MTR casebook: Uncovering a backdoor implant in a SolarWinds Orion server
RagnarLocker
2020-12-16AccenturePaul Mansfield
@online{mansfield:20201216:tracking:25540bd, author = {Paul Mansfield}, title = {{Tracking and combatting an evolving danger: Ransomware extortion}}, date = {2020-12-16}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion}, language = {English}, urldate = {2020-12-17} } Tracking and combatting an evolving danger: Ransomware extortion
DarkSide Egregor Maze Nefilim Ransomware RagnarLocker REvil Ryuk SunCrypt
2020-11-19FBIFBI
@techreport{fbi:20201119:mu000140mw:680c1f8, author = {FBI}, title = {{MU-000140-MW: Indicators of Compromise Associated with Ragnar Locker Ransomware}}, date = {2020-11-19}, institution = {FBI}, url = {https://www.waterisac.org/system/files/articles/FLASH-MU-000140-MW.pdf}, language = {English}, urldate = {2020-11-23} } MU-000140-MW: Indicators of Compromise Associated with Ragnar Locker Ransomware
RagnarLocker
2020-11-16Intel 471Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Ransomware Clop Conti Ransomware DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX Ransomware
2020-11-11Kaspersky LabsDmitry Bestuzhev, Fedor Sinitsyn
@online{bestuzhev:20201111:targeted:e2e0c3a, author = {Dmitry Bestuzhev and Fedor Sinitsyn}, title = {{Targeted ransomware: it’s not just about encrypting your data! Part 1 - “Old and New Friends”}}, date = {2020-11-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/targeted-ransomware-encrypting-data/99255/}, language = {English}, urldate = {2020-11-11} } Targeted ransomware: it’s not just about encrypting your data! Part 1 - “Old and New Friends”
Egregor Maze RagnarLocker
2020-11-10KrebsOnSecurityBrian Krebs
@online{krebs:20201110:ransomware:91d390a, author = {Brian Krebs}, title = {{Ransomware Group Turns to Facebook Ads}}, date = {2020-11-10}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2020/11/ransomware-group-turns-to-facebook-ads/}, language = {English}, urldate = {2020-11-11} } Ransomware Group Turns to Facebook Ads
RagnarLocker
2020-11-05Bleeping ComputerLawrence Abrams
@online{abrams:20201105:capcom:e0ff215, author = {Lawrence Abrams}, title = {{Capcom hit by Ragnar Locker ransomware, 1TB allegedly stolen}}, date = {2020-11-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/capcom-hit-by-ragnar-locker-ransomware-1tb-allegedly-stolen/}, language = {English}, urldate = {2020-11-06} } Capcom hit by Ragnar Locker ransomware, 1TB allegedly stolen
RagnarLocker
2020-11-05ZDNetCharlie Osborne
@online{osborne:20201105:capcom:3667890, author = {Charlie Osborne}, title = {{Capcom quietly discloses cyberattack impacting email, file servers}}, date = {2020-11-05}, organization = {ZDNet}, url = {https://www.zdnet.com/article/capcom-quietly-discloses-cyberattack-impacting-email-file-servers/}, language = {English}, urldate = {2020-11-06} } Capcom quietly discloses cyberattack impacting email, file servers
RagnarLocker
2020-11-05Bleeping ComputerLawrence Abrams
@online{abrams:20201105:japanese:0221abc, author = {Lawrence Abrams}, title = {{Japanese game dev Capcom hit by cyberattack, business impacted}}, date = {2020-11-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/japanese-game-dev-capcom-hit-by-cyberattack-business-impacted/}, language = {English}, urldate = {2020-11-06} } Japanese game dev Capcom hit by cyberattack, business impacted
RagnarLocker
2020-10-23HornetsecurityHornetsecurity Security Lab
@online{lab:20201023:leakwareransomwarehybrid:ae1de8e, author = {Hornetsecurity Security Lab}, title = {{Leakware-Ransomware-Hybrid Attacks}}, date = {2020-10-23}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/}, language = {English}, urldate = {2020-12-08} } Leakware-Ransomware-Hybrid Attacks
Avaddon Ransomware Clop Conti Ransomware DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim Ransomware RagnarLocker REvil Sekhmet Ransomware SunCrypt
