Threat Actor Spotlight: RagnarLocker Ransomware – Sygnia

Sygnia analyzes RagnarLocker, detailing its double-extortion operations against critical infrastructure and the group’s TTPs, including the use of RMS and AnyDesk for C2 and data exfiltration. The report also offers mitigations and hunting guidance to help organizations defend against this actor. #RagnarLocker #RMS #AnyDesk #PsExec #RDP #WinRAR #HideUL #LANSearchPro

Keypoints

  • RagnarLocker is a ransomware threat actor that targets critical infrastructure sectors with double-extortion tactics (data theft followed by encryption).
  • Initial access often comes from exploiting a known vulnerability in an external-facing remote service, which underlines the value of patch management and KEV-driven prioritization.
  • Sygnia identified custom tooling (logs.ps1) that mines Windows Event Logs for IP addresses and usernames to support internal network reconnaissance.
  • The remote admin tools RMS and AnyDesk were used for C2 and data exfiltration, with HideUL used to remove RMS from the installed-programs (Uninstall) list.
  • Ransomware deployment relied on PsExec, creation of a local admin account, and batch scripts that install AnyDesk and deploy the encryptor.
  • Forensic artifacts (RMS logs, installation logs, and registry changes) provide indicators of compromise and recovery avenues.

MITRE Techniques

  • [T1133] External Remote Services – Initial access obtained by exploiting a software vulnerability in an external-facing service (‘Initial access was obtained by exploiting a software vulnerability in an external facing service.’). Exploitation of an internet-facing application is also catalogued as T1190, Exploit Public-Facing Application.
  • [T1087.002] Account Discovery: Domain Account – Discovery ‘to determine which accounts are allowed to perform Remote Desktop connections and between which systems.’
  • [T1082] System Information Discovery – Used to ‘gather information about the operating systems’, alongside Dsquery, ‘which was used to query the active directory’.
  • [T1018] Remote System Discovery – logs.ps1 runs ‘Get-EventLog … for IP addresses and usernames’ to enumerate systems the actor can reach.
  • [T1016] System Network Configuration Discovery – ‘IP addresses and usernames’ harvested from event logs by logs.ps1.
  • [T1021.001] Remote Services: Remote Desktop Protocol – Lateral movement over RDP, using the logs.ps1 output to select target systems.
  • [T1564] Hide Artifacts – ‘Hide from Uninstall List’: the RMS entry is removed from the Windows Uninstall registry key so the tool does not appear among installed programs; other tool traces are cleaned from the registry.
  • [T1003.001] OS Credential Dumping: LSASS Memory – LSASS memory dumped to obtain credentials.
  • [T1003.002] OS Credential Dumping: Security Account Manager – SAM-based credential access, referenced via the same credential dumping tooling.
  • [T1136.001] Create Account: Local Account – A local user account (Defau1t) created and added to the local Administrators group.
  • [T1136.002] Create Account: Domain Account – Domain account creation observed during the intrusion.
  • [T1546.012] Event Triggered Execution: Image File Execution Options Injection – IFEO registry entries used for persistence and execution.
  • [T1078.002] Valid Accounts: Domain Accounts – Compromised domain accounts used for the later stages of the intrusion.
  • [T1039] Data from Network Shared Drive – Data discovered and collected from network shares.
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 over web protocols via RMS and AnyDesk.
  • [T1219] Remote Access Software – AnyDesk (and RMS) used for interactive remote access.
  • [T1048] Exfiltration Over Alternative Protocol – Data exfiltrated through the legitimate remote-access tooling (AnyDesk).
  • [T1486] Data Encrypted for Impact – Deployment of the ransomware encryptor.
  • [T1490] Inhibit System Recovery – Registry and boot-related modifications that hinder recovery.

Indicators of Compromise

  • [IP Address] RMS command & control – 179.60.150.74
  • [Hostname] Attacker workstation – WIN-344VU98D3RU
  • [Filename] Batch scripts – any.bat, regedit_minimal.bat, run.bat
  • [Filename] Archive and script files – 1.rar, 1.ra, logs.ps1 (the event-log discovery script)
  • [MD5 Hash] – c6f3f15ad587f8c419f274033a599552, 3b849bece3794e082c495d12593c4f5e, 59e6919b61bcef4225d571e10fb13ef2
  • [Path] Working directories – %PUBLIC%, %PROGRAMDATA%
  • [Path] RMS installation log – %PROGRAMDATA%\Remote Manipulator System\install.log
  • [Registry Key] – HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall (RMS entry removed by HideUL)
  • [Username] – Defau1t (local account added to Administrators)
  • [Filename] rms.host.7.1.2.0.exe – RMS installation file
  • [Filename] lansearchpro_setup.exe – LAN Search Pro, used for internal reconnaissance
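The artifacts and indicators above translate directly into a host-triage check. The PowerShell below is an added example, not Sygnia's tooling or the actor's scripts: it looks for the Defau1t account and its Administrators membership, the HideUL pattern (RMS install log on disk but no Uninstall entry), the listed file names and MD5s in the working directories, live connections to the RMS C2 address, and Security-log events (4720 account creation, 4624 logons) tied to the created account or the attacker workstation name. It assumes a Windows host with PowerShell 5.1 or later, run from an elevated session; the 30-day lookback, the DisplayName patterns used to recognise an RMS Uninstall entry, the file extensions chosen for hashing, and the finding format are this example's own choices.

```powershell
# Added example (not Sygnia's tooling): triage a Windows host for the RagnarLocker
# indicators listed on this page. Run in an elevated PowerShell 5.1+ session.
$Ioc = @{
    C2Ip         = '179.60.150.74'
    AttackerHost = 'WIN-344VU98D3RU'
    LocalUser    = 'Defau1t'
    FileNames    = @('any.bat', 'regedit_minimal.bat', 'run.bat', '1.rar', 'logs.ps1',
                     'rms.host.7.1.2.0.exe', 'lansearchpro_setup.exe')
    Md5          = @('c6f3f15ad587f8c419f274033a599552',
                     '3b849bece3794e082c495d12593c4f5e',
                     '59e6919b61bcef4225d571e10fb13ef2')
}
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Category, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# 1. Local admin account created by the actor (T1136.001)
if (Get-LocalUser -Name $Ioc.LocalUser -ErrorAction SilentlyContinue) {
    Add-Finding 'Account' "Local user $($Ioc.LocalUser) exists"
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    if ($admins | Where-Object { $_.Name -like "*\$($Ioc.LocalUser)" }) {
        Add-Finding 'Account' "$($Ioc.LocalUser) is a member of Administrators"
    }
}

# 2. HideUL pattern (T1564): RMS install log on disk but no entry under the Uninstall key.
#    The DisplayName patterns are an assumption about how RMS registers itself.
$rmsLog = Join-Path $env:ProgramData 'Remote Manipulator System\install.log'
$uninstallKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
                   'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall')
$rmsEntry = Get-ChildItem -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Get-ItemProperty |
    Where-Object { $_.DisplayName -match 'Remote Manipulator|Remote Utilities|RMS' }
if ((Test-Path $rmsLog) -and -not $rmsEntry) {
    Add-Finding 'HideArtifacts' "RMS install log present at $rmsLog but no Uninstall entry"
}

# 3. Dropped files in the working directories, by name and by MD5.
#    Only script/archive/executable types are hashed to keep the sweep cheap (example choice).
foreach ($dir in @($env:PUBLIC, $env:ProgramData)) {
    Get-ChildItem -Path $dir -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        if ($Ioc.FileNames -contains $_.Name) {
            Add-Finding 'File' "IOC file name: $($_.FullName)"
        }
        if ($_.Extension -in @('.bat', '.ps1', '.rar', '.ra', '.exe')) {
            $hash = Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue
            if ($hash -and ($Ioc.Md5 -contains $hash.Hash.ToLower())) {
                Add-Finding 'File' "IOC MD5 $($hash.Hash) at $($_.FullName)"
            }
        }
    }
}

# 4. Live TCP connections to the RMS C2 address
Get-NetTCPConnection -RemoteAddress $Ioc.C2Ip -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'Network' "Connection to $($Ioc.C2Ip):$($_.RemotePort) from PID $($_.OwningProcess) ($($_.State))"
}

# 5. Security log: 4720 (account created) for Defau1t, and 4624 logons either as Defau1t or
#    from the attacker workstation name. WorkstationName is supplied by the client, so a
#    clean result here is not clearance. 30-day lookback is an example choice.
$filter = @{ LogName = 'Security'; Id = 4624, 4720; StartTime = (Get-Date).AddDays(-30) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $xml = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($_.Id -eq 4720 -and $d['TargetUserName'] -eq $Ioc.LocalUser) {
        Add-Finding 'SecurityLog' "4720: $($d['TargetUserName']) created by $($d['SubjectUserName']) at $($_.TimeCreated)"
    } elseif ($_.Id -eq 4624 -and ($d['WorkstationName'] -eq $Ioc.AttackerHost -or $d['TargetUserName'] -eq $Ioc.LocalUser)) {
        Add-Finding 'SecurityLog' "4624 type $($d['LogonType']): $($d['TargetUserName']) from $($d['WorkstationName'])/$($d['IpAddress']) at $($_.TimeCreated)"
    }
}

if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize }
else { 'No RagnarLocker indicators from this page were found on this host.' }
```

Run it across the estate rather than on a single suspect host: the actor moves laterally over RDP and PsExec, so the Defau1t account, the AnyDesk or RMS installs, and the batch scripts are typically present on several machines. Any hit should go to incident response for scoping and evidence preservation before the host is cleaned, since the RMS install log and the Uninstall key state are part of the forensic record.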

Read more: https://blog.sygnia.co/threat-actor-spotlight-ragnarlocker-ransomware