S0481 Ragnar Locker
Ragnar Locker is ransomware that has been in use since at least December 2019.[1][2]
| Item | Value |
|---|---|
| ID | S0481 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 29 June 2020 |
| Last Modified | 13 April 2021 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Ragnar Locker has used `cmd.exe` and batch scripts to execute commands.[1] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | Ragnar Locker has used `sc.exe` to create a new service for the VirtualBox driver.[1] |
| enterprise | T1486 | Data Encrypted for Impact | Ragnar Locker encrypts files on the local machine and on mapped drives before displaying a note demanding a ransom.[1][2] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.006 | Run Virtual Instance | Ragnar Locker has used VirtualBox and a stripped-down Windows XP virtual machine to run itself. A shared folder specified in the configuration lets Ragnar Locker encrypt files on the host operating system, including files on any mapped drives.[1] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Ragnar Locker has attempted to terminate or stop processes and services associated with endpoint security products.[1] |
| enterprise | T1490 | Inhibit System Recovery | Ragnar Locker can delete volume shadow copies using `vssadmin delete shadows /all /quiet`.[1] |
| enterprise | T1120 | Peripheral Device Discovery | Ragnar Locker may attempt to connect to removable drives and mapped network drives.[1] |
| enterprise | T1489 | Service Stop | Ragnar Locker has attempted to stop services associated with business applications and databases to release the locks these applications hold on their files, so that the files can be encrypted.[1] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.007 | Msiexec | Ragnar Locker has been delivered as an unsigned MSI package that was executed with `msiexec.exe`.[1] |
| enterprise | T1218.010 | Regsvr32 | Ragnar Locker has used `regsvr32.exe` to execute components of VirtualBox.[1] |
| enterprise | T1218.011 | Rundll32 | Ragnar Locker has used `rundll32.exe` to execute components of VirtualBox.[1] |
| enterprise | T1614 | System Location Discovery | Before executing malicious code, Ragnar Locker queries the Windows API `GetLocaleInfoW` and does not encrypt files if the locale corresponds to a former Soviet country.[3] |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.002 | Service Execution | Ragnar Locker has used `sc.exe` to execute a service that it creates.[1] |
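Several rows in the table above describe behaviours that leave a clear trace in Windows process-creation telemetry: `vssadmin delete shadows /all /quiet` (T1490), `sc.exe` creating a service for a VirtualBox driver (T1543.003), and `regsvr32.exe` / `rundll32.exe` loading VirtualBox components (T1218.010, T1218.011). The script below is an added illustration of how a defender might turn those rows into detection logic; it is not code from ATT&CK, MITRE, or any of the cited reports. The process events, file names and paths it scans are constructed sample values patterned on VirtualBox component naming, not indicators from the referenced reports, and the rule patterns are assumptions chosen to match the table's descriptions.

```python
"""Map the ATT&CK rows for Ragnar Locker to simple process-creation rules.

Added example: runs over constructed events (no real telemetry). A single rule
firing is only a lead; sc.exe creating a VirtualBox service can be an admin
installing VirtualBox. Several of these techniques on one host in a short
window is the stronger signal, which is what ragnar_like() scores.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    technique: str       # ATT&CK technique ID from the table above
    title: str
    image: re.Pattern    # matched against the process image path
    cmdline: re.Pattern  # matched against the full command line


def _img(name: str) -> re.Pattern:
    """Match an image name at the end of a Windows path, case-insensitively."""
    return re.compile(r"(?:^|\\)" + re.escape(name) + r"$", re.IGNORECASE)


# Patterns are assumptions derived from the table's wording, not from the reports.
RULES = (
    Rule("T1490", "Shadow copies deleted with vssadmin",
         _img("vssadmin.exe"),
         re.compile(r"\bdelete\s+shadows\b.*/all", re.IGNORECASE)),
    Rule("T1543.003", "sc.exe creating a service for a VirtualBox driver",
         _img("sc.exe"),
         re.compile(r"\bcreate\b.*(?:vbox|virtualbox)", re.IGNORECASE)),
    Rule("T1218.010", "regsvr32 loading a VirtualBox component",
         _img("regsvr32.exe"),
         re.compile(r"vbox\w*\.dll", re.IGNORECASE)),
    Rule("T1218.011", "rundll32 loading a VirtualBox component",
         _img("rundll32.exe"),
         re.compile(r"vbox\w*\.dll", re.IGNORECASE)),
)

# Constructed process-creation events (image path + command line). The
# VirtualBox-style file names and the C:\ProgramData\VirtualBox path are
# placeholders, not indicators taken from the cited reports.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},            # T1490
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},                          # benign
    {"image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc create VBoxDRV binPath= C:\ProgramData\VirtualBox\VBoxDRV.sys type= kernel"},  # T1543.003
    {"image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc query wuauserv"},                              # benign
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /S C:\ProgramData\VirtualBox\VBoxC.dll"},  # T1218.010
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32 C:\ProgramData\VirtualBox\VBoxRT.dll,RTR3Init"},  # T1218.011
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32 shell32.dll,Control_RunDLL"},            # benign
]


def detect(events):
    """Return (technique, event_index, title) for every rule that fires."""
    hits = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            if rule.image.search(ev["image"]) and rule.cmdline.search(ev["cmdline"]):
                hits.append((rule.technique, idx, rule.title))
    return hits


def techniques_seen(events):
    """Distinct technique IDs observed in the event set, sorted."""
    return sorted({technique for technique, _, _ in detect(events)})


def ragnar_like(events, threshold=2):
    """Escalate when at least `threshold` distinct techniques from the set fire.

    The threshold is a tuning assumption: one hit is a lead, a cluster of
    shadow-copy deletion plus VirtualBox staging is worth an analyst's time.
    """
    return len(techniques_seen(events)) >= threshold


if __name__ == "__main__":
    for technique, idx, title in detect(SAMPLE_EVENTS):
        print(f"{technique:10} event[{idx}] {title}")
    print("escalate:", ragnar_like(SAMPLE_EVENTS))
```

In a real deployment the events would come from Sysmon event ID 1 or Windows Security event 4688 with command-line auditing enabled, and the host and time window would be part of the correlation key; the rules here deliberately ignore the T1489 and T1562.001 rows because the table does not say which commands Ragnar Locker uses to stop services, so any pattern for those would be a guess.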
References
1. SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.
2. Gold, B. (2020, April 27). Cynet Detection Report: Ragnar Locker Ransomware. Retrieved June 29, 2020.
3. FBI. (2020, November 19). Indicators of Compromise Associated with Ragnar Locker Ransomware. Retrieved April 1, 2021.