| Abbreviation | Ragnar Locker |
|---|---|
| Formation | December 2019 |
| Type | Hacking |
| Purpose | Extortion |
RagnarLocker (sometimes written "Ragnar Locker") is a ransomware hacker group which uses virtual machine escape techniques to encrypt a victim's system files. It first surfaced in December 2019.[1]
History
First appearing at the end of 2019 (and likely originating from Eastern Europe, since it does not attack computers in former USSR countries),[2] the group carried out its first major attack on the Portuguese electric company Energias de Portugal,[3] where it demanded a ransom of 10.9 million dollars and threatened to leak 10 terabytes of data.
During 2022, it also attacked the video game company Capcom and the beverage company Campari.[4][5][6]
Function
Ragnar Locker operates by using an eponymously named malware called RagnarLocker.[7] First, the dropper (usually delivered through a vulnerability in Remote Desktop Protocol) checks the operating system's language. If it is set to a language used in the former Soviet Union, it stops. Otherwise, it starts by sending a copy of system files to its central server and then downloads a package containing a version of VirtualBox configured to expose the host computer's drives to the guest, together with an image of Windows XP that contains the malware, which itself is only about 49 kB in size.[8]
After disabling security-related services and services that could keep logs open (such as database management software), the dropper launches the virtual machine and the ransomware via a batch script. The ransomware encrypts files on the host computer without raising suspicion, since the file operations appear to come from VirtualBox rather than from the ransomware itself.[8]
At the end of the process, a personalized ransom note is left behind on the victim's computer.[9]
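As an added illustration from a defender's perspective (it is not part of the original article and not code from any of the cited sources), the following Python script turns the behavioural chain described above into a simple detection rule over process-creation telemetry: a burst of service stops from a batch script, a VirtualBox binary run from outside its normal install directory, and whole host drives handed to the guest, all on one host within a short window. Every log line, host name and path is constructed for the example. Two details are assumptions of this example rather than facts from the article: that the host's drives reach the guest as VirtualBox shared folders added with `VBoxManage sharedfolder add`, and that a legitimately installed VirtualBox lives under `C:\Program Files\Oracle\VirtualBox`.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed location of a legitimately installed VirtualBox on Windows; the same
# binaries run from anywhere else are treated as a dropped, attacker-supplied copy.
VBOX_STANDARD_DIR = r"c:\program files\oracle\virtualbox"
VBOX_BINARIES = {"vboxheadless.exe", "virtualbox.exe", "vboxmanage.exe", "vboxsvc.exe"}

# Batch-script style service stops, as the article describes for the dropper.
SERVICE_STOP_RE = re.compile(r"\b(?:net\s+stop|sc\s+stop|taskkill)\b", re.IGNORECASE)
# 'VBoxManage sharedfolder add ... --hostpath C:\' : a whole host drive given to the guest
# (the shared-folder mechanism is an assumption of this example).
HOST_ROOT_SHARE_RE = re.compile(
    r'sharedfolder\s+add\b.*--hostpath\s+"?[A-Za-z]:\\?"?(?=\s|$)', re.IGNORECASE)

# Constructed sample telemetry, one event per line: ts|host|image|cmdline. Not real logs.
SAMPLE_LOG = r"""
# ts|host|image|cmdline
2023-10-01T02:14:05|ws01|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Users\Public\install.bat
2023-10-01T02:14:06|ws01|C:\Windows\System32\net.exe|net stop "MSSQLSERVER" /y
2023-10-01T02:14:07|ws01|C:\Windows\System32\net.exe|net stop "SQLWriter" /y
2023-10-01T02:14:08|ws01|C:\Windows\System32\sc.exe|sc stop EventLog
2023-10-01T02:14:20|ws01|C:\Users\Public\vbox\VBoxManage.exe|VBoxManage.exe sharedfolder add micro --name C --hostpath C:\ --automount
2023-10-01T02:14:21|ws01|C:\Users\Public\vbox\VBoxManage.exe|VBoxManage.exe sharedfolder add micro --name D --hostpath D:\ --automount
2023-10-01T02:14:25|ws01|C:\Users\Public\vbox\VBoxHeadless.exe|VBoxHeadless.exe --startvm micro
2023-10-01T09:30:00|dev07|C:\Program Files\Oracle\VirtualBox\VirtualBox.exe|VirtualBox.exe --startvm ubuntu-test
2023-10-01T09:31:00|dev07|C:\Program Files\Oracle\VirtualBox\VBoxManage.exe|VBoxManage.exe sharedfolder add ubuntu-test --name proj --hostpath C:\Users\dev\proj
2023-10-01T11:00:00|ws02|C:\Windows\System32\net.exe|net stop Spooler
"""


def parse_line(line):
    """Split one pipe-delimited telemetry line into a dict with a parsed timestamp."""
    ts, host, image, cmdline = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "image": image, "cmdline": cmdline}


def classify(event):
    """Return the set of suspicious behaviours a single event exhibits (empty if none)."""
    tags = set()
    if SERVICE_STOP_RE.search(event["cmdline"]):
        tags.add("service_stop")
    image = event["image"].lower()
    if image.rsplit("\\", 1)[-1] in VBOX_BINARIES and not image.startswith(VBOX_STANDARD_DIR):
        tags.add("vbox_nonstandard_path")
    if HOST_ROOT_SHARE_RE.search(event["cmdline"]):
        tags.add("host_drive_shared")
    return tags


def detect(lines, window=timedelta(minutes=10), min_service_stops=3):
    """Alert per host when service stops, a dropped VirtualBox and a host-drive share
    all occur within `window`; a developer's normal VirtualBox use does not trip it."""
    per_host = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        event = parse_line(line)
        event["tags"] = classify(event)
        if event["tags"]:
            per_host[event["host"]].append(event)

    alerts = []
    for host, events in per_host.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            span = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            stops = sum("service_stop" in e["tags"] for e in span)
            dropped_vbox = any("vbox_nonstandard_path" in e["tags"] for e in span)
            host_share = any("host_drive_shared" in e["tags"] for e in span)
            if stops >= min_service_stops and dropped_vbox and host_share:
                alerts.append({"host": host, "start": first["ts"].isoformat(),
                               "service_stops": stops, "events": len(span)})
                break  # one alert per host is enough for triage
    return alerts


def run_sample():
    """Run the rule over the constructed telemetry above."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only `ws01` produces an alert: the developer host `dev07` runs VirtualBox from its installed location and shares a single project folder, and `ws02` stops one service, so neither meets the combined condition. In real telemetry the same three signals would be taken from process-creation events (for example Sysmon event ID 1), and the service-stop threshold and window would be tuned to the environment.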
Arrests
Between October 16 and 20, 2023, Europol and Eurojust conducted a series of seizures and arrests in Czechia, Spain and Latvia in response to RagnarLocker's criminal activity.[10] On October 20, the alleged main suspect and developer was brought before the examining magistrates of the Paris Judicial Court.[10]
The ransomware's infrastructure was also seized in the Netherlands, Germany and Sweden, and the associated data leak website on Tor was taken down in Sweden.[10]
References
1. "Ragnar Locker ransomware developer arrested in France". BleepingComputer.
2. "THREAT ANALYSIS REPORT: Ragnar Locker Ransomware Targeting the Energy Sector". cybereason.com.
3. Truță, Filip. "Portuguese Energy Company Hit with Ragnar Locker Ransomware; Attackers Demand $10 Million to Decrypt the Data". Hot for Security.
4. "4th Update Regarding Data Security Incident Due to Unauthorized Access: Investigation Results". www.capcom.co.jp (Press release).
5. "Malware attack: data security update" (PDF) (Press release). Campari Group.
6. Cluley, Graham. "Campari staggers to its feet following $15 million Ragnar Locker ransomware attack". Hot for Security.
7. "Europol: 'Key target' in Ragnar Locker ransomware operation arrested in Paris". therecord.media.
8. "The ransomware that attacks you from inside a virtual machine". Sophos. May 22, 2020.
9. "THREAT ANALYSIS REPORT: Ragnar Locker Ransomware Targeting the Energy Sector". cybereason.com.
10. "Ragnar Locker ransomware gang taken down by international police swoop". Europol (Press release).