Ragnarlocker Ransomware IOCs

Fortify Security Team
Apr 22, 2022

RagnarLocker is identified by the extension “.RGNR_<ID>,” where <ID> is a hash of the computer’s NETBIOS name. The actors, identifying themselves as “RAGNAR_LOCKER,” leave a .txt ransom note, with instructions on how to pay the ransom and decrypt the data. RagnarLocker uses VMProtect, UPX, and custom packing algorithms and deploys within an attacker’s custom Windows XP virtual machine on a target’s site.

Ragnar Locker uses Windows API GetLocaleInfoW to identify the location of the infected machine. If the victim location is identified as “Azerbaijani,” “Armenian,” “Belorussian,” “Kazakh,” “Kyrgyz,” “Moldavian,” “Tajik,” “Russian,” “Turkmen,” “Uzbek,” “Ukrainian,” or “Georgian,” the process terminates.

RagnarLocker checks for current infections to prevent multiple transform encryption of the data, potentially corrupting it. The binary gathers the unique machine GUID, operating system product name, and user name currently running the process. This data is sent through a custom hashing algorithm to generate a unique identifier: <HashedMachineGuid>-<HashedWindowsProductName>-<HashedUser>-<HashedComputerName>-<HashedAllDataTogether>.

RagnarLocker identifies all attached hard drives using Windows APIs: CreateFileW, DeviceIoControl, GetLogicalDrives, and SetVolumeMountPointA. The ransomware assigns a drive letter to any volumes not assigned a logical drive letter and makes them accessible. These newly attached volumes are later encrypted during the final stage of the binary.

RagnarLocker iterates through all running services and terminates services commonly used by managed service providers to remotely administer networks. The malware then attempts to silently delete all Volume Shadow Copies, preventing user recovery of encrypted files, using two different methods:

  • >vssadmin delete shadows /all /quiet
  • >wmic.exe.shadowcopy.delete

Lastly, RagnarLocker encrypts all available files of interest. Instead of choosing which files to encrypt, RagnarLocker chooses which folders it will not encrypt. Taking this approach allows the computer to continue to operate “normally” while the malware encrypts files with known and unknown extensions containing data of value to the victim. For example, if the logical drive being processed is the C: drive, the malware does not encrypt files in the following folders:

  • Windows
  • old
  • Mozilla
  • Mozilla Firefox
  • Tor browser
  • Internet Explorer
  • $Recycle.Bin
  • Program Data
  • Google
  • Opera
  • Opera Software

Also, when iterating through files, the malware does not encrypt files with the following extensions:

  • .db
  • .sys
  • .dll
  • .lnk
  • .msi
  • .drv
  • .exe

Indicators

The following IOCs are associated with RagnarLocker ransomware, as of January 2022.

RagnarLocker IOCs as of January 2022
IP address                   Context                                              Timeframe
185.138.164.18 IP accessing confluence server 2021-09-03 10:53:56 – 2021-09-

21 18:46:40

185.172.129.215 IP accessing confluence server 2021-09-01 20:49:56 – 2021-09-

03 10:45:50

45.144.29.2 IP accessing confluence server 2021-09-12 21:34:13 -02021-09-

16 14:28:19

23.106.122.192 IP seen with updt32.exe proxy

malware

2021-09-27 20:07
45.90.59.131 IP resolution for secanalytics C2 domain 2021-09-17 16:27
149.28.200.140 IP address involved in PSCP

activity

2021-09-10 19:20

 

IP address                   Context                                              Timeframe
 

193.42.36.53

IP address resolution for windows-analytics-

prod12ms[.]com

 

2021-10-01 14:41

45.63.89.250 IP address belonging to

ctlmon.exe – GOTROJ malware

2021-09-11 13:13
190.211.254.181 IP address involved in data

exfiltration

2021-10-27 11:30:35
142.44.236.38 IP address involved in data

exfiltration

2021-11-03 8:16
37.120.238.107 IP address involved in data

exfiltration

2021-10-19 21:22:48 – 2021-10-

26 13:12:56

 

95.216.196.181

C2 embedded in malware

(snmp.dat and bash.dat and esync.exe)

 

2021-11-11 19:20

 

162.55.38.44

C2 embedded in malware

(snmp.dat and bash.dat and esync.exe)

 

2021-11-11 19:20

 

116.203.132.32

C2 embedded in malware

(snmp.dat and bash.dat and esync.exe)

 

2021-11-11 19:20

 

49.12.212.231

C2 embedded in malware (snmp.dat and bash.dat and

esync.exe)

 

2021-11-11 19:20

193.42.39.10 seen as argument to inetinfo.exe 2021-11-22 17:12
 

193.111.153.24

(ssl-secure-com2048[.]com) – bash, snmp, 7z, and psexec

downloaded from this domain

 

