win.ragnarlocker

RagnarLocker


There is no description at this point. The references below document RagnarLocker as a ransomware family that threatens to publish stolen confidential data (McAfee, 2020-06), deploys a virtual machine to evade endpoint security (Sophos, 2020-05), and was used against the energy company EDP with a €10M demand (Bleeping Computer, 2020-04).

References
2020-06-09McAfeeAlexandre Mundo
@online{mundo:20200609:ragnarlocker:1f58a4a, author = {Alexandre Mundo}, title = {{RagnarLocker Ransomware Threatens to Release Confidential Information}}, date = {2020-06-09}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ragnarlocker-ransomware-threatens-to-release-confidential-information}, language = {English}, urldate = {2020-06-10} } RagnarLocker Ransomware Threatens to Release Confidential Information
RagnarLocker
2020-05-21SophosSophosLabs Uncut
@online{uncut:20200521:ragnar:446eb50, author = {SophosLabs Uncut}, title = {{Ragnar Locker ransomware deploys virtual machine to dodge security}}, date = {2020-05-21}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/}, language = {English}, urldate = {2020-05-23} } Ragnar Locker ransomware deploys virtual machine to dodge security
RagnarLocker
2020-04-28MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200428:ransomware:3205f3a, author = {Microsoft Threat Protection Intelligence Team}, title = {{Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk}}, date = {2020-04-28}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/}, language = {English}, urldate = {2020-05-05} } Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
LockBit Mailto Maze MedusaLocker Paradise Ransomware RagnarLocker REvil RobinHood
2020-04-14Bleeping ComputerSergiu Gatlan
@online{gatlan:20200414:ragnarlocker:2a77ec4, author = {Sergiu Gatlan}, title = {{RagnarLocker ransomware hits EDP energy giant, asks for €10M}}, date = {2020-04-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/}, language = {English}, urldate = {2020-04-16} } RagnarLocker ransomware hits EDP energy giant, asks for €10M
RagnarLocker
2020-02-04ID RansomwareAndrew Ivanov
@online{ivanov:20200204:ragnarlocker:7e8d324, author = {Andrew Ivanov}, title = {{RagnarLocker Ransomware}}, date = {2020-02-04}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/02/ragnarlocker-ransomware.html}, language = {Russian}, urldate = {2020-04-15} } RagnarLocker Ransomware
RagnarLocker
Yara Rules
[TLP:WHITE] win_ragnarlocker_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_ragnarlocker_auto {
    // Auto-generated code-pattern rule for RagnarLocker. Every sequence below is
    // 32-bit x86 code (ebp-relative stack frames, push-based argument passing), so
    // this rule targets the unpacked 32-bit code as it appears in memory / unpacked
    // files (see DISCLAIMER); a packed on-disk sample may not match even if it
    // contains this code once unpacked.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarlocker"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // sequence_0/1/4/5/6: xor/and/shift mixing of 32-bit words held in
        // ebp-relative stack slots. This looks like a hand-inlined arithmetic /
        // cryptographic primitive, but the specific algorithm cannot be named from
        // these fragments alone -- NOTE(review): confirm against the sample.
        $sequence_0 = { 0bf0 3175bc 234db4 8b75c8 8b45a0 33f2 2345f0 }
            // n = 7, score = 200
            //   0bf0                 | or                  esi, eax
            //   3175bc               | xor                 dword ptr [ebp - 0x44], esi
            //   234db4               | and                 ecx, dword ptr [ebp - 0x4c]
            //   8b75c8               | mov                 esi, dword ptr [ebp - 0x38]
            //   8b45a0               | mov                 eax, dword ptr [ebp - 0x60]
            //   33f2                 | xor                 esi, edx
            //   2345f0               | and                 eax, dword ptr [ebp - 0x10]

        // shld/shr/shl/or on a register pair: a 64-bit shift-and-combine by 30 bits
        // (0x1e), result xor-ed into a stack slot.
        $sequence_1 = { 8bf1 0fa4c11e c1ee02 c1e01e 0bf0 8955f4 3175f4 }
            // n = 7, score = 200
            //   8bf1                 | mov                 esi, ecx
            //   0fa4c11e             | shld                ecx, eax, 0x1e
            //   c1ee02               | shr                 esi, 2
            //   c1e01e               | shl                 eax, 0x1e
            //   0bf0                 | or                  esi, eax
            //   8955f4               | mov                 dword ptr [ebp - 0xc], edx
            //   3175f4               | xor                 dword ptr [ebp - 0xc], esi

        // Loop-style scan comparing a byte at [esi] against 0x0d ('\r'), i.e. a
        // line-end check in text processing; the 6-byte nop is compiler padding
        // (loop-head alignment).
        $sequence_2 = { 2bc1 3bc3 7d11 660f1f440000 803e0d 7406 }
            // n = 6, score = 200
            //   2bc1                 | sub                 eax, ecx
            //   3bc3                 | cmp                 eax, ebx
            //   7d11                 | jge                 0x13
            //   660f1f440000         | nop                 word ptr [eax + eax]
            //   803e0d               | cmp                 byte ptr [esi], 0xd
            //   7406                 | je                  8

