Defense Evasion
- VirtualBox
RagnarLocker is a ransomware family commonly associated in the provided content with the Viking Spider threat group.
Profile source: Mallory opens in a new tabRagnarLocker
RagnarLocker is a ransomware family commonly associated in the provided content with the Viking Spider threat group. The content describes it as used in human-operated intrusions in which operators seek broad access and control inside a victim environment before encryption. Reported initial access methods include direct exploitation of systems, abuse of legitimate applications, and implantation of malware inside legitimate applications. Separate reporting in the content also states Mandiant observed evidence of UNC2447-affiliated actors previously using RAGNARLOCKER ransomware.
Behaviorally, RagnarLocker checks the victim system locale at startup using GetLocaleInfoW and terminates if the language matches an internal exclusion list dominated by CIS-region languages, including Belorussian, Azerbaijani, Ukrainian, Moldavian, Georgian, Armenian, Turkmen, Russian, Kyrgyz, Kazakh, Uzbek, and Tajik. It collects host and victim-identification data including the computer name, user data, the MachineGUID from the Microsoft Cryptography registry key, and the Windows ProductName from Windows NT\\CurrentVersion. It identifies disks prior to encryption and enumerates services via OpenSCManagerA and EnumServiceStatusA, comparing service names against an internal list associated with backup, security, and remote-management tooling. Service names mentioned in the content include vss, sql, memtas, mepocs, sophos, veeam, backup, pulseway, logme, logmein, connectwise, splashtop, and kaseya.
The malware creates a ransom note in Public\\Documents, obtains that path via SHGetSpecialFolderPathW, and stores or generates a victim identifier hash for communications. The content states RagnarLocker uses qTox for victim contact and that the ransom note demands payment, usually in cryptocurrency. During encryption, RagnarLocker skips selected folders, files, and extensions, and encrypted files contain inserted keys and a RAGNAR tag at the end. It also duplicates a token and uses interactive session logic to launch the ransom note in the default user session.
The content additionally references RagnarLocker in operational reporting: it is described as deployed by a group that heavily uses RDP and Cobalt Strike with stolen credentials, and it is cited in an attack against Israel's Mayanei Hayeshua hospital shortly before the October 2023 Israel-Hamas war.
Ransomware.live
Reported operators
Overview RagnarLocker is a Ransomware normally associated with the group Viking Spider... Finally, to execute the txt in the default session in which the RagnarLocker has worked...
Mandiant has observed evidence of UNC2447 affiliated actors previously using RAGNARLOCKER ransomware.
MITRE ATT&CK
Reporting
WIN-344VU98D3RU Windows Server 2012 R2 LockBit Conti Trickbot RagnarLocker RedLine infostealer Lampion infostealer
"RansomHouse... linked to... RagnarLocker"
"One month before the war in Israel began, the RagnarLocker ransomware group attacked Israel's Mayanei Hayeshua hospital."
Overview RagnarLocker is a Ransomware normally associated with the group Viking Spider... Finally, to execute the txt in the default session in which the RagnarLocker has worked...
Mandiant has observed evidence of UNC2447 affiliated actors previously using RAGNARLOCKER ransomware.
RagnarLocker, which is deployed by a group that heavily uses RDP and Cobalt Strike with stolen credentials
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.