SYMBOLCOMMON_NAMEaka. SYNONYMS
win.ragnarlocker (Back to overview)

RagnarLocker

There is no description at this point.

References
2020-11-19FBIFBI
@techreport{fbi:20201119:mu000140mw:680c1f8, author = {FBI}, title = {{MU-000140-MW: Indicators of Compromise Associated with Ragnar Locker Ransomware}}, date = {2020-11-19}, institution = {FBI}, url = {https://www.waterisac.org/system/files/articles/FLASH-MU-000140-MW.pdf}, language = {English}, urldate = {2020-11-23} } MU-000140-MW: Indicators of Compromise Associated with Ragnar Locker Ransomware
RagnarLocker
2020-11-16Intel 471Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Ransomware Clop Conti Ransomware DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX Ransomware
2020-11-11Kaspersky LabsDmitry Bestuzhev, Fedor Sinitsyn
@online{bestuzhev:20201111:targeted:e2e0c3a, author = {Dmitry Bestuzhev and Fedor Sinitsyn}, title = {{Targeted ransomware: it’s not just about encrypting your data! Part 1 - “Old and New Friends”}}, date = {2020-11-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/targeted-ransomware-encrypting-data/99255/}, language = {English}, urldate = {2020-11-11} } Targeted ransomware: it’s not just about encrypting your data! Part 1 - “Old and New Friends”
Egregor Maze RagnarLocker
2020-11-10KrebsOnSecurityBrian Krebs
@online{krebs:20201110:ransomware:91d390a, author = {Brian Krebs}, title = {{Ransomware Group Turns to Facebook Ads}}, date = {2020-11-10}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2020/11/ransomware-group-turns-to-facebook-ads/}, language = {English}, urldate = {2020-11-11} } Ransomware Group Turns to Facebook Ads
RagnarLocker
2020-11-05ZDNetCharlie Osborne
@online{osborne:20201105:capcom:3667890, author = {Charlie Osborne}, title = {{Capcom quietly discloses cyberattack impacting email, file servers}}, date = {2020-11-05}, organization = {ZDNet}, url = {https://www.zdnet.com/article/capcom-quietly-discloses-cyberattack-impacting-email-file-servers/}, language = {English}, urldate = {2020-11-06} } Capcom quietly discloses cyberattack impacting email, file servers
RagnarLocker
2020-11-05Bleeping ComputerLawrence Abrams
@online{abrams:20201105:japanese:0221abc, author = {Lawrence Abrams}, title = {{Japanese game dev Capcom hit by cyberattack, business impacted}}, date = {2020-11-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/japanese-game-dev-capcom-hit-by-cyberattack-business-impacted/}, language = {English}, urldate = {2020-11-06} } Japanese game dev Capcom hit by cyberattack, business impacted
RagnarLocker
2020-11-05Bleeping ComputerLawrence Abrams
@online{abrams:20201105:capcom:e0ff215, author = {Lawrence Abrams}, title = {{Capcom hit by Ragnar Locker ransomware, 1TB allegedly stolen}}, date = {2020-11-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/capcom-hit-by-ragnar-locker-ransomware-1tb-allegedly-stolen/}, language = {English}, urldate = {2020-11-06} } Capcom hit by Ragnar Locker ransomware, 1TB allegedly stolen
RagnarLocker
2020-09-25CrowdStrikeThe Crowdstrike Intel Team
@online{team:20200925:double:fe3b093, author = {The Crowdstrike Intel Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}}, date = {2020-09-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/}, language = {English}, urldate = {2020-10-02} } Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker
2020-09-24Kaspersky LabsKaspersky Lab ICS CERT
@techreport{cert:20200924:threat:2d7986d, author = {Kaspersky Lab ICS CERT}, title = {{Threat landscape for industrial automation systems - H1 2020}}, date = {2020-09-24}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf}, language = {English}, urldate = {2020-10-04} } Threat landscape for industrial automation systems - H1 2020
Poet RAT Mailto Milum RagnarLocker REvil Ryuk Snake Ransomware
2020-07-30WILDIRE LABSWILDFIRE LABS
@online{labs:20200730:dissecting:f58344d, author = {WILDFIRE LABS}, title = {{Dissecting Ragnar Locker: The Case Of EDP}}, date = {2020-07-30}, organization = {WILDIRE LABS}, url = {https://blog.blazeinfosec.com/dissecting-ragnar-locker-the-case-of-edp/}, language = {English}, urldate = {2020-11-09} } Dissecting Ragnar Locker: The Case Of EDP
RagnarLocker
2020-06-09McAfeeAlexandre Mundo
@online{mundo:20200609:ragnarlocker:1f58a4a, author = {Alexandre Mundo}, title = {{RagnarLocker Ransomware Threatens to Release Confidential Information}}, date = {2020-06-09}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ragnarlocker-ransomware-threatens-to-release-confidential-information}, language = {English}, urldate = {2020-06-10} } RagnarLocker Ransomware Threatens to Release Confidential Information
RagnarLocker
2020-05-21SophosSophosLabs Uncut
@online{uncut:20200521:ragnar:446eb50, author = {SophosLabs Uncut}, title = {{Ragnar Locker ransomware deploys virtual machine to dodge security}}, date = {2020-05-21}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/}, language = {English}, urldate = {2020-05-23} } Ragnar Locker ransomware deploys virtual machine to dodge security
RagnarLocker
2020-04-28MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200428:ransomware:3205f3a, author = {Microsoft Threat Protection Intelligence Team}, title = {{Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk}}, date = {2020-04-28}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/}, language = {English}, urldate = {2020-05-05} } Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
LockBit Mailto Maze MedusaLocker Paradise Ransomware RagnarLocker REvil RobinHood
2020-04-14Bleeping ComputerSergiu Gatlan
@online{gatlan:20200414:ragnarlocker:2a77ec4, author = {Sergiu Gatlan}, title = {{RagnarLocker ransomware hits EDP energy giant, asks for €10M}}, date = {2020-04-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/}, language = {English}, urldate = {2020-04-16} } RagnarLocker ransomware hits EDP energy giant, asks for €10M
RagnarLocker
2020-02-04ID RansomwareAndrew Ivanov
@online{ivanov:20200204:ragnarlocker:7e8d324, author = {Andrew Ivanov}, title = {{RagnarLocker Ransomware}}, date = {2020-02-04}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/02/ragnarlocker-ransomware.html}, language = {Russian}, urldate = {2020-04-15} } RagnarLocker Ransomware
RagnarLocker
Yara Rules
[TLP:WHITE] win_ragnarlocker_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_ragnarlocker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarlocker"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c745f40a000000 0f118570ffffff 8bb574ffffff 0f104110 8975d0 0f114580 }
            // n = 6, score = 200
            //   c745f40a000000       | mov                 dword ptr [ebp - 0xc], 0xa
            //   0f118570ffffff       | movups              xmmword ptr [ebp - 0x90], xmm0
            //   8bb574ffffff         | mov                 esi, dword ptr [ebp - 0x8c]
            //   0f104110             | movups              xmm0, xmmword ptr [ecx + 0x10]
            //   8975d0               | mov                 dword ptr [ebp - 0x30], esi
            //   0f114580             | movups              xmmword ptr [ebp - 0x80], xmm0

