RagnarLocker (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.ragnarlocker (Back to overview)

RagnarLocker

VTCollection

There is no description at this point.

References

2023-12-22 ⋅ PRODAFT ⋅ PRODAFT
Smoke and Mirrors: Understanding The Workings of Wazawaka
Conti Monti Babuk Hive LockBit RagnarLocker Trigona

2023-10-20 ⋅ TechCrunch ⋅ Carly Page
Authorities confirm RagnarLocker ransomware taken down during international sting
RagnarLocker RagnarLocker

2023-03-30 ⋅ United States District Court (Eastern District of New York) ⋅ Fortra, HEALTH-ISAC, Microsoft
Cracked Cobalt Strike (1:23-cv-02447)
Black Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit Mount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader

2022-06-23 ⋅ Kaspersky ⋅ Danila Nasonov, Natalya Shornikova, Nikita Nazarov, Vasily Davydov, Vladislav Burtsev
The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)
BlackByte BlackCat Clop Conti Hive LockBit Mespinoza RagnarLocker

2022-05-05 ⋅ Intel 471 ⋅ Intel 471
Cybercrime loves company: Conti cooperated with other ransomware gangs
LockBit Maze RagnarLocker Ryuk

2022-05-01 ⋅ BushidoToken ⋅ BushidoToken
Gamer Cheater Hacker Spy
Egregor HelloKitty NetfilterRootkit RagnarLocker Winnti

2022-03-17 ⋅ Sophos ⋅ Tilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker

2022-03-09 ⋅ The Register ⋅ Jessica Lyons Hardcastle
Ragnar ransomware gang hit 52 critical US orgs, says FBI
RagnarLocker

2022-03-09 ⋅ Cyware ⋅ Cyware
Ragnar Locker Breached 52 Organizations and Counting, FBI Warns
RagnarLocker

2022-03-07 ⋅ FBI ⋅ FBI
FBI Flash CU-000163-MW: RagnarLocker Ransomware Indicators of Compromise
RagnarLocker

2022-03-07 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
FBI: Ransomware gang breached 52 US critical infrastructure orgs
RagnarLocker

2022-02-28 ⋅ Trellix ⋅ Taylor Mullins
Trellix Global Defenders: Analysis and Protections for RagnarLocker Ransomware
RagnarLocker RagnarLocker

2022-01-20 ⋅ Cybleinc ⋅ Cyble
Deep Dive Into Ragnar_locker Ransomware Gang
RagnarLocker

2021-10-11 ⋅ Accenture ⋅ Accenture Cyber Threat Intelligence
Moving Left of the Ransomware Boom
REvil Cobalt Strike MimiKatz RagnarLocker REvil

2021-08-19 ⋅ Seguranca Informatica ⋅ Pedro Tavares
Ragnar Locker – Malware analysis
RagnarLocker

2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker

2021-06-12 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie
A thread on RagnarLocker ransomware group's TTP seen in an Incident Response
Cobalt Strike RagnarLocker

2021-05-10 ⋅ DarkTracer ⋅ DarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX

2021-05-06 ⋅ Cyborg Security ⋅ Brandon Denker
Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX

2021-04-13 ⋅ CAPCOM ⋅ CAPCOM
4th Update Regarding Data Security Incident Due to Unauthorized Access:Investigation Results
RagnarLocker

2021-04-12 ⋅ ilbaroni
Unpacking RAGNARLOCKER via emulation
RagnarLocker

2021-04-07 ⋅ ANALYST1 ⋅ Jon DiMaggio
Ransom Mafia Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker Ryuk SunCrypt TA2101 VIKING SPIDER

2021-04-07 ⋅ ANALYST1 ⋅ Jon DiMaggio
Ransom Mafia - Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker SunCrypt VIKING SPIDER

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2021-02-03 ⋅ Sophos Managed Threat Response (MTR) ⋅ Greg Iddon
MTR casebook: Uncovering a backdoor implant in a SolarWinds Orion server
RagnarLocker

2021-01-01 ⋅ Acronis ⋅ Acronis Security
Analysis of Ragnar Locker Ransomware
RagnarLocker

