Ragnor locks your files

Ragnar ransomware affects devices running Microsoft Windows operating systems. It was initially observed in November of 2019 as part of a series of attacks against compromised networks.The cyber criminals behind Ragnar claimed to have stolen 10 TB of data from Energias de Portugal (EDP), demanding a payment of $11 million.

Technical details

The ransomware doesn’t execute its payload on windows machines with the following languages: Azerbaijani, Belorussian, Georgian, Kyrgyz, Kazakh, Russian, Ukrainian, Moldavian, Turkmen, Uzbek and Tajik.

It collects GUID, OS (product) name, Logged in user name and machine name information from infected systems.

It is used to create event to avoid duplicate process of itself running in the same machine. It stops the following services in the machine,

  • Sophos (Sophos Antivirus)
  • Veeam (Veeam Backup)
  • Backup (Asus WebStorage)
  • Pulseway (Pulseway remote control)
  • Logme (Logme remote control software)
  • Logmein (Logmein remote control software)
  • ConnectWise (ConnectWise remote control software
  • Splashtop (Splashtop remote control software)

It also stops the services on which the above listed services are dependent on. After stopping the services the malware terminates the following processes,

The malware deletes the shadow copy using wmic (Windows Management Instrumentation Command) tool. Shadow Copy is a technology included in Microsoft Windows that can create backup copies or snapshots of computer files or volumes, even when they are in use.

It enumerates the files and directories in the logical drives of the machine.

It skips enumerating files in the directories with following names,

It also skips encrypting the files with following filenames and extensions,

It also skips the files with the string _RAGNAR_ at the end of it.

Ransomware decodes the base64 encoded PEM key, utilized to protect the crypto keys used in the encryption(locking) of files. With this key it encrypts 2 keys generated with system specific information.

It uses Salsa20 algorithm to encrypt(lock) the contents of the files.

The encrypted file contents are saved in files with extension .ragnar_<8 digit custom hash of system name>

It decrypts the ransom notes and show them by executing notepad.

Arctos Networks detects the malware as Ransomware/Ragnar.

If you find traces of this malware in your IT infrastructure, you can contact our technical response team to remove the threats for your network.