Malware analysis

Ragnar locker malware: what it is, how it works and how to prevent it | Malware spotlight

Pedro Tavares
June 25, 2020 by
Pedro Tavares

The popularity of ransomware threats does not appear to be decreasing. Instead, more and sophisticated ransomware threats are being deployed. Ragnar Locker is a new data encryption malware in this style.

Ragnar Locker is ransomware that affects devices running Microsoft Windows operating systems. It was initially observed towards the end of December 2019 as part of a series of attacks against compromised networks.

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

In general, this malware is deployed manually after an initial compromise, network reconnaissance and pre-deployed tasks on the network. This shows that this is a more complex operation than most ransomware propagation campaigns.

Before starting the Ragnar Locker ransomware, attackers inject a module capable of collecting sensitive data from infected machines and upload it to their servers. Next, threat actors behind the malware notify the victim the files will be released to the public if the ransom is not paid.

 

Modus operandi

The next diagram shows how criminals are compromising infrastructures and organizations using this data encryption malware. [CLICK IMAGES TO ENLARGE]

Figure 1: High-level diagram of the Ragnar Locker infection chain.

As highlighted in the diagram above, there is a group of steps executed by Ragnar Locker operators every time an organization or infrastructure is impacted. Digging into the details, attackers first compromise networks, infrastructures and organizations using found vulnerabilities or even through social engineering such as phishing attacks, spearphishing and BEC attacks.

During the compromise process, reconnaissance, pre-deployment tasks and data exfiltration are performed before executing the piece of ransomware (Figure 1 — labels 1 and 2). When the data exfiltration process is completed, a ransomware deploy is performed manually (label 3).

Notice that each malware sample is unique, with the specific ransom note hardcoded inside the malware. The affected group name, the links to the bitcoin wallet and the links to a dark web blog are embedded inside the binary as presented below.

Figure 2: Parts of the ransom notes from the recent attacks.

When the ransomware starts, it enumerates running processes and stops if some of these services contain specific strings, such as:

  • Vss
  • sql
  • memtas
  • mepocs
  • sophos
  • veeam
  • backup
  • pulseway
  • logme
  • logmein
  • connectwise
  • splashtop
  • Kaseya

Table 1: Processes terminated by ransomware.

Ransomware in this line often disables some services as a way to bypass security protections and also database and backup systems to increase the impact of the attack. Also, database and mail services are stopped so that their data can be encrypted during the infection process.

One of the particularities that spotlight Ragnar Locker is that it is targeting specifically remote management software often used by managed service providers (MSPs), such as the popular ConnectWise and Kaseya software.

This data encryption malware infects computers based on their language settings. When first started, Ragnar Locker checks the configured Windows language preferences. This piece of malware terminates the process if the setting is configured as one of the former USSR countries.

Figure 3: Ragnar Locker stops when executed on former USSR countries.

After that, Ragnar Locker will begin the encryption process. When encrypting files, it will skip files in the following folders, file names and extensions.

One of the interesting findings is the “Tor browser” folder.

Figure 4: Folders not encrypted by Ragnar Locker.

This detail reveals this malware is also impacting security professionals and everyone that use this specific web browser to navigate in the dark web. The completed list can be observed in the following table.

  • kernel32.dll
  • Windows
  • Windows.old
  • Tor browser
  • Internet Explorer
  • Google
  • Opera
  • Opera Software
  • Mozilla
  • Mozilla Firefox
  • $Recycle.Bin
  • ProgramData
  • All Users
  • autorun.inf
  • boot.ini
  • bootfont.bin
  • bootsect.bak
  • bootmgr
  • bootmgr.efi
  • bootmgfw.efi
  • desktop.ini
  • iconcache.db
  • ntldr
  • ntuser.dat
  • ntuser.dat.log
  • ntuser.ini
  • thumbs.db
  • .sys
  • .dll
  • .lnk
  • .msi
  • .drv
  • .exe

Table 2: List of folders, files, and extensions not encrypted by Ragnar Locker.

