
Uncovering Ragnar_Locker Ransomware: Exploring IOCs

by Ron Kaminsky August 15th, 2023

Too Long; Didn't Read

RagnarLocker has garnered significant attention for its sophisticated tactics and impact on critical infrastructure sectors.

In the ever-evolving landscape of cyber threats, ransomware has proven to be one of the most notorious and damaging forms of attack. Among the various ransomware variants, RagnarLocker has garnered significant attention for its sophisticated tactics and impact on critical infrastructure sectors. In this blog post, we delve into the world of RagnarLocker ransomware, exploring its indicators of compromise (IOCs), technical intricacies, and the havoc it wreaks on targeted systems. 💥🔓


Ransomware Strikes Israeli Hospital: Ragnar_Locker Takes Responsibility 🏥



In a chilling turn of events, RagnarLocker’s menace struck closer to home as it targeted Mayanei Hayeshua Medical Center in Bnei Brak, Israel, a few days ago. The ransomware attack wreaked havoc on the hospital’s administrative computer systems. The aftermath was devastating — medical treatments were disrupted, and the emergency room was compelled to redirect patients to other hospitals for urgent care.


Emerging from the chaos, Ragnar_Locker took responsibility for this audacious attack.

However, I’ve conducted a detailed investigation that yielded no signs of any leaked data or information on the group’s Onion site or Telegram group. This marks an unusual departure from the norm, where cybercriminals often flaunt their exploits on such platforms.


This incident serves as a grim reminder of the vulnerabilities lurking in critical infrastructure sectors, with healthcare being no exception. It underscores the pressing need for fortified cybersecurity measures to shield essential services from such malicious onslaughts. As the investigation into this unsettling event progresses, the global cybersecurity community will undoubtedly be closely monitoring further developments. 🌐🔒🦠


Yet, from what I can find, there are no leaks or information from the ransomware attack on the Israeli hospital. (Timestamp 11/08/23)


The Emergence of RagnarLocker 🌄💻

The first traces of RagnarLocker ransomware came to light in April 2020, catching the attention of cybersecurity experts and organizations worldwide. Notably, the Federal Bureau of Investigation (FBI) issued an initial report detailing known IOCs associated with RagnarLocker. Over time, this ransomware variant has evolved, refining its obfuscation techniques and evading traditional detection methods. 🚀🔍

A Persistent Threat 🎯🌐

As of January 2022, the FBI had identified over 52 entities spanning 10 critical infrastructure sectors affected by RagnarLocker ransomware. These sectors encompass critical manufacturing, energy, financial services, government, and information technology, underscoring the ransomware’s indiscriminate targeting. 💼🏢🔒

Technical Insights 🔍💡

Ransom Note and Identification: RagnarLocker is recognizable by the “.RGNR_<ID>” extension appended to encrypted files. The actors, self-identifying as “RAGNAR_LOCKER,” accompany this extension with a .txt ransom note, containing instructions for payment and data decryption. 💰🔐📄


Advanced Packing Techniques: The ransomware employs advanced techniques like VMProtect, UPX, and custom packing algorithms, adding layers of complexity to its execution. This obfuscation serves to complicate detection efforts. 🧩🔒🔍


Geographical Targeting: RagnarLocker uses the Windows API GetLocaleInfoW to identify the infected machine’s location. If the victim’s location falls within certain geopolitical areas, the ransomware terminates its processes, potentially hinting at the attackers’ geopolitical motivations. 🗺️🌍🔍


Selective Encryption: Instead of opting for a widespread encryption approach, RagnarLocker selectively encrypts files. It designates folders it won’t encrypt, allowing the system to function “normally” while encrypting files with valuable data. This method minimizes disruptions while maximizing the potential payout. 📁🔒🤖




Before encryption, Ragnar Locker spawns the following child processes:


  • wmic.exe shadowcopy delete: This system command deletes all shadow copies on the victim’s system, preventing data recovery by the victim.
  • vssadmin delete shadows /all /quiet: This system command also deletes shadow copies, preventing data recovery by the victim.
  • notepad.exe [User path]\RGNR_AABBCCDD.txt: This command launches Notepad.exe to show the ransom note to the victim.


After the ransom note is created, the actual file encryption process initiates using the Salsa20 algorithm. It excludes files ending in .db, .sys, .dll, .lnk, .msi, .drv and .exe.

Neutralizing Defenses 🛡️🚫

Service Termination: RagnarLocker goes a step further in its attack strategy by identifying and terminating services commonly used by managed service providers (MSPs) for remote network administration. This further hampers recovery efforts. 💔🔧


Shadow Copy Deletion: Preventing victim recovery efforts, the ransomware erases Volume Shadow Copies, a mechanism used to restore files to previous states. The malware employs several methods, including vssadmin delete shadows /all /quiet and wmic.exe shadowcopy delete. 🗑️🔮
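To turn the child-process list above and this shadow-copy deletion behaviour into something a detection engineer can test, here is an added example (not code from the original post or from any vendor product) that matches the vssadmin and wmic shadow-copy commands, the Notepad launch of the RGNR_<ID>.txt ransom note, and the .RGNR_<ID> extension against a handful of constructed Sysmon-style process-creation and file-rename events, then correlates the hits by the process responsible for them. The event schema, the sample paths and the alphanumeric form of the ID are assumptions made for the example.

```python
"""Detection of RagnarLocker-style child processes and file IOCs.

Example code written for this post; the events below are constructed,
not real telemetry. Field names mimic a simplified Sysmon-like schema.
"""
import re
from collections import defaultdict

# IOCs taken from the post: the two shadow-copy deletion commands, the
# ransom note file name and the ".RGNR_<ID>" extension. The ID is
# assumed here to be alphanumeric (the post shows "AABBCCDD").
SHADOW_COPY_DELETE = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
]
RANSOM_NOTE = re.compile(r"\bRGNR_[A-Za-z0-9]+\.txt\b", re.I)
ENCRYPTED_EXT = re.compile(r"\.RGNR_[A-Za-z0-9]+$", re.I)

# Constructed sample events: four from a hypothetical ransomware binary,
# two benign ones from explorer.exe that must not fire.
SAMPLE_EVENTS = [
    {"event": "process_create", "parent": r"C:\Users\victim\Downloads\invoice.exe",
     "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": "wmic.exe shadowcopy delete"},
    {"event": "process_create", "parent": r"C:\Users\victim\Downloads\invoice.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"event": "process_create", "parent": r"C:\Users\victim\Downloads\invoice.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\victim\RGNR_AABBCCDD.txt"},
    {"event": "file_rename", "image": r"C:\Users\victim\Downloads\invoice.exe",
     "target": r"C:\Users\victim\Documents\budget.xlsx.RGNR_AABBCCDD"},
    {"event": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\victim\notes.txt"},
    {"event": "file_rename", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\victim\Documents\report.docx"},
]


def classify(event):
    """Return the list of IOC tags a single event matches (empty if none)."""
    tags = []
    if event["event"] == "process_create":
        cmd = event["cmdline"]
        if any(p.search(cmd) for p in SHADOW_COPY_DELETE):
            tags.append("shadow_copy_deletion")
        # Only a Notepad launch of the note counts; the note name alone in
        # an unrelated command line would be too noisy.
        if "notepad" in event["image"].lower() and RANSOM_NOTE.search(cmd):
            tags.append("ransom_note_displayed")
    elif event["event"] == "file_rename":
        if ENCRYPTED_EXT.search(event["target"]):
            tags.append("encrypted_file_extension")
    return tags


def suspect_process(event):
    """Attribute behaviour to the parent that spawned the child command,
    or to the process performing the rename."""
    if event["event"] == "process_create":
        return event["parent"]
    return event["image"]


def correlate(events):
    """Group matched tags by the suspected process, tags sorted for stable output."""
    findings = defaultdict(set)
    for ev in events:
        for tag in classify(ev):
            findings[suspect_process(ev)].add(tag)
    return {proc: sorted(tags) for proc, tags in findings.items()}


def high_confidence(events):
    """Processes that delete shadow copies AND show at least one other indicator.
    Shadow-copy deletion alone is also done by legitimate backup tooling, so the
    combination is what lifts the alert above a single noisy signal."""
    return sorted(proc for proc, tags in correlate(events).items()
                  if "shadow_copy_deletion" in tags and len(tags) > 1)


if __name__ == "__main__":
    for proc, tags in correlate(SAMPLE_EVENTS).items():
        print(proc, "->", ", ".join(tags))
    print("high confidence:", high_confidence(SAMPLE_EVENTS))
```

The correlation step matters more than the individual regexes: an administrator running vssadmin before a backup rotation trips the shadow-copy rule too, so the alert only escalates when the same process also drops the ransom note or produces renamed files with the RagnarLocker extension.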

Conclusion 📢🔐

RagnarLocker ransomware presents a multifaceted threat that combines advanced technical techniques with an intricate attack strategy. Its evolution since its discovery in 2020, along with its targeting of critical infrastructure sectors, underscores the urgency of bolstering cybersecurity measures to defend against this and similar threats. As organizations and security experts continue to dissect RagnarLocker’s mechanisms, it becomes increasingly evident that the fight against ransomware demands a proactive and collaborative approach, where vigilance and innovation go hand in hand. 🛡️🌐🔒