2020-09-25CrowdStrikeThe Crowdstrike Intel Team
@online{team:20200925:double:fe3b093, author = {The Crowdstrike Intel Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}}, date = {2020-09-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/}, language = {English}, urldate = {2020-10-02} } Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker
2020-09-24Kaspersky LabsKaspersky Lab ICS CERT
@techreport{cert:20200924:threat:2d7986d, author = {Kaspersky Lab ICS CERT}, title = {{Threat landscape for industrial automation systems - H1 2020}}, date = {2020-09-24}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf}, language = {English}, urldate = {2020-10-04} } Threat landscape for industrial automation systems - H1 2020
Poet RAT Mailto Milum RagnarLocker REvil Ryuk Snake Ransomware
2020-07-30WILDIRE LABSWILDFIRE LABS
@online{labs:20200730:dissecting:f58344d, author = {WILDFIRE LABS}, title = {{Dissecting Ragnar Locker: The Case Of EDP}}, date = {2020-07-30}, organization = {WILDIRE LABS}, url = {https://blog.blazeinfosec.com/dissecting-ragnar-locker-the-case-of-edp/}, language = {English}, urldate = {2020-11-09} } Dissecting Ragnar Locker: The Case Of EDP
RagnarLocker
2020-06-09McAfeeAlexandre Mundo
@online{mundo:20200609:ragnarlocker:1f58a4a, author = {Alexandre Mundo}, title = {{RagnarLocker Ransomware Threatens to Release Confidential Information}}, date = {2020-06-09}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ragnarlocker-ransomware-threatens-to-release-confidential-information}, language = {English}, urldate = {2020-06-10} } RagnarLocker Ransomware Threatens to Release Confidential Information
RagnarLocker
2020-05-21SophosSophosLabs Uncut
@online{uncut:20200521:ragnar:446eb50, author = {SophosLabs Uncut}, title = {{Ragnar Locker ransomware deploys virtual machine to dodge security}}, date = {2020-05-21}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/}, language = {English}, urldate = {2020-05-23} } Ragnar Locker ransomware deploys virtual machine to dodge security
RagnarLocker
2020-04-28MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200428:ransomware:3205f3a, author = {Microsoft Threat Protection Intelligence Team}, title = {{Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk}}, date = {2020-04-28}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/}, language = {English}, urldate = {2020-05-05} } Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
LockBit Mailto Maze MedusaLocker Paradise Ransomware RagnarLocker REvil RobinHood
2020-04-14Bleeping ComputerSergiu Gatlan
@online{gatlan:20200414:ragnarlocker:2a77ec4, author = {Sergiu Gatlan}, title = {{RagnarLocker ransomware hits EDP energy giant, asks for €10M}}, date = {2020-04-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/}, language = {English}, urldate = {2020-04-16} } RagnarLocker ransomware hits EDP energy giant, asks for €10M
RagnarLocker
2020-02-04ID RansomwareAndrew Ivanov
@online{ivanov:20200204:ragnarlocker:7e8d324, author = {Andrew Ivanov}, title = {{RagnarLocker Ransomware}}, date = {2020-02-04}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/02/ragnarlocker-ransomware.html}, language = {Russian}, urldate = {2020-04-15} } RagnarLocker Ransomware
RagnarLocker
Yara Rules
[TLP:WHITE] win_ragnarlocker_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_ragnarlocker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarlocker"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8bf1 3375e8 2375ac 234de8 8b45d4 }
            // n = 5, score = 300
            //   8bf1                 | mov                 esi, ecx
            //   3375e8               | xor                 esi, dword ptr [ebp - 0x18]
            //   2375ac               | and                 esi, dword ptr [ebp - 0x54]
            //   234de8               | and                 ecx, dword ptr [ebp - 0x18]
            //   8b45d4               | mov                 eax, dword ptr [ebp - 0x2c]