2021-11-18 20:38

178.32.222.98 IP address involved in data

exfiltration

2021-10-30 16:25
23.227.202.72 IP address involved in data

exfiltration

2021-11-26 14:18:21 – 2021-12-

14 11:12:19

159.89.163 NA 2021-06-05
50.201.185.11  

NA

2021-03-26 19:28 UTC +3
47.35.60.92 NA 2021-09-03 11:40 UTC +3
108.26.193.165 NA 2021-05-13 14:01 GMT +3
108.56.142.135 NA 2021-03-25 17:16:55 GMT +1
198.12.81.56 NA 2021-10/11
198.12.127.199 NA 2021-10/11
45.91.93.75 NA 2021-03-18

 

 

IP address                   Context                                              Timeframe
217.25.93.106 NA 2021-03-21
45.146.164.193 NA 2020-10-05
89.40.10.25 NA 2020-10-10
5.45.65.52 NA NA
79.141.160.43 (URL:

izugz.envisting.xyz)

 

NA

 

2021-05-24

 

 

Bitcoin Addresses: Timeframe
19kcqKevFZhiX7NFLa5wAw4JBjWLcpwp3e 2021-04-30
1CG8RAqNaJCrmEdVLK7mm2mTuuK28dkzCU 2021-03
151Ls8urp6e2D1oXjEQAkvqogSn3TS8pp6 2021-02-27

 

Email Addresses: Timeframe
[email protected] 2021-040-03
[email protected] 2021-05-25
[email protected] (linked by SMS) NA
[email protected] NA
[email protected] NA
[email protected] NA
[email protected]  (cookie-linked) NA
[email protected] NA
[email protected] NA
[email protected] NA
[email protected] NA
[email protected] NA
[email protected] NA

 

Information Requested:

The FBI does not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, or fund illicit activities. Paying the ransom also does not guarantee a victim’s files will be recovered. However, the FBI understands when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers. Regardless of whether you or your organization decides to pay the ransom, the FBI urges you to report ransomware incidents to your local field office. Doing so provides investigators and analysts with the critical information they need to track ransomware attackers, hold them accountable under US law, and prevent future attacks.

The FBI may seek the following information:

SHORT TERM ITEMS

  • Copy of the ransom note (screen shot/picture/text file).
  • Any discovered malicious IPs with time stamps/time zones (unusual RDP connections/unusual VPN connections/beacons to malicious IPs).
  • Virtual currency addresses/amount of
  • Any malicious files (executables/binaries).
  • Summary of timeline of events (dates of initial observation/malicious activity).
  • Evidence of data

LONG TERM ITEMS

  • Brief summary of where the IOCs came
  • Incident response
  • Copy of any communications with malicious
  • Forensic images and memory
  • Host and network
  • Any available
  • Scope of impact (amount of loss).

Recommended Mitigations:

  • Back-up critical data
  • Ensure copies of critical data are in the cloud or on an external hard drive or storage device. This information should not be accessible from the compromised network.
  • Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the data resides.
  • Use multi-factor authentication with strong passwords, including for remote access
  • Keep computers, devices, and applications patched and up-to-
  • Monitor cyber threat reporting regarding the publication of compromised VPN login credentials and change passwords and settings.
  • Consider adding an email banner to emails received from outside your
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Implement network

 

Recent Posts

Maui Ransomware – Technical Details

Since May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at Healthcare and Public Health (HPH) Sector organizations. North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for...

MedusaLocker Ransomware Technical Details

Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks. The MedusaLocker actors encrypt the victim’s data and leave a ransom note with communication instructions in every...

Karakurt Data Extortion Group

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN) are releasing this joint Cybersecurity Advisory (CSA) to provide...

CVE-2022-30190 aka Follina

Move over log4j, there is a new 0-day vulnerability being exploited in the wild. The first sample that exploits the vulnerability appeared on VirusTotal on April 12th, 2022. Successful exploitation allows an attacker to run arbitrary code with the privileges of the...

BlackCat/ALPHV Ransomware IOCs

As of March 2022, BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using RUST, considered to be a more secure programming language that offers improved performance and...

IOCs Associated with Ranzy Locker Ransomware

The FBI first identified Ranzy Locker ransomware in late 2020 when the variant began to target victims in the United States. Unknown cyber criminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021. The victims include the...

Conti Ransomware

While Conti is considered a ransomware-as-a-service (RaaS) model ransomware variant, there is variation in its structure that differentiates it from a typical affiliate model. It is likely that Conti developers pay the deployer's of the ransomware a wage rather than a...