Skip to content
Ransomware group

RagnarLocker

RagnarLocker is a ransomware family commonly associated in the provided content with the Viking Spider threat group.

Profile source: Mallory opens in a new tab

RagnarLocker

Family profile

RagnarLocker is a ransomware family commonly associated in the provided content with the Viking Spider threat group. The content describes it as used in human-operated intrusions in which operators seek broad access and control inside a victim environment before encryption. Reported initial access methods include direct exploitation of systems, abuse of legitimate applications, and implantation of malware inside legitimate applications. Separate reporting in the content also states Mandiant observed evidence of UNC2447-affiliated actors previously using RAGNARLOCKER ransomware.

Behaviorally, RagnarLocker checks the victim system locale at startup using GetLocaleInfoW and terminates if the language matches an internal exclusion list dominated by CIS-region languages, including Belorussian, Azerbaijani, Ukrainian, Moldavian, Georgian, Armenian, Turkmen, Russian, Kyrgyz, Kazakh, Uzbek, and Tajik. It collects host and victim-identification data including the computer name, user data, the MachineGUID from the Microsoft Cryptography registry key, and the Windows ProductName from Windows NT\\CurrentVersion. It identifies disks prior to encryption and enumerates services via OpenSCManagerA and EnumServiceStatusA, comparing service names against an internal list associated with backup, security, and remote-management tooling. Service names mentioned in the content include vss, sql, memtas, mepocs, sophos, veeam, backup, pulseway, logme, logmein, connectwise, splashtop, and kaseya.

The malware creates a ransom note in Public\\Documents, obtains that path via SHGetSpecialFolderPathW, and stores or generates a victim identifier hash for communications. The content states RagnarLocker uses qTox for victim contact and that the ransom note demands payment, usually in cryptocurrency. During encryption, RagnarLocker skips selected folders, files, and extensions, and encrypted files contain inserted keys and a RAGNAR tag at the end. It also duplicates a token and uses interactive session logic to launch the ransom note in the default user session.

The content additionally references RagnarLocker in operational reporting: it is described as deployed by a group that heavily uses RDP and Cobalt Strike with stolen credentials, and it is cited in an attack against Israel's Mayanei Hayeshua hospital shortly before the October 2023 Israel-Hamas war.

Ransomware.live

Operational record

View group record ↗

Defense Evasion

  • VirtualBox

Discovery Enum

  • Advanced Port Scanner
  • Dsquery
  • PsInfo
  • SoftPerfect LanSearchPro

LOLBAS

  • PsExec
  • WMIC

Offsec

  • Cobalt Strike

RMM Tools

  • AnyDesk
  • Remote Manipulator System (RMS)
  • RemoteUtilities

Reported operators

Threat actors

2 named in public reporting
VIKING SPIDER

Overview RagnarLocker is a Ransomware normally associated with the group Viking Spider... Finally, to execute the txt in the default session in which the RagnarLocker has worked...

UNC2447

Mandiant has observed evidence of UNC2447 affiliated actors previously using RAGNARLOCKER ransomware.

MITRE ATT&CK

RagnarLocker in ATT&CK

20 distinct techniques

Reporting

Research mentioning RagnarLocker

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.