2020-12-16 ⋅ Accenture ⋅ Paul Mansfield
Tracking and combatting an evolving danger: Ransomware extortion
DarkSide Egregor Maze Nefilim RagnarLocker REvil Ryuk SunCrypt

2020-11-19 ⋅ FBI ⋅ FBI
MU-000140-MW: Indicators of Compromise Associated with Ragnar Locker Ransomware
RagnarLocker

2020-11-16 ⋅ Intel 471 ⋅ Intel 471
Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX

2020-11-11 ⋅ Kaspersky Labs ⋅ Dmitry Bestuzhev, Fedor Sinitsyn
Targeted ransomware: it’s not just about encrypting your data! Part 1 - “Old and New Friends”
Egregor Maze RagnarLocker

2020-11-10 ⋅ KrebsOnSecurity ⋅ Brian Krebs
Ransomware Group Turns to Facebook Ads
RagnarLocker

2020-11-05 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Capcom hit by Ragnar Locker ransomware, 1TB allegedly stolen
RagnarLocker

2020-11-05 ⋅ ZDNet ⋅ Charlie Osborne
Capcom quietly discloses cyberattack impacting email, file servers
RagnarLocker

2020-11-05 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Japanese game dev Capcom hit by cyberattack, business impacted
RagnarLocker

2020-10-23 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab
Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt

2020-09-25 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team
Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker MIMIC SPIDER PIZZO SPIDER TA2101 VIKING SPIDER

2020-09-24 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team
Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer Gandcrab LockBit Maze MedusaLocker RagnarLocker SamSam OUTLAW SPIDER OVERLORD SPIDER

2020-09-24 ⋅ Kaspersky Labs ⋅ Kaspersky Lab ICS CERT
Threat landscape for industrial automation systems - H1 2020
Poet RAT Mailto Milum RagnarLocker REvil Ryuk Snake

2020-08-25 ⋅ KELA ⋅ Victoria Kivilevich
How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet

2020-07-30 ⋅ WILDIRE LABS ⋅ WILDFIRE LABS
Dissecting Ragnar Locker: The Case Of EDP
RagnarLocker

2020-06-09 ⋅ McAfee ⋅ Alexandre Mundo
RagnarLocker Ransomware Threatens to Release Confidential Information
RagnarLocker

2020-05-21 ⋅ Sophos ⋅ SophosLabs Uncut
Ragnar Locker ransomware deploys virtual machine to dodge security
RagnarLocker

2020-04-28 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team
Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
LockBit Mailto Maze MedusaLocker Paradise RagnarLocker REvil RobinHood

2020-04-14 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
RagnarLocker ransomware hits EDP energy giant, asks for €10M
RagnarLocker

2020-02-04 ⋅ ⋅ ID Ransomware ⋅ Andrew Ivanov
RagnarLocker Ransomware
RagnarLocker

Yara Rules

[TLP:WHITE] win_ragnarlocker_auto (20251219 | Detects win.ragnarlocker.)

rule win_ragnarlocker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.ragnarlocker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarlocker"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b7da4 0facd106 33fe c1ea06 33d9 8b4da8 33fa }
            // n = 7, score = 300
            //   8b7da4               | mov                 edi, dword ptr [ebp - 0x5c]
            //   0facd106             | shrd                ecx, edx, 6
            //   33fe                 | xor                 edi, esi
            //   c1ea06               | shr                 edx, 6
            //   33d9                 | xor                 ebx, ecx
            //   8b4da8               | mov                 ecx, dword ptr [ebp - 0x58]
            //   33fa                 | xor                 edi, edx

        $sequence_1 = { c1e017 0bd8 8b45cc 0bf9 8b4dd4 33d2 }
            // n = 6, score = 300
            //   c1e017               | shl                 eax, 0x17
            //   0bd8                 | or                  ebx, eax
            //   8b45cc               | mov                 eax, dword ptr [ebp - 0x34]
            //   0bf9                 | or                  edi, ecx
            //   8b4dd4               | mov                 ecx, dword ptr [ebp - 0x2c]
            //   33d2                 | xor                 edx, edx