        $sequence_1 = { c1e308 0bd8 0fb64133 0fa4de08 99 0bf2 c1e308 }
            // n = 7, score = 300
            //   c1e308               | shl                 ebx, 8
            //   0bd8                 | or                  ebx, eax
            //   0fb64133             | movzx               eax, byte ptr [ecx + 0x33]
            //   0fa4de08             | shld                esi, ebx, 8
            //   99                   | cdq                 
            //   0bf2                 | or                  esi, edx
            //   c1e308               | shl                 ebx, 8

        $sequence_2 = { 33d2 898508ffffff 8bd9 8b473c 33ff 898504ffffff 8b851cffffff }
            // n = 7, score = 300
            //   33d2                 | xor                 edx, edx
            //   898508ffffff         | mov                 dword ptr [ebp - 0xf8], eax
            //   8bd9                 | mov                 ebx, ecx
            //   8b473c               | mov                 eax, dword ptr [edi + 0x3c]
            //   33ff                 | xor                 edi, edi
            //   898504ffffff         | mov                 dword ptr [ebp - 0xfc], eax
            //   8b851cffffff         | mov                 eax, dword ptr [ebp - 0xe4]

        $sequence_3 = { 8bf1 8b45f4 0fa4c119 c1ee07 c1e019 0bd1 0bf0 }
            // n = 7, score = 300
            //   8bf1                 | mov                 esi, ecx
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   0fa4c119             | shld                ecx, eax, 0x19
            //   c1ee07               | shr                 esi, 7
            //   c1e019               | shl                 eax, 0x19
            //   0bd1                 | or                  edx, ecx
            //   0bf0                 | or                  esi, eax

        $sequence_4 = { 33de 8b75f8 0facd107 33f7 c1ea07 33d9 8b8d58ffffff }
            // n = 7, score = 300
            //   33de                 | xor                 ebx, esi
            //   8b75f8               | mov                 esi, dword ptr [ebp - 8]
            //   0facd107             | shrd                ecx, edx, 7
            //   33f7                 | xor                 esi, edi
            //   c1ea07               | shr                 edx, 7
            //   33d9                 | xor                 ebx, ecx
            //   8b8d58ffffff         | mov                 ecx, dword ptr [ebp - 0xa8]

        $sequence_5 = { 13f7 99 8975b0 8bd8 0fb64151 8bf2 0fa4de08 }
            // n = 7, score = 300
            //   13f7                 | adc                 esi, edi
            //   99                   | cdq                 
            //   8975b0               | mov                 dword ptr [ebp - 0x50], esi
            //   8bd8                 | mov                 ebx, eax
            //   0fb64151             | movzx               eax, byte ptr [ecx + 0x51]
            //   8bf2                 | mov                 esi, edx
            //   0fa4de08             | shld                esi, ebx, 8

        $sequence_6 = { 234de0 2345dc 2375d8 2355ec 33f1 }
            // n = 5, score = 300
            //   234de0               | and                 ecx, dword ptr [ebp - 0x20]
            //   2345dc               | and                 eax, dword ptr [ebp - 0x24]
            //   2375d8               | and                 esi, dword ptr [ebp - 0x28]
            //   2355ec               | and                 edx, dword ptr [ebp - 0x14]
            //   33f1                 | xor                 esi, ecx

        $sequence_7 = { 8bf9 0facd112 c1e70e c1ea12 0bfa 8975fc 8b55f0 }
            // n = 7, score = 300
            //   8bf9                 | mov                 edi, ecx
            //   0facd112             | shrd                ecx, edx, 0x12
            //   c1e70e               | shl                 edi, 0xe
            //   c1ea12               | shr                 edx, 0x12
            //   0bfa                 | or                  edi, edx
            //   8975fc               | mov                 dword ptr [ebp - 4], esi
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]

        $sequence_8 = { 8b55ec 8b4df8 03cf 13de 034860 135864 034d90 }
            // n = 7, score = 300
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   03cf                 | add                 ecx, edi
            //   13de                 | adc                 ebx, esi
            //   034860               | add                 ecx, dword ptr [eax + 0x60]
            //   135864               | adc                 ebx, dword ptr [eax + 0x64]
            //   034d90               | add                 ecx, dword ptr [ebp - 0x70]

        $sequence_9 = { 0bf2 8b55f4 897dd8 8bfa }
            // n = 4, score = 300
            //   0bf2                 | or                  esi, edx
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   897dd8               | mov                 dword ptr [ebp - 0x28], edi
            //   8bfa                 | mov                 edi, edx

    condition:
        7 of them and filesize < 147456
}
Download all Yara Rules