
S0481 Ragnar Locker

Ragnar Locker is a ransomware that has been in use since at least December 2019.[1][2]

| Item | Value |
| --- | --- |
| ID | S0481 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 29 June 2020 |
| Last Modified | 13 April 2021 |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Ragnar Locker has used cmd.exe and batch scripts to execute commands.[1] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | Ragnar Locker has used sc.exe to create a new service for the VirtualBox driver.[1] |
| enterprise | T1486 | Data Encrypted for Impact | Ragnar Locker encrypts files on the local machine and on mapped drives before displaying a note demanding a ransom.[1][2] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.006 | Run Virtual Instance | Ragnar Locker has used VirtualBox and a stripped-down Windows XP virtual machine to run itself. A shared folder specified in the configuration lets Ragnar Locker encrypt files on the host operating system, including files on any mapped drives.[1] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Ragnar Locker has attempted to terminate or stop processes and services associated with endpoint security products.[1] |
| enterprise | T1490 | Inhibit System Recovery | Ragnar Locker can delete volume shadow copies using `vssadmin delete shadows /all /quiet`.[1] |
| enterprise | T1120 | Peripheral Device Discovery | Ragnar Locker may attempt to connect to removable drives and mapped network drives.[1] |
| enterprise | T1489 | Service Stop | Ragnar Locker has attempted to stop services associated with business applications and databases, releasing the locks those applications hold on files so that the files can be encrypted.[1] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.007 | Msiexec | Ragnar Locker has been delivered as an unsigned MSI package that was executed with msiexec.exe.[1] |
| enterprise | T1218.010 | Regsvr32 | Ragnar Locker has used regsvr32.exe to execute components of VirtualBox.[1] |
| enterprise | T1218.011 | Rundll32 | Ragnar Locker has used rundll32.exe to execute components of VirtualBox.[1] |
| enterprise | T1614 | System Location Discovery | Before executing its malicious code, Ragnar Locker calls the Windows API GetLocaleInfoW and does not encrypt files if the system locale belongs to a former Soviet country.[3] |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.002 | Service Execution | Ragnar Locker has used sc.exe to start the service that it creates.[1] |
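The behaviours in the table above are almost all visible in process-creation telemetry, so they can be turned into detection logic. The following is an added example, not code from MITRE ATT&CK or from the reports it cites, and it is not derived from a Ragnar Locker sample. It runs a set of heuristics keyed to the technique IDs above over constructed Sysmon Event ID 1 style records (Image, ParentImage, CommandLine). Assumptions: VirtualBox components are recognised by the VBox prefix in their file names (VBoxC.dll, VBoxRT.dll, VBoxDRV.sys and similar); the service name VBoxDRV, the export name ExampleExport, the paths and the stopped service names in the sample events are illustrative; and the threshold of three stop/kill commands from one parent before calling it T1489 is arbitrary.

```python
"""Process-creation detections for the Ragnar Locker techniques listed on this page.

Added example; not MITRE's code and not derived from the malware. Field names
follow Sysmon Event ID 1; every value in SAMPLE_EVENTS is constructed.
"""
import re
from collections import Counter

# Constructed sample events. Service, file and export names are illustrative,
# not indicators taken from a real Ragnar Locker sample.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\Public\setup.msi /qn"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"cmd.exe /c C:\Users\Public\install.bat"},
    {"Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"regsvr32.exe /S C:\Users\Public\VBoxC.dll"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\VBoxRT.dll,ExampleExport"},  # hypothetical export
    {"Image": r"C:\Windows\System32\sc.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"sc create VBoxDRV binpath= C:\Users\Public\VBoxDRV.sys type= kernel"},
    {"Image": r"C:\Windows\System32\sc.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"sc start VBoxDRV"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"vssadmin delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\net.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"net stop MSSQLSERVER /y"},
    {"Image": r"C:\Windows\System32\net.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"net stop ExampleBackupSvc /y"},  # constructed service name
    {"Image": r"C:\Windows\System32\taskkill.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"taskkill /F /IM sqlservr.exe"},
    # Benign activity that the rules below must not flag.
    {"Image": r"C:\Windows\System32\sc.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"sc query wuauserv"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# Directories a standard user can write to; LOLBins loading payloads from here deserve a look.
USER_WRITABLE = re.compile(r"\\(users\\public|users\\[^\\]+\\appdata|windows\\temp|programdata)\\", re.I)
# Assumption: any file name starting with VBox is a VirtualBox component (VBoxC.dll, VBoxRT.dll, VBoxDRV.sys ...).
VBOX_FILE = re.compile(r"\\vbox[^\\\s,]*", re.I)
# Service/process stop commands: sc stop, net stop, taskkill ... /IM
STOP_KILL = re.compile(r"^(?:sc(?:\.exe)?\s+stop|net1?(?:\.exe)?\s+stop|taskkill(?:\.exe)?\b.*?/im)\b", re.I)
MASS_STOP_THRESHOLD = 3  # arbitrary: stop/kill commands from one parent before we call it T1489


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of (technique_id, evidence) tuples for the events given, in order seen."""
    hits = []
    created_services = set()    # names from `sc create <name>`, for T1569.002 correlation
    stops_by_parent = Counter()  # parent image -> number of stop/kill commands spawned

    for ev in events:
        image = _basename(ev["Image"])
        cmd = ev["CommandLine"]
        vbox = bool(VBOX_FILE.search(cmd))

        if image == "vssadmin.exe" and re.search(r"\bdelete\b.*\bshadows\b", cmd, re.I):
            hits.append(("T1490", cmd))
        elif image == "cmd.exe" and re.search(r"\.(?:bat|cmd)\b", cmd, re.I) and USER_WRITABLE.search(cmd):
            hits.append(("T1059.003", cmd))
        elif image == "msiexec.exe" and re.search(r"(?:^|\s)/i\b", cmd, re.I) and USER_WRITABLE.search(cmd):
            # A process event cannot show that the MSI is unsigned; pair this with an
            # Authenticode check on the file if the rule needs that condition.
            hits.append(("T1218.007", cmd))
        elif image in ("regsvr32.exe", "rundll32.exe") and USER_WRITABLE.search(cmd):
            hits.append(("T1218.010" if image == "regsvr32.exe" else "T1218.011", cmd))
            if vbox:
                hits.append(("T1564.006", cmd))
        elif image == "sc.exe":
            m = re.match(r"sc(?:\.exe)?\s+create\s+(\S+)", cmd, re.I)
            if m and (USER_WRITABLE.search(cmd) or vbox):
                created_services.add(m.group(1).lower())
                hits.append(("T1543.003", cmd))
                if vbox:
                    hits.append(("T1564.006", cmd))
                continue
            m = re.match(r"sc(?:\.exe)?\s+start\s+(\S+)", cmd, re.I)
            if m and m.group(1).lower() in created_services:
                hits.append(("T1569.002", cmd))  # starting a service this same trace created
                continue

        if STOP_KILL.match(cmd):
            stops_by_parent[ev["ParentImage"]] += 1

    for parent, n in stops_by_parent.items():
        if n >= MASS_STOP_THRESHOLD:
            hits.append(("T1489", f"{n} service/process stop commands spawned by {parent}"))
    return hits


if __name__ == "__main__":
    for technique, evidence in detect(SAMPLE_EVENTS):
        print(f"{technique:10} {evidence}")
```

The sc.exe branch keeps state across events so that `sc start` only fires when the service was created earlier in the same trace, and the stop/kill rule counts per parent rather than firing on every `net stop`, which would be noisy on any server doing maintenance. The T1614 locale check is not covered because it is an in-process API call that leaves no process-creation event; it would need API-level telemetry or sandbox instrumentation.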

References