Ragnar Locker adds the hardcoded extension “.ragnar_*” appended to the end of the file name and “*” is replaced by a generated and unique ID. All the available files inside physical drives are encrypted and, in the end, the notepad.exe process is opened and showing the ransom note file created on the victim’s system directory, as shown in the diagram below.

Figure 5: Ragnar Locker encryption process.

Figure 6: Ransom note created on “Public Documents” folder.

In detail, a ransom note file is dropped every folder, not including those observed in Table 2.

The ransom note file starts with the “RGNR_*” prefix, and the ID also used and appended to the encrypted files.

Figure 7: Ransom note file and parts of “Ragnar Secret key” redacted.

In order to encrypt the files, the malware gets and decodes the ransom note from the .keys sections, the public key and some configs.

Figure 8: PE file .keys sections with the ransom note, encryption public key and other configs encoded.

This section is decoded in runtime and can be observed below.

Figure 9: Public key, configs and ransom note decoded during the malware execution.

When a file is encrypted, the “RAGNAR” file marker is also added to the end of each encrypted file.

Figure 10: RAGNAR” marker appended at the end of the encrypted file.

This ransomware is not equipped with a mechanism to detect whether the computer has already been compromised. A particularity is that if the malware reaches the same device more than once, it will encrypt the device over and over again. Figure 11 presents this detail, where the files were encrypted three times by Ragnar Locker.

Figure 11: The same device compromised three times by Ragnar Locker.

Ragnar Locker and other mediatic ransomwares use several techniques and commands to damage the Windows shadow copies. With this process in place, repairing potential data encryption attacks is harder.

vssadmin delete shadows /all /quiet

wmic.exe shadowcopy delete

Table 3: Command used by Ragnar Locker to damage shadow copies.

Ragnar blog, ransom page and chat

Proof-of-Concept (PoC) files and images are published on the group blog on the dark web (Figure 1 — label 4) after a compromise.

Figure 12: Ragnar Locker blog available on the dark web.

Figure 13: A leak of a specific group compromised by Ragnar Locker operators in mid-April 2020.

Inside the malware is hardcoded a link to a page with a countdown and the process to pay the ransom.

Figure 14: Countdown page with the bitcoin wallet and chat button.

Figure 15: Chat used to perform communications between ransomware operators and victims.

Prevention measures

We are living in an era where ransomware continues to grow, and the number of attacks has increased especially during the COVID-19 pandemic. There is no magic solution to prevent attacks of this nature, however, there is a set of good practices that can be applied in order to minimize the impact of data encryption attack.

  • The use of an antivirus is mandatory. This software should be regularly updated
  • Patch updates regularly and update all the software including operating systems, network devices, applications, mobile phones and other software if applicable
  • Maintain a proper backup and restore mechanism and made it mandatory
  • Regularly test the recovery function of backup and restore procedures and also test the data integrity of backups
  • Conduct simulated ransomware preparedness tests. This is a rule of thumb to check the response of your ecosystem against these kinds of attacks
  • If you use Microsoft Office, install Microsoft Office viewers and always keep macros disabled by default
  • Limit access to mapped drives whenever possible and keep file sharing disabled by default. In general, ransomware looks into shared drives and encrypts files available on the network
  • Don’t enable remote services. The organizations with RDP, VPN, proxies and servers are to be provided with better IT security standards

Security awareness training should be introduced in order to improve cyber education. The download of anything from untrusted sources should be flagged in our mind as a dangerous task.

Sources

  1. Group EDP ransomware attack from scratch, Segurança Informática
Pedro Tavares
Pedro Tavares

Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and a Security Evangelist. He is also Editor-in-Chief of the security computer blog seguranca-informatica.pt.

In recent years, he has invested in the field of information security, exploring and analyzing a wide range of topics, such as malware, reverse engineering, pentesting (Kali Linux), hacking/red teaming, mobile, cryptography, IoT, and security in computer networks. He is also a Freelance Writer.