        $sequence_1 = { c783d000000000000000 53 897510 897d08 e8???????? }
            // n = 5, score = 200
            //   c783d000000000000000     | mov    dword ptr [ebx + 0xd0], 0
            //   53                   | push                ebx
            //   897510               | mov                 dword ptr [ebp + 0x10], esi
            //   897d08               | mov                 dword ptr [ebp + 8], edi
            //   e8????????           |                     

        $sequence_2 = { 8b55f0 c1e11e 0bf9 8b4de4 317de0 8bfa 0fa4ca19 }
            // n = 7, score = 200
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]
            //   c1e11e               | shl                 ecx, 0x1e
            //   0bf9                 | or                  edi, ecx
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   317de0               | xor                 dword ptr [ebp - 0x20], edi
            //   8bfa                 | mov                 edi, edx
            //   0fa4ca19             | shld                edx, ecx, 0x19

        $sequence_3 = { 884b74 b120 8b4648 8b564c e8???????? 884373 b128 }
            // n = 7, score = 200
            //   884b74               | mov                 byte ptr [ebx + 0x74], cl
            //   b120                 | mov                 cl, 0x20
            //   8b4648               | mov                 eax, dword ptr [esi + 0x48]
            //   8b564c               | mov                 edx, dword ptr [esi + 0x4c]
            //   e8????????           |                     
            //   884373               | mov                 byte ptr [ebx + 0x73], al
            //   b128                 | mov                 cl, 0x28

        $sequence_4 = { c1e912 0bd0 8b45f4 0bf1 33da 33fe 8bf0 }
            // n = 7, score = 200
            //   c1e912               | shr                 ecx, 0x12
            //   0bd0                 | or                  edx, eax
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   0bf1                 | or                  esi, ecx
            //   33da                 | xor                 ebx, edx
            //   33fe                 | xor                 edi, esi
            //   8bf0                 | mov                 esi, eax

        $sequence_5 = { 11558c 33db 8b55c8 8bf2 0fa4ca17 c1ee09 }
            // n = 6, score = 200
            //   11558c               | adc                 dword ptr [ebp - 0x74], edx
            //   33db                 | xor                 ebx, ebx
            //   8b55c8               | mov                 edx, dword ptr [ebp - 0x38]
            //   8bf2                 | mov                 esi, edx
            //   0fa4ca17             | shld                edx, ecx, 0x17
            //   c1ee09               | shr                 esi, 9

        $sequence_6 = { 50 e8???????? 83c40c ba3a000000 }
            // n = 4, score = 200
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   ba3a000000           | mov                 edx, 0x3a

        $sequence_7 = { 0f84e7010000 8d4d10 51 8d8d4cf5ffff 51 6804010000 50 }
            // n = 7, score = 200
            //   0f84e7010000         | je                  0x1ed
            //   8d4d10               | lea                 ecx, [ebp + 0x10]
            //   51                   | push                ecx
            //   8d8d4cf5ffff         | lea                 ecx, [ebp - 0xab4]
            //   51                   | push                ecx
            //   6804010000           | push                0x104
            //   50                   | push                eax

        $sequence_8 = { 0bd8 0fb6410f 0fa4de08 8b4d98 99 0bf2 c1e308 }
            // n = 7, score = 200
            //   0bd8                 | or                  ebx, eax
            //   0fb6410f             | movzx               eax, byte ptr [ecx + 0xf]
            //   0fa4de08             | shld                esi, ebx, 8
            //   8b4d98               | mov                 ecx, dword ptr [ebp - 0x68]
            //   99                   | cdq                 
            //   0bf2                 | or                  esi, edx
            //   c1e308               | shl                 ebx, 8

        $sequence_9 = { 8bf2 0fa4ca17 c1ee09 c1e117 0bda 8b550c 0bf1 }
            // n = 7, score = 200
            //   8bf2                 | mov                 esi, edx
            //   0fa4ca17             | shld                edx, ecx, 0x17
            //   c1ee09               | shr                 esi, 9
            //   c1e117               | shl                 ecx, 0x17
            //   0bda                 | or                  ebx, edx
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   0bf1                 | or                  esi, ecx

    condition:
        7 of them and filesize < 147456
}
Download all Yara Rules