Full Report
EXECUTIVE SUMMARY
The RagnarLocker ransomware first appeared in the wild at the end of December 2019 as part of a...
The post RagnarLocker Ransomware Threatens to Release Confidential Information appeared first on McAfee Blog.
Analysis Summary
# Tool/Technique: RagnarLocker Ransomware
## Overview
RagnarLocker is a ransomware family first observed in late December 2019. Its primary goal is to encrypt files on victim machines and demand a ransom for their decryption. A notable characteristic of RagnarLocker campaigns is the pre-deployment tactic of stealing confidential information from compromised networks and threatening to leak this data if the ransom is not paid.
## Technical Details
- Type: Malware family (Ransomware)
- Platform: Windows (Implied by API calls like `GetLocaleInfoW`, registry access to `HKLM\SOFTWARE\Microsoft\Cryptography`, and execution as an EXE)
- Capabilities: File encryption, data exfiltration threat.
- First Seen: End of December 2019
## MITRE ATT&CK Mapping
*Note: Specific ATT&CK mappings are derived from the described behaviors (anti-analysis/geo-fencing, reconnaissance actions via system info gathering) and the core function (impact).*
- **TA0001 - Initial Access** (Implied by network compromise prior to deployment)
- **TA0007 - Discovery**
- T1083 - File and Directory Discovery (Implied by the goal of file encryption)
- T1087 - Account Discovery
- T1087.001 - Local Account
- T1016 - System Network Configuration Discovery (Implied by accessing system information)
- **TA0011 - Command and Control** (Implied communication for ransom/exfiltration setup, though details are limited here)
- **TA0040 - Impact**
- T1486 - Data Encrypted for Impact
## Functionality
### Core Capabilities
- **Anti-Analysis/Geo-Fencing:** Checks the system locale using `GetLocaleInfoW`. If the language matches one of a list of CIS countries (Georgian, Russian, Ukrainian, Moldavian, Belarusian, Azerbaijani, Turkmen, Kyrgyz, Kazakh, Uzbek, Tajik), the malware terminates itself with exit code 0x29A to avoid infecting systems in those regions; English-language systems are not excluded.
- **System Information Gathering:** Collects critical system data using Windows API calls:
- Computer Name (`GetComputerNameW`)
- Active Username (`GetUserNameW`)
- Machine GUID from `HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid`
- Operating System Name from `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName`
- **Unique Identifier Generation:** Concatenates the collected data in a fixed order (GUID, OS Name, Username, Machine Name, Full String), computes a custom hash over each piece and over the combined string, and formats the results with `wsprintfW` into a final hyphen-separated identifier string.
- **Execution Check:** Checks the process command line arguments; terminates if it has more than one argument.
### Advanced Features
- **Double Extortion:** Threatens to publish exfiltrated confidential data if the ransom is not paid.
- **Information Harvesting:** Steals information *before* file encryption occurs.
- **Custom Packer:** Uses a custom packer to obfuscate the binary (unpacked size is approximately 48 KB).
- **Programming Language:** C/C++.
## Indicators of Compromise
- File Hashes:
- SHA256: `7af61ce420051640c50b0e73e718dd8c55dddfcb58917a3bead9d3ece2f3e929`
- SHA1: `60747604d54a18c4e4dc1a2c209e77a793e64dde`
- File Names: `malware.exe` (Example name)
- Registry Keys:
- `HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid` (Read)
- `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName` (Read)
- Network Indicators: [None explicitly listed in the provided text block]
- Behavioral Indicators: Termination upon detecting CIS language settings; reading the machine GUID and OS name from the registry; building a custom identifier string from system configuration, potentially for C2 communication or payload differentiation.
## Associated Threat Actors
- RagnarLocker operators (General association, specific named group not mentioned in this excerpt).
## Detection Methods
- Signature-based detection: Available via McAfee products (Antivirus, endpoint, gateway).
- Behavioral detection: Monitoring API calls related to locale checking (`GetLocaleInfoW`), system information retrieval, and memory allocation (`VirtualAlloc`) followed by immediate encryption routines.
- YARA rules: [Not provided in the text]
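As an added illustration of the behavioral detection bullet above (example code written for this summary, not from the McAfee post or its authors): a small Python checker that scores constructed API-trace lines against the call sequence this report describes. The trace line format, the stage names and the sample traces are assumptions, not real sandbox output.

```python
import re

# Behavioural stages described in this report, each as a regex over one
# API-trace line. Stage names are our own labels (assumed, not McAfee's).
STAGES = [
    ("locale_check", re.compile(r"\bGetLocaleInfoW\b")),
    ("machine_guid", re.compile(r"Cryptography.*MachineGuid", re.I)),
    ("os_name", re.compile(r"CurrentVersion.*ProductName", re.I)),
    ("host_user", re.compile(r"\b(GetComputerNameW|GetUserNameW)\b")),
    ("id_format", re.compile(r"\bwsprintfW\b")),
    ("alloc", re.compile(r"\bVirtualAlloc\b")),
]

def stage_hits(trace_lines):
    """Map each stage name to the index of the first trace line matching it."""
    hits = {}
    for i, line in enumerate(trace_lines):
        for name, rx in STAGES:
            if name not in hits and rx.search(line):
                hits[name] = i
    return hits

def classify(trace_lines, min_stages=4):
    """Return (verdict, stages-in-order-seen).

    The locale check is the first thing the sample does, so we require it
    to precede every other matched stage; benign software that merely
    reads ProductName and calls VirtualAlloc does not score."""
    hits = stage_hits(trace_lines)
    first = hits.get("locale_check")
    ordered = first is not None and all(first <= i for i in hits.values())
    verdict = "suspicious" if ordered and len(hits) >= min_stages else "benign"
    return verdict, sorted(hits, key=hits.get)

# Constructed sample traces (not captured from real execution).
SUSPICIOUS_TRACE = [
    '0.001 GetLocaleInfoW(LOCALE_USER_DEFAULT, LOCALE_SISO639LANGNAME) -> "en"',
    '0.002 GetComputerNameW() -> "DESKTOP-LAB01"',
    '0.003 GetUserNameW() -> "analyst"',
    '0.004 RegQueryValueExW(HKLM\\SOFTWARE\\Microsoft\\Cryptography, "MachineGuid")',
    '0.005 RegQueryValueExW(HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion, "ProductName")',
    '0.006 wsprintfW(buf, "%s-%s-%s-%s-%s", ...)',
    '0.007 VirtualAlloc(NULL, 0xC000, MEM_COMMIT, PAGE_EXECUTE_READWRITE)',
]
BENIGN_TRACE = [
    '0.001 RegQueryValueExW(HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion, "ProductName")',
    '0.002 VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE)',
    '0.003 GetComputerNameW() -> "DESKTOP-LAB01"',
]

if __name__ == "__main__":
    print(classify(SUSPICIOUS_TRACE))  # ('suspicious', [...6 stages...])
    print(classify(BENIGN_TRACE))      # ('benign', [...3 stages...])
```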
## Mitigation Strategies
- Use of supported security products (McAfee personal antivirus, endpoint, and gateway).
- Network filtering to block the initial network access that operators rely on before deployment.
- Continuous monitoring for precursor activities such as data staging/exfiltration before encryption events.
## Related Tools/Techniques
- Other ransomware families employing double extortion tactics.