        $sequence_2 = { 33d0 03de 8b4dfc 8b75f8 8bc6 13fa c745bc00000000 }
            // n = 7, score = 300
            //   33d0                 | xor                 edx, eax
            //   03de                 | add                 ebx, esi
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b75f8               | mov                 esi, dword ptr [ebp - 8]
            //   8bc6                 | mov                 eax, esi
            //   13fa                 | adc                 edi, edx
            //   c745bc00000000       | mov                 dword ptr [ebp - 0x44], 0

        $sequence_3 = { 8bf1 0facd113 c1e60d c1ea13 0bf2 895da8 8b957cffffff }
            // n = 7, score = 300
            //   8bf1                 | mov                 esi, ecx
            //   0facd113             | shrd                ecx, edx, 0x13
            //   c1e60d               | shl                 esi, 0xd
            //   c1ea13               | shr                 edx, 0x13
            //   0bf2                 | or                  esi, edx
            //   895da8               | mov                 dword ptr [ebp - 0x58], ebx
            //   8b957cffffff         | mov                 edx, dword ptr [ebp - 0x84]

        $sequence_4 = { 33db 0bd9 8975a4 8b8d50ffffff 8bfa 0fa4ca03 c1ef1d }
            // n = 7, score = 300
            //   33db                 | xor                 ebx, ebx
            //   0bd9                 | or                  ebx, ecx
            //   8975a4               | mov                 dword ptr [ebp - 0x5c], esi
            //   8b8d50ffffff         | mov                 ecx, dword ptr [ebp - 0xb0]
            //   8bfa                 | mov                 edi, edx
            //   0fa4ca03             | shld                edx, ecx, 3
            //   c1ef1d               | shr                 edi, 0x1d

        $sequence_5 = { 56 8b75f8 56 6a03 6a3b 57 ff15???????? }
            // n = 7, score = 300
            //   56                   | push                esi
            //   8b75f8               | mov                 esi, dword ptr [ebp - 8]
            //   56                   | push                esi
            //   6a03                 | push                3
            //   6a3b                 | push                0x3b
            //   57                   | push                edi
            //   ff15????????         |                     

        $sequence_6 = { 8945e0 8b4594 8945e4 8b4590 8945e8 8b458c 8945c0 }
            // n = 7, score = 300
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   8b4594               | mov                 eax, dword ptr [ebp - 0x6c]
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   8b4590               | mov                 eax, dword ptr [ebp - 0x70]
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   8b458c               | mov                 eax, dword ptr [ebp - 0x74]
            //   8945c0               | mov                 dword ptr [ebp - 0x40], eax

        $sequence_7 = { 99 0bf2 c1e308 0bd8 0fb64143 0fa4de08 }
            // n = 6, score = 300
            //   99                   | cdq                 
            //   0bf2                 | or                  esi, edx
            //   c1e308               | shl                 ebx, 8
            //   0bd8                 | or                  ebx, eax
            //   0fb64143             | movzx               eax, byte ptr [ecx + 0x43]
            //   0fa4de08             | shld                esi, ebx, 8

        $sequence_8 = { 0bd8 0fb6410f 0fa4de08 8b4d98 99 0bf2 c1e308 }
            // n = 7, score = 300
            //   0bd8                 | or                  ebx, eax
            //   0fb6410f             | movzx               eax, byte ptr [ecx + 0xf]
            //   0fa4de08             | shld                esi, ebx, 8
            //   8b4d98               | mov                 ecx, dword ptr [ebp - 0x68]
            //   99                   | cdq                 
            //   0bf2                 | or                  esi, edx
            //   c1e308               | shl                 ebx, 8

        $sequence_9 = { c1ea0e 3175fc 0bfa 8b75dc 33df 8b7de0 f7d6 }
            // n = 7, score = 300
            //   c1ea0e               | shr                 edx, 0xe
            //   3175fc               | xor                 dword ptr [ebp - 4], esi
            //   0bfa                 | or                  edi, edx
            //   8b75dc               | mov                 esi, dword ptr [ebp - 0x24]
            //   33df                 | xor                 ebx, edi
            //   8b7de0               | mov                 edi, dword ptr [ebp - 0x20]
            //   f7d6                 | not                 esi

    condition:
        7 of them and filesize < 147456
}

Download all Yara Rules

RagnarLocker Propose Change

References

Yara Rules

RagnarLocker