        // Byte-wise assembly of a multi-byte value from [edi + 0x1d..0x1f]: the
        // higher-address byte is shifted into the higher bits (manual little-endian
        // load from a byte buffer).
        $sequence_3 = { 0fb64f1f 0fb6471e c1e108 0bc8 0fb6471d }
            // n = 5, score = 200
            //   0fb64f1f             | movzx               ecx, byte ptr [edi + 0x1f]
            //   0fb6471e             | movzx               eax, byte ptr [edi + 0x1e]
            //   c1e108               | shl                 ecx, 8
            //   0bc8                 | or                  ecx, eax
            //   0fb6471d             | movzx               eax, byte ptr [edi + 0x1d]

        $sequence_4 = { 317db4 0bf2 3175b8 33f6 8b55f8 8bfa 8b4dc4 }
            // n = 7, score = 200
            //   317db4               | xor                 dword ptr [ebp - 0x4c], edi
            //   0bf2                 | or                  esi, edx
            //   3175b8               | xor                 dword ptr [ebp - 0x48], esi
            //   33f6                 | xor                 esi, esi
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   8bfa                 | mov                 edi, edx
            //   8b4dc4               | mov                 ecx, dword ptr [ebp - 0x3c]

        $sequence_5 = { 8b75ec 334d84 33f2 8b4590 2345c8 334588 8b55e8 }
            // n = 7, score = 200
            //   8b75ec               | mov                 esi, dword ptr [ebp - 0x14]
            //   334d84               | xor                 ecx, dword ptr [ebp - 0x7c]
            //   33f2                 | xor                 esi, edx
            //   8b4590               | mov                 eax, dword ptr [ebp - 0x70]
            //   2345c8               | and                 eax, dword ptr [ebp - 0x38]
            //   334588               | xor                 eax, dword ptr [ebp - 0x78]
            //   8b55e8               | mov                 edx, dword ptr [ebp - 0x18]

        $sequence_6 = { 33f7 33d9 c1ea07 8b8d28ffffff 33f2 8b9524ffffff }
            // n = 6, score = 200
            //   33f7                 | xor                 esi, edi
            //   33d9                 | xor                 ebx, ecx
            //   c1ea07               | shr                 edx, 7
            //   8b8d28ffffff         | mov                 ecx, dword ptr [ebp - 0xd8]
            //   33f2                 | xor                 esi, edx
            //   8b9524ffffff         | mov                 edx, dword ptr [ebp - 0xdc]

        // Indirect call through a memory pointer (ff15 = call dword ptr [addr],
        // typically an import-table slot); the 4-byte address is wildcarded because
        // it is build/relocation specific. The pushes that follow set up the
        // arguments (0, 0, 0, 2, 0) for the *next* call, and mov ebx, eax saves the
        // return value of this one.
        $sequence_7 = { ff15???????? 6a00 6a00 6a00 6a02 6a00 8bd8 }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   6a00                 | push                0
            //   8bd8                 | mov                 ebx, eax

        // sequence_8/9: a 64-bit accumulator in esi:ebx is shifted left by 8
        // (shld + shl) and the next byte from [ecx + off] is OR-ed in, i.e. bytes
        // are packed into a 64-bit value one at a time.
        $sequence_8 = { 0bd8 0fb6410f 0fa4de08 8b4d98 99 0bf2 c1e308 }
            // n = 7, score = 200
            //   0bd8                 | or                  ebx, eax
            //   0fb6410f             | movzx               eax, byte ptr [ecx + 0xf]
            //   0fa4de08             | shld                esi, ebx, 8
            //   8b4d98               | mov                 ecx, dword ptr [ebp - 0x68]
            //   99                   | cdq                 
            //   0bf2                 | or                  esi, edx
            //   c1e308               | shl                 ebx, 8

        $sequence_9 = { 0fa4de08 99 c1e308 0bf2 0bd8 0fb64112 }
            // n = 6, score = 200
            //   0fa4de08             | shld                esi, ebx, 8
            //   99                   | cdq                 
            //   c1e308               | shl                 ebx, 8
            //   0bf2                 | or                  esi, edx
            //   0bd8                 | or                  ebx, eax
            //   0fb64112             | movzx               eax, byte ptr [ecx + 0x12]

    condition:
        // At least 7 of the 10 sequences must be present, and the scanned object
        // must be smaller than 147456 bytes (0x24000, 144 KiB). The size cap is
        // derived from the documented sample(s); a larger build, a packed on-disk
        // file, or a full process dump will fail the filesize test even when the
        // code is present, so drop or raise the cap when scanning such objects.
        7 of them and filesize < 147456
}