RagnarLocker

From Wikipedia, the free encyclopedia

RagnarLocker (sometimes written "Ragnar Locker") is a ransomware hacker group that uses virtual machine escape techniques to encrypt victims' system files. It first surfaced in December 2019.[1]

RagnarLocker
Abbreviation: Ragnar Locker
Formation: December 2019
Type: Hacking
Purpose: Extortion

History

First appearing at the end of 2019 (and likely originating from Eastern Europe, since it does not attack computers in former USSR countries),[2] it carried out its first major attack on the Portuguese electric company Energias de Portugal,[3] where it demanded a ransom of 10.9 million dollars and threatened to leak 10 terabytes of data.

During 2022, it also attacked the video game company Capcom and the beverage company Campari.[4][5][6]

Function

Ragnar Locker operates by using an eponymously named malware called RagnarLocker.[7] First, the dropper (usually delivered through a vulnerability in Remote Desktop Protocol) checks the operating system's language. If it is set to a language used in the former Soviet Union, it stops. Otherwise, it starts by sending a copy of system files to its central server and then downloads a package containing a version of VirtualBox, configured so that the guest can see the host computer's drives, and a Windows XP image that contains the malware, which itself is only about 49 kB in size.[8]

The dropper, after disabling security-related services and services that could keep logs active (such as DBMS software), launches the virtual machine and the ransomware via a batch script. The ransomware then encrypts files on the host computer without raising suspicion, because from the host's perspective the file operations are performed by the VirtualBox process rather than by the ransomware itself.[9]

At the end of the process, a personalized ransom note is left behind on the victim's computer.[10]
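As an added illustration (not code from the article, from RagnarLocker, or from any vendor), the following detector looks for the behaviour the section describes: a virtualization binary launched from a non-standard path, a burst of host-file writes attributed to that process, and preceding service-stop commands. The pipe-separated log format, the process names, the expected install directory and the write threshold are all assumptions made for this example.

```python
import re
from collections import Counter
from typing import Dict, List

# Process names and install directory are assumptions for this illustration.
VM_PROCESSES = {"vboxheadless.exe", "virtualbox.exe", "vboxsvc.exe"}
EXPECTED_VM_DIRS = (r"c:\program files\oracle\virtualbox",)
SERVICE_STOP = re.compile(r"\b(net\s+stop|sc\s+stop|taskkill)\b", re.I)
WRITE_THRESHOLD = 3  # constructed threshold; tune per environment

# Constructed sample telemetry in the form "time|event|process|image_path|target".
SAMPLE_LOG = "\n".join([
    r"10:00:01|ProcessCreate|cmd.exe|C:\Windows\System32\cmd.exe|net stop MSSQLSERVER",
    r"10:00:02|ProcessCreate|cmd.exe|C:\Windows\System32\cmd.exe|sc stop EventLog",
    r"10:00:05|ProcessCreate|VBoxHeadless.exe|C:\Users\Public\vb\VBoxHeadless.exe|--startvm micro",
    r"10:00:09|FileWrite|VBoxHeadless.exe|C:\Users\Public\vb\VBoxHeadless.exe|C:\Users\a\Documents\q1.xlsx",
    r"10:00:09|FileWrite|VBoxHeadless.exe|C:\Users\Public\vb\VBoxHeadless.exe|C:\Users\a\Documents\q2.xlsx",
    r"10:00:10|FileWrite|VBoxHeadless.exe|C:\Users\Public\vb\VBoxHeadless.exe|C:\Shares\finance\ledger.db",
    r"10:00:11|FileWrite|explorer.exe|C:\Windows\explorer.exe|C:\Users\a\Desktop\notes.txt",
])


def parse(line: str) -> Dict[str, str]:
    """Split one log line into its fields; the target may itself contain '|'."""
    time, event, proc, image, target = line.split("|", 4)
    return {"time": time, "event": event, "proc": proc.lower(),
            "image": image.lower(), "target": target}


def analyze(log: str) -> List[str]:
    """Return human-readable findings for the VM-hosted encryption pattern."""
    findings: List[str] = []
    service_stops = 0
    writes: Counter = Counter()  # host-file writes per virtualization process
    for line in log.strip().splitlines():
        if not line:
            continue
        ev = parse(line)
        if ev["event"] == "ProcessCreate" and SERVICE_STOP.search(ev["target"]):
            service_stops += 1
        if ev["proc"] not in VM_PROCESSES:
            continue
        if ev["event"] == "ProcessCreate" and not ev["image"].startswith(EXPECTED_VM_DIRS):
            findings.append(f"virtualization binary launched from unexpected path: {ev['image']}")
        elif ev["event"] == "FileWrite":
            writes[ev["proc"]] += 1
    for proc, n in writes.items():
        if n >= WRITE_THRESHOLD:
            findings.append(f"{proc} wrote {n} host files (possible VM-hosted encryption)")
            if service_stops:
                findings.append(f"preceded by {service_stops} service-stop command(s)")
    return findings
```

Running `analyze(SAMPLE_LOG)` yields three findings; an ordinary process writing files, or VirtualBox started from its expected directory with few writes, produces none.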

Arrests

Between October 16 and 20, 2023, Europol and Eurojust conducted a series of seizures and arrests in Czechia, Spain and Latvia in response to RagnarLocker's criminal activity.[11] On October 20, an alleged main suspect and developer was brought before the examining magistrates of the Paris Judicial Court.[12]

The ransomware’s infrastructure was also seized in the Netherlands, Germany and Sweden and the associated data leak website on Tor was taken down in Sweden.[13]

References

  1. https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-developer-arrested-in-france/#:~:text=surfaced%20in%20late%20December%202019%20
  2. https://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector?hs_amp=true#:~:text=The%20first%20activity,Independent%20States%20CIS:
  3. https://www.bitdefender.com/en-us/blog/hotforsecurity/portuguese-energy-company-hit-with-ragnar-locker-ransomware-attackers-demand-10-million-to-decrypt-the-data
  4. https://www.capcom.co.jp/ir/english/news/html/e210413.html
  5. https://www.camparigroup.com/sites/default/files/downloads/20201106_Campari%20Group%20Press%20Release_ENG_Final.pdf
  6. https://www.bitdefender.com/en-us/blog/hotforsecurity/campari-staggers-to-its-feet-following-15-million-ragnar-locker-ransomware-attack
  7. https://therecord.media/rangar-locker-ransomware-arrest-paris#:~:text=Europol%20said%20Ragnar%20Locker%20is%20both%20the%20name%20of%20the%20ransomware%20strain%20and%20the%20criminal%20group%20that%20developed%20and%20operated%20the%20malware
  8. https://news.sophos.com/en-us/2020/05/22/the-ransomware-that-attacks-you-from-inside-a-virtual-machine/?amp=1
  9. https://news.sophos.com/en-us/2020/05/22/the-ransomware-that-attacks-you-from-inside-a-virtual-machine/?amp=1
  10. https://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector?hs_amp=true#:~:text=Following%20the%20machine%20encryption%2C%20Ragnar%20Locker%20creates%20a%20notepad.exe%20process%20that%20presents%20the%20ransom%20note%20to%20the%20user%E2%80%99s%20screen%20with%20the%20ransom%20and%20payment%20information
  11. https://www.europol.europa.eu/media-press/newsroom/news/ragnar-locker-ransomware-gang-taken-down-international-police-swoop
  12. https://www.europol.europa.eu/media-press/newsroom/news/ragnar-locker-ransomware-gang-taken-down-international-police-swoop
  13. https://www.europol.europa.eu/media-press/newsroom/news/ragnar-locker-ransomware-gang-taken-down-international-police-swoop