RagnarLocker
| Abbreviation | Ragnar Locker |
|---|---|
| Formation | December 2019 |
| Type | Hacking |
| Purpose | Extortion |
RagnarLocker (sometimes written "Ragnar Locker") is a ransomware group whose malware runs its file encryptor inside a VirtualBox virtual machine with the host's drives attached as shared folders, so that the victims' files are encrypted by the trusted hypervisor process rather than by a process that endpoint security software would flag. It first surfaced in December 2019.[1]
History
First appearing at the end of 2019, and likely originating from Eastern Europe given that it does not attack computers in former USSR countries,[2] the group carried out its first major attack in April 2020 on the Portuguese electric utility Energias de Portugal,[3] demanding a ransom of 10.9 million dollars and threatening to leak 10 terabytes of data.
In November 2020, it also attacked the video game company Capcom and the beverage company Campari.[4][5][6]
Function
Ragnar Locker operates using an eponymous piece of malware, RagnarLocker.[7] The dropper (usually delivered after access is gained through Remote Desktop Protocol) first checks the operating system's language setting: if it is set to a language used in the former Soviet Union, it stops. Otherwise it begins by exfiltrating a copy of the victim's files to a server under the attackers' control, then downloads a package containing a copy of VirtualBox, configured to attach the host computer's local and mapped network drives to the guest as shared folders, and a stripped-down Windows XP image that contains the ransomware executable, which is itself only about 49 kB in size.[8]
The dropper, after stopping security-related services and services that could keep files locked and so block encryption (such as database and backup software), launches the virtual machine and the ransomware inside it via a batch script. The ransomware then encrypts the files on the host computer through the shared folders without raising suspicion, since the writes to the host's disks appear to come from the VirtualBox process rather than from the ransomware itself.[8]
At the end of the process, a personalized ransom note is left behind on the victim's computer.[9]
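The chain described above (service stops, host drives exposed to a VirtualBox guest as shared folders, headless VM start) is something a SOC can correlate from ordinary process-creation telemetry. The following is an added example, not code from the page or from any vendor: it runs a simple time-window correlation over constructed Sysmon-style events. The service-name keywords, the 15-minute window and the sample command lines are assumptions for illustration, not values taken from the article.

```python
"""Correlate the Ragnar Locker VM-based encryption chain from process events.

Added example (not from the page or any vendor). Events are dicts with
"host", "time" (ISO 8601) and "cmdline"; telemetry below is constructed.
"""
import re
from datetime import datetime, timedelta

# Assumption: service-name fragments whose stopping is suspicious when it is
# followed by a VM launch (backup, shadow copy, database and AV products).
SERVICE_KEYWORDS = ("vss", "sql", "veeam", "backup", "sophos", "memtas", "mepocs")
WINDOW = timedelta(minutes=15)  # assumption: how close the steps must be

STOP_RE = re.compile(r"\b(?:sc|net)(?:\.exe)?\s+stop\s+\"?([\w\-$]+)\"?", re.I)
TASKKILL_RE = re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+\"?([\w\-.]+)\"?", re.I)
# Only a drive *root* as --hostpath counts; a sub-directory share is normal use.
SHARE_RE = re.compile(r"sharedfolder\s+add\b.*?--hostpath\s+\"?([A-Za-z]:\\?)\"?(?=\s|$)", re.I)
STARTVM_RE = re.compile(r"\b(?:VBoxHeadless|VBoxManage)(?:\.exe)?\b.*?(?:--startvm|startvm)\b", re.I)


def classify(event):
    """Tag one process-creation event, or return None if it is uninteresting."""
    cmd = event["cmdline"]
    m = STOP_RE.search(cmd) or TASKKILL_RE.search(cmd)
    if m and any(k in m.group(1).lower() for k in SERVICE_KEYWORDS):
        return ("service_stop", m.group(1))
    m = SHARE_RE.search(cmd)
    if m:
        return ("drive_share", m.group(1).upper())
    if STARTVM_RE.search(cmd):
        return ("vm_start", cmd)
    return None


def correlate(events):
    """Emit one alert per host where a service stop, a drive-root share and a
    VM start all occur within WINDOW of each other."""
    by_host = {}
    for ev in events:
        tag = classify(ev)
        if tag:
            t = datetime.fromisoformat(ev["time"])
            by_host.setdefault(ev["host"], []).append((t, tag))
    alerts = []
    for host, tagged in by_host.items():
        tagged.sort(key=lambda x: x[0])
        for i, (t0, _) in enumerate(tagged):
            window = [tg for t, tg in tagged[i:] if t - t0 <= WINDOW]
            kinds = {k for k, _ in window}
            if {"service_stop", "drive_share", "vm_start"} <= kinds:
                alerts.append({
                    "host": host,
                    "first_seen": t0,
                    "stopped_services": sorted({v for k, v in window if k == "service_stop"}),
                    "shared_drives": sorted({v for k, v in window if k == "drive_share"}),
                })
                break  # one alert per host is enough for triage
    return alerts


# Constructed telemetry: FS01 shows the full chain, DEV02 is a developer
# running a test VM with a normal sub-directory share (should not alert).
SAMPLE_EVENTS = [
    {"host": "FS01", "time": "2020-05-01T02:10:00", "cmdline": "sc stop vss"},
    {"host": "FS01", "time": "2020-05-01T02:10:02", "cmdline": 'net stop "MSSQLSERVER"'},
    {"host": "FS01", "time": "2020-05-01T02:10:05", "cmdline": "taskkill /f /im veeam.backup.service.exe"},
    {"host": "FS01", "time": "2020-05-01T02:11:00",
     "cmdline": r'VBoxManage.exe sharedfolder add micro --name C_DRIVE --hostpath "C:\" --automount'},
    {"host": "FS01", "time": "2020-05-01T02:11:01",
     "cmdline": r'VBoxManage.exe sharedfolder add micro --name D_DRIVE --hostpath "D:\" --automount'},
    {"host": "FS01", "time": "2020-05-01T02:11:05", "cmdline": "VBoxHeadless.exe --startvm micro"},
    {"host": "DEV02", "time": "2020-05-01T09:00:00", "cmdline": "VBoxHeadless.exe --startvm ubuntu-test"},
    {"host": "DEV02", "time": "2020-05-01T09:00:01",
     "cmdline": r'VBoxManage.exe sharedfolder add ubuntu-test --name src --hostpath "C:\Users\dev\src"'},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The point of requiring all three stages is precision: a single `VBoxHeadless` start or a single `net stop` is routine on many hosts, but a backup or database service being stopped minutes before an entire drive root is handed to a guest is not. In production the same logic would key off signed-hypervisor processes writing to files they do not normally touch, since that is exactly what the shared-folder trick relies on.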
Arrests
Between October 16 and 20, 2023, Europol and Eurojust conducted a series of seizures and arrests in Czechia, Spain and Latvia in response to RagnarLocker's criminal activity.[10] On October 20, the alleged main suspect and developer was brought before examining magistrates of the Paris Judicial Court.[10]
The ransomware's infrastructure was also seized in the Netherlands, Germany and Sweden, and the associated data leak website on Tor was taken down in Sweden.[10]
References
1. "Ragnar Locker ransomware developer arrested in France". BleepingComputer.
2. "THREAT ANALYSIS REPORT: Ragnar Locker Ransomware Targeting the Energy Sector". cybereason.com.
3. Truță, Filip. "Portuguese Energy Company Hit with Ragnar Locker Ransomware; Attackers Demand $10 Million to Decrypt the Data". Hot for Security.
4. "4th Update Regarding Data Security Incident Due to Unauthorized Access: Investigation Results". www.capcom.co.jp (Press release).
5. "Malware attack: data security update" (PDF) (Press release). Campari Group.
6. Cluley, Graham. "Campari staggers to its feet following $15 million Ragnar Locker ransomware attack". Hot for Security.
7. "Europol: 'Key target' in Ragnar Locker ransomware operation arrested in Paris". therecord.media.
8. "The ransomware that attacks you from inside a virtual machine". Sophos. May 22, 2020.
9. "THREAT ANALYSIS REPORT: Ragnar Locker Ransomware Targeting the Energy Sector". cybereason.com.
10. "Ragnar Locker ransomware gang taken down by international police swoop". Europol (Press release).