Ragnar Locker Ransomware Disables Services of MSP Products

Delaware, USA – February 11, 2020 – At the end of December last year, another threat to corporate networks appeared: Ragnar Locker. Its authors appear to be following all the fashion trends of the end of the 2019 season. The adversaries have been operating for only a month and a half, and it is not yet known which group is behind the distribution of this strain, but according to information published by BleepingComputer, another player has gone hunting for high-profile targets and six-figure payouts. Before deploying the ransomware, the group conducts reconnaissance and steals victims' sensitive data, as several notorious cybercriminal groups do, to exert pressure on victims who decide to recover files on their own (at least, that is what the adversaries write in the ransom note). “When ready, the attackers build a highly targeted ransomware executable that contains a specific extension to use for encrypted files, an embedded RSA-2048 key, and a custom ransom note that includes the victim’s company name and ransom amount.” The ransom amount is calculated individually in each case; in the analyzed samples, the attackers demand from $200,000 to $600,000.

Ragnar Locker differs from other ransomware families in the list of Windows services that it stops before encrypting files. It targets a range of processes related to “remote management software commonly used by managed service providers, such as the popular ConnectWise and Kaseya software.” Moreover, Huntress Labs discovered that in at least one case, the adversaries used ConnectWise to deploy Ragnar Locker. To strengthen the security of your organization, you can use the Ransomware Hunter rule pack, which is designed to spot signs of such attacks at early stages and prevent file encryption: https://my.socprime.com/en/integrations/ransomware-hunter
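The service-stopping behavior described above can be hunted for in service state-change logs. The following is an added example, not part of the original article or of the Ransomware Hunter rule pack: it flags hosts where several remote-management services stop within a short window. The log layout, service display names, window and threshold are constructed assumptions; only the vendor names come from the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Vendor names come from the article; extend with the service names your own
# remote-management agents register.
MSP_KEYWORDS = ("connectwise", "kaseya")
WINDOW = timedelta(minutes=5)   # assumed correlation window
THRESHOLD = 2                   # assumed: distinct MSP services stopped per host

# Constructed sample in an assumed "timestamp host event_id message" export;
# the message text follows Service Control Manager event 7036.
SAMPLE_LOG = """\
2020-02-10T03:14:02 FS01 7036 The ConnectWise Example Agent service entered the stopped state.
2020-02-10T03:14:09 FS01 7036 The Kaseya Example Agent service entered the stopped state.
2020-02-10T03:14:30 FS01 7036 The Print Spooler service entered the running state.
2020-02-10T09:00:00 WS02 7036 The Kaseya Example Agent service entered the stopped state.
2020-02-10T09:30:00 WS03 7036 The Print Spooler service entered the stopped state.
"""

LINE_RE = re.compile(r"^(\S+) (\S+) 7036 The (.+) service entered the (\w+) state\.$")

def parse(log):
    """Yield (timestamp, host, service, state) for each well-formed 7036 line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, service, state = m.groups()
            yield datetime.fromisoformat(ts), host, service, state

def flag_hosts(log, keywords=MSP_KEYWORDS, window=WINDOW, threshold=THRESHOLD):
    """Return {host: [services]} where >= threshold MSP services stopped within window."""
    stops = defaultdict(list)
    for ts, host, service, state in parse(log):
        if state == "stopped" and any(k in service.lower() for k in keywords):
            stops[host].append((ts, service))
    alerts = {}
    for host, events in stops.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            burst = sorted({svc for ts, svc in events[i:] if ts - start <= window})
            if len(burst) >= threshold:
                alerts[host] = burst
                break
    return alerts

if __name__ == "__main__":
    for host, services in flag_hosts(SAMPLE_LOG).items():
        print(f"ALERT {host}: MSP services stopped together: {', '.join(services)}")
```

A single agent stopping, as on WS02 in the sample, is common during upgrades, which is why the check correlates several stops on one host instead of alerting on each event.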