Ransomware Roundup: Ragnar Locker Ransomware | FortiGuard Labs

Fortinet’s Ragnar Locker Ransomware Roundup explains that Ragnar Locker encrypts files, exfiltrates data, and uses double extortion to pressure victims, including negotiations via a Tor-based site and leaking stolen information on a “Wall of Shame.” It also notes the actor’s targeting of critical infrastructure and the protective guidance and solutions Fortinet offers to defend against this variant. #RagnarLocker #WallOfShame #LockBit #Maze #CVE-2017-0213

Key Points

  • Ragnar Locker uses double extortion: encrypting data and stealing information to pressure victims.
  • It deletes volume shadow copies and terminates services (e.g., vss, sql, veeam, logmein) to impede recovery.
  • Initial access commonly involves exposed RDP with brute-forcing and leaked credentials; privilege escalation leverages CVE-2017-0213.
  • Victims include at least 16 companies across North America, Europe, and Asia, with notable attacks on critical infrastructure such as a Greek natural gas provider.
  • Attackers maintain a Tor-based negotiation site and a “Wall of Shame” data-leak page to pressure victims and showcase stolen data.
  • The FBI issued alerts in 2022 about the impact on multiple infrastructure sectors; Ragnar Locker reportedly partners with other actors such as LockBit and Maze in a ransomware cartel.

MITRE Techniques

  • [T1133] External Remote Services – Initial access via RDP exposed to the internet using brute forcing and leaked credentials. (‘compromising the victim’s network through RDP services exposed to the internet using brute forcing techniques and leaked credentials.’)
  • [T1110] Brute Force – Credential access through brute-forcing techniques used to obtain access. (‘brute forcing techniques and leaked credentials.’)
  • [T1068] Exploitation for Privilege Escalation – CVE-2017-0213 used for privilege escalation and lateral movement. (‘CVE-2017-0213 (Windows COM Elevation of Privilege Vulnerability) is then reportedly leveraged for privilege escalation and lateral movement.’)
  • [T1021] Remote Services – Lateral movement within the network after initial access and privilege escalation. (‘…and lateral movement.’)
  • [T1486] Data Encrypted for Impact – Encrypts files using Salsa20 and demands ransom. (‘encrypts files using the Salsa20 encryption algorithm’)
  • [T1490] Inhibit System Recovery – Deletes volume shadow copies to hinder recovery. (‘deletes volume shadow copies, inhibiting the victim’s ability to recover affected files.’)
  • [T1489] Service Stop – Terminates services such as vss, sql, veeam, logmein, etc. (‘terminates them if found.’)
  • [T1041] Exfiltration – Exfiltrates information from a compromised machine as part of double extortion. (‘exfiltrates information from a compromised machine’)
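The T1490 and T1489 behaviours above (shadow copy deletion, and stopping services whose names contain vss, sql, veeam or logmein) are the part of the chain a defender can most readily alert on, because both usually surface in ordinary process-creation telemetry before encryption starts. The following detector is an added example written for this summary, not code from Fortinet or from the Ragnar Locker sample. It runs over a handful of constructed process-creation events, flags the two techniques plus a plain lookup of the two file hashes quoted in the IoC section, and then reports hosts where both recovery-inhibition behaviours occur together. The event field names (`host`, `image`, `command_line`, `sha256`), the `net stop` / `sc stop` command forms, and substring matching on the service-name fragments are all assumptions made for the example; the page does not say how the malware stops services.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Service-name fragments the write-up says Ragnar Locker looks for and terminates.
# Substring matching is an assumption: it lets "MSSQLSERVER" match "sql" and
# "VeeamBackupSvc" match "veeam", which is how such names appear in practice.
RECOVERY_SERVICE_FRAGMENTS = ("vss", "sql", "veeam", "logmein")

# The two sample SHA-256 values quoted in the roundup's IoC section.
KNOWN_SHA256 = {
    "d6a956684e7b3dc1e7c420b8ff2f8f3367f68cc5a7c440a8a2d8f78f1a59c859",
    "ab2c3f3e1750b92273772624d2bbf1827bb066ac4b6e5fe7843c884f4d1dfae9",
}

# Generic Windows command lines that delete volume shadow copies (T1490).
# These are standard administrative commands, not strings taken from the sample.
SHADOW_DELETE_PATTERNS = (
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
)

# Built-in tools whose "stop" verb halts a service (T1489).
STOP_TOOLS = {"net", "net.exe", "net1", "net1.exe", "sc", "sc.exe"}


@dataclass
class Finding:
    technique: str      # "T1490", "T1489" or "IoC"
    host: str
    command_line: str
    detail: str


def stopped_service(command_line: str) -> Optional[str]:
    """Return the service named in a 'net stop X' / 'sc stop X' command line, else None."""
    try:
        # posix=False keeps a quoted service name such as "SQL Server (MSSQLSERVER)" as one token.
        argv = shlex.split(command_line, posix=False)
    except ValueError:          # unbalanced quotes: not a parseable stop command
        return None
    for i, tok in enumerate(argv[:-2]):
        tool = tok.lower().rsplit("\\", 1)[-1]      # tolerate a full path to net.exe / sc.exe
        if tool in STOP_TOOLS and argv[i + 1].lower() == "stop":
            return argv[i + 2].strip('"')
    return None


def is_recovery_service(name: str) -> bool:
    """True if the service name contains one of the fragments the write-up lists."""
    lowered = name.lower()
    return any(fragment in lowered for fragment in RECOVERY_SERVICE_FRAGMENTS)


def detect(events: Iterable[dict]) -> List[Finding]:
    """Evaluate process-creation events and return one Finding per matched behaviour."""
    findings: List[Finding] = []
    for ev in events:
        host, cmd = ev.get("host", "?"), ev.get("command_line", "")
        if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
            findings.append(Finding("T1490", host, cmd, "volume shadow copy deletion"))
        svc = stopped_service(cmd)
        if svc is not None and is_recovery_service(svc):
            findings.append(Finding("T1489", host, cmd, f"stop of recovery-related service {svc}"))
        if ev.get("sha256", "").lower() in KNOWN_SHA256:
            findings.append(Finding("IoC", host, cmd, "file hash listed in the roundup IoCs"))
    return findings


def hosts_with_recovery_inhibition(findings: Iterable[Finding]) -> Set[str]:
    """Hosts showing both shadow copy deletion and a recovery-service stop: the pairing the write-up describes."""
    seen: Dict[str, Set[str]] = {}
    for f in findings:
        seen.setdefault(f.host, set()).add(f.technique)
    return {host for host, techniques in seen.items() if {"T1490", "T1489"} <= techniques}


# Constructed sample events; hash values are the ones quoted on the page.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws01", "image": r"C:\Windows\System32\net.exe",
     "command_line": 'net stop "VeeamBackupSvc" /y'},
    {"host": "ws01", "image": r"C:\Windows\System32\sc.exe",
     "command_line": "sc stop MSSQLSERVER"},
    {"host": "ws02", "image": r"C:\Windows\System32\net.exe",
     "command_line": "net stop Spooler"},                  # benign: not a recovery-related service
    {"host": "ws02", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "command_line": "wmic shadowcopy delete"},
    {"host": "ws03", "image": r"C:\Users\user\AppData\Local\Temp\payload.exe",
     "command_line": "payload.exe",
     "sha256": "d6a956684e7b3dc1e7c420b8ff2f8f3367f68cc5a7c440a8a2d8f78f1a59c859"},
]

if __name__ == "__main__":
    results = detect(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.host}: [{f.technique}] {f.detail} <- {f.command_line}")
    print("hosts with both T1490 and T1489:", sorted(hosts_with_recovery_inhibition(results)))
```

The command-line rule only fires when services are stopped through `net` or `sc`; a sample that calls the service control API directly leaves no such command line, so the same T1489 logic should also be fed from service-state telemetry (the System event log records a service entering the stopped state as Service Control Manager event 7036). The hash lookup is the weakest signal here, since hashes change between samples; the behavioural pair reported by `hosts_with_recovery_inhibition` is what should drive an alert.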

Indicators of Compromise

  • [File Hashes] Sample hashes observed in the Ragnar Locker IoCs: d6a956684e7b3dc1e7c420b8ff2f8f3367f68cc5a7c440a8a2d8f78f1a59c859, ab2c3f3e1750b92273772624d2bbf1827bb066ac4b6e5fe7843c884f4d1dfae9, and 2 more hashes

Read more: https://www.fortinet.com/blog/threat-research/ransomware-roundup-ragnar-locker-ransomware