THREAT ANALYSIS REPORT: Ragnar Locker Ransomware Targeting the Energy Sector

The Cybereason Global Security Operations Center (GSOC) Team issues Threat Analysis Reports to inform readers about threats with significant impact. Each report investigates the threat and provides practical recommendations for protecting against it.

In this Threat Analysis Report, the Cybereason GSOC investigates the Ragnar Locker ransomware, whose operators recently claimed to have breached DESFA, a Greek pipeline company.

This report provides context on this recent breach as well as an overview of the Ragnar Locker ransomware, based on dynamic analysis and reverse engineering.

Key Findings

  • Breach of a Pipeline Company : Ragnar Locker claims DESFA, a strategic energy company, as one of its victims.
  • Security Evasion Capabilities : Ragnar Locker checks for, and stops, specific services on the host, especially security products (antivirus), virtualization software, backup solutions and IT remote management solutions.
  • Ransomware Actors Targeting the Energy Sector : DESFA is the second major pipeline company hit by ransomware, after Colonial Pipeline. Furthermore, four energy companies have recently been hit by ransomware, including three in Europe.
  • Active for Three Years : Ragnar Locker is both the name of the ransomware group and the name of the ransomware it uses. The group has been active since 2019, targets critical industries and uses a double extortion scheme.
  • Excluding the Commonwealth of Independent States : Ragnar Locker refuses to run on machines whose locale belongs to a country of the Commonwealth of Independent States (CIS), consistent with the group being located in the CIS.

The Cybereason Defense Platform can effectively detect and prevent Ragnar Locker ransomware:

Cybereason Defense Platform Detects and Blocks Ragnar Locker Ransomware

Introduction

The Cybereason GSOC is investigating the Ragnar Locker ransomware following the group's recent claim to have breached DESFA, a Greek pipeline company:

Ragnar Locker TOR page claiming they breached DESFA

This is not the first ransomware attack on a pipeline company: Colonial Pipeline was breached in May 2021, and that event still haunts industrial companies because of its impact on operations.

Additionally, DESFA is one of four energy providers hit by ransomware recently, three of which are in Europe.

Finally, Greece occupies a strategic position in European energy supply, since gas from other regions (Israel, for instance) transits through it on its way to Europe.

Ragnar Locker is ransomware that has been in use since at least December 2019 and is generally aimed at English-speaking users. It has been on the FBI's radar since the gang breached more than fifty organizations across ten critical infrastructure sectors.

Ragnar Locker is both the name of the ransomware group and the name of the ransomware binary. In this Threat Analysis Report, we detail the mechanisms driving Ragnar Locker through dynamic and static analysis of two samples.

Technical Analysis

The Ragnar Locker samples we analyzed stand out from other ransomware families by their small size (from 53 KB to 100 KB):

Ragnar Locker Execution Flow

In the following sections, we first analyze Ragnar Locker dynamically through the Cybereason Defense Platform. Next, we analyze Ragnar Locker more deeply, through static analysis.

Analysis with the Cybereason Defense Platform

In this section, we analyze the sample used in the attack through the Cybereason Defense Platform.

Ransomware Detonation

We start this analysis by detonating one sample in an isolated laboratory environment equipped with a Cybereason sensor:

Cybereason Defense Platform process tree view

Following execution, a MalOp is created with the Ransomware detection type:

MalOp created following the launch of Ragnar Locker

Looking further at the behaviors associated with this detonation, we observe three additional processes launched, in chronological order:

Chronologically ordered (most recent at the top) processes resulting from Ragnar Locker execution

Ragnar Locker spawns the following child processes:

  • wmic.exe shadowcopy delete: This system command deletes all shadow copies on the victim’s system, preventing data recovery by the victim
  • vssadmin delete shadows /all /quiet: This system command also deletes shadow copies, preventing data recovery by the victim
  • notepad.exe [User path]\RGNR_AABBCCDD.txt : This command launches Notepad.exe to show the ransom note to the victim

MITRE ATT&CK covers both shadow copy deletion commands under T1490: Inhibit System Recovery (see the mapping at the end of this report).

Looking at the “Ragnar Locker.exe” process, we observe 1081 file events related to the encrypted files and their new paths, for instance:

c:\users\localadmin\appdata\local\packages\microsoft.windows.cortana_cw5n1h2txyewy\localstate\devicesearchcache\appcache133057346751796032.txt.ragnar_aabbddcc

New path after rename event

“Ragnar Locker.exe” process properties, as seen in the Cybereason Defense Platform

Additional Sysmon telemetry set up on the machine shows modifications to strategic directories, caused by the creation of the ransom note:

Extract from Sysmon event logs

We did not observe any network connection following the ransomware execution, nor any registry value manipulation.
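The behaviors above (shadow copy deletion through two different binaries, a ransom note named RGNR_<hash>.txt opened in Notepad, and a burst of renames to .ragnar_<hash>) are the observables a detection engineer would key on. The following Python is an added example, not Cybereason code: it runs simple detection logic over constructed process and file events modeled on what an EDR or Sysmon (process creation, file create) would emit. The event field names and the sample telemetry are assumptions of this example.

```python
"""Detection logic for the Ragnar Locker behaviors observed in the detonation.

Added example, not Cybereason code. The Event records are constructed to mimic
EDR / Sysmon telemetry; the field layout is an assumption of this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Event:
    kind: str    # "process" (creation) or "file" (create/rename)
    image: str   # executable path of the acting process
    detail: str  # command line for process events, target path for file events


# Command lines that destroy Volume Shadow Copies (T1490), as seen in the process tree.
SHADOW_COPY_DELETE = (
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b.*/all", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
)
# Ransom note RGNR_<hash>.txt and the .ragnar_<hash> suffix appended to encrypted files.
RANSOM_NOTE = re.compile(r"\\RGNR_[0-9A-F]+\.txt", re.I)
ENCRYPTED_SUFFIX = re.compile(r"\.ragnar_[0-9a-f]+$", re.I)


def classify(event: Event) -> Optional[str]:
    """Return a detection label for one event, or None if nothing matched."""
    if event.kind == "process":
        if any(p.search(event.detail) for p in SHADOW_COPY_DELETE):
            return "T1490 shadow copy deletion"
        if event.image.lower().endswith("notepad.exe") and RANSOM_NOTE.search(event.detail):
            return "ransom note displayed"
    elif event.kind == "file":
        if ENCRYPTED_SUFFIX.search(event.detail):
            return "T1486 file renamed with .ragnar_ suffix"
        if RANSOM_NOTE.search(event.detail):
            return "ransom note written"
    return None


def hunt(events: Iterable[Event], rename_threshold: int = 50) -> Dict:
    """Summarise detections. Renames are counted rather than alerted on one by one,
    so a single odd file name does not page anyone; shadow copy deletion alone
    is enough to suspect ransomware."""
    summary: Dict = {"labels": [], "encrypted_files": 0}
    for ev in events:
        label = classify(ev)
        if label is None:
            continue
        if label.startswith("T1486"):
            summary["encrypted_files"] += 1
        elif label not in summary["labels"]:
            summary["labels"].append(label)
    summary["ransomware_suspected"] = (
        "T1490 shadow copy deletion" in summary["labels"]
        or summary["encrypted_files"] >= rename_threshold
    )
    return summary


# Constructed sample telemetry mirroring the detonation above (not real logs).
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\wbem\WMIC.exe", "wmic.exe shadowcopy delete"),
    Event("process", r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    Event("file", r"C:\Users\lab\Ragnar Locker.exe", r"C:\Users\Public\Documents\RGNR_AABBCCDD.txt"),
    Event("process", r"C:\Windows\System32\notepad.exe",
          r"notepad.exe C:\Users\Public\Documents\RGNR_AABBCCDD.txt"),
    Event("process", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
] + [
    Event("file", r"C:\Users\lab\Ragnar Locker.exe",
          r"C:\Users\lab\Documents\report" + str(i) + r".docx.ragnar_aabbccdd")
    for i in range(3)
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

The two shadow copy patterns are worth keeping separate in production rules: the vssadmin form and the wmic form run through different binaries, so a rule written against only one of them misses the other.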

Ransom Note

A few seconds after execution, as seen in the process tree, Ragnar Locker drops a ransom note that names the victim, saved as “RGNR_AABBCCDD.txt”, and opens it in Notepad:

Ransom note as seen by the victim

Ragnar Locker Sample Reverse Engineering 

In this section, we analyze the sample used in the attack through static analysis and advanced dynamic analysis, which lets us dig deeper into the binary’s goals and mechanisms.

Checking System Location

The first thing Ragnar Locker does is check whether the infected machine’s locale matches one of the following countries:

  • Azerbaijan
  • Armenia
  • Belarus
  • Kazakhstan
  • Kyrgyzstan
  • Moldova
  • Tajikistan
  • Russia
  • Turkmenistan
  • Uzbekistan
  • Ukraine
  • Georgia

If it does, Ragnar Locker terminates without encrypting anything. This list corresponds to the current and former member countries of the Commonwealth of Independent States (CIS):

Ragnar Locker checks the locale value through GetLocaleInfoW

Collecting Host Information 

Next, the ransomware extracts information about the infected machine. First, it collects the computer name and the user name using the API calls GetComputerNameW and GetUserNameW.

Then, the ransomware queries the registry to collect the machine GUID and Windows version:

Collecting info on the host

The collected values are concatenated and run through a custom hashing function, which conceals the data and yields a host-specific value that is reused later (for the event name, the ransom note name and the encrypted file suffix):

Ragnar Locker custom hashing algorithm

Ragnar Locker then creates a named event with the CreateEventW API call, using the combined hashes as the event name. Named kernel objects like this are a common single-instance guard, and because the name derives from host data it is also a host-specific indicator:

Creating event with combined hashes (static view)

When running the sample through a debugger, the combined hashes look as follows:

Creating event with combined hashes (dynamic view)

File Volumes Identification

Next, Ragnar Locker attempts to identify the existing file volumes on the host. It uses the Windows API CreateFileW to:

  • Get a handle to a physical drive
  • Query the drive using DeviceIoControl
  • Iterate through the volumes using FindFirstVolumeA and FindNextVolumeA

Iterating through machine volumes

Embedded RC4 Content

Ragnar Locker carries encrypted content embedded in the binary’s sections and decrypts it at runtime with the RC4 stream cipher:

Custom RC4 algorithm

The custom RC4 routine is executed several times; one of its outputs is a list of service names:

  • vss, sql, memtas, mepocs, sophos, veeam, backup, pulseway, logme, logmein, connectwise, splashtop, kaseya, vmcompute, Hyper-v, vmms, Dfs.

Decrypted RC4 service names

Then, Ragnar Locker iterates through the running services of the infected machine. If a running service matches one of the decrypted names, Ragnar Locker stops it. The list targets backup, database, security, virtualization and remote management software, which both hinders recovery and releases file locks held by those services:

Enumerating the machine’s services

Checking if the targeted service exists
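Both the string decryption and the service matching above can be reproduced offline, which is useful when triaging a new sample or building a service-hardening check. The following Python is an added example, not code from the sample or from Cybereason. It assumes the sample’s “custom” RC4 interoperates with standard RC4 (key scheduling followed by keystream generation) and that the decrypted blob is a NUL-separated string table; the key, the blob and the list of running services are constructed for the demonstration. Substring, case-insensitive matching of service names is also an assumption: entries such as “sql” or “backup” only make sense as partial names.

```python
"""RC4 recovery of Ragnar Locker's embedded strings, plus the service check.

Added example, not code from the sample or from Cybereason. Assumes standard
RC4 and a NUL-separated string table; key and blob below are constructed.
"""
from typing import Iterable, List


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key scheduling (KSA) then keystream generation (PRGA).
    The cipher is symmetric, so one routine both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                                  # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                     # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_string_table(key: bytes, blob: bytes) -> List[str]:
    """Decrypt an embedded blob and split it into NUL-terminated strings
    (the string-table layout is an assumption of this example)."""
    plain = rc4(key, blob)
    return [s.decode("ascii") for s in plain.split(b"\x00") if s]


# The service names recovered in the report, in the order listed above.
SERVICE_NAMES = ["vss", "sql", "memtas", "mepocs", "sophos", "veeam", "backup",
                 "pulseway", "logme", "logmein", "connectwise", "splashtop",
                 "kaseya", "vmcompute", "Hyper-v", "vmms", "Dfs"]

# Constructed: the blob a sample might carry, built by encrypting the table.
DEMO_KEY = b"demo-key-not-from-sample"
DEMO_BLOB = rc4(DEMO_KEY, b"\x00".join(n.encode() for n in SERVICE_NAMES) + b"\x00")


def targeted_services(running: Iterable[str], names: Iterable[str] = SERVICE_NAMES) -> List[str]:
    """Return the running services whose name contains one of the decrypted
    names. Substring, case-insensitive matching is an assumption."""
    lowered = [n.lower() for n in names]
    return [svc for svc in running if any(n in svc.lower() for n in lowered)]


if __name__ == "__main__":
    print(decrypt_string_table(DEMO_KEY, DEMO_BLOB))
    # Constructed list of running services, not from a real host.
    print(targeted_services(["MSSQLSERVER", "VeeamBackupSvc", "Spooler", "vmms", "Dnscache"]))
```

When pointing this at a real sample, the key is whatever the binary passes to its RC4 routine (visible in the debugger at the call shown in the screenshots); a mismatch between the “custom” routine and standard RC4 shows up immediately as non-printable output from decrypt_string_table.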

Ragnar Locker then decrypts an embedded RSA public key:

Decrypted RSA public key

After decrypting the public key, Ragnar Locker passes the key to another function that prepares the key for further use:

Preparing the key for encryption

Lastly, Ragnar Locker decrypts the ransom note’s content:

Decrypted ransom note through the RC4 routine

Deleting Shadow Copies

To delete the machine’s shadow copies, Ragnar Locker runs vssadmin.exe and wmic.exe with the following command lines:

  • Vssadmin delete shadows /all /quiet
  • Wmic.exe shadowcopy delete

Deleting shadow copies using wmic and vssadmin

Creating the Ransom Note

Ragnar Locker builds the ransom note file name as follows:

  • It gets the computer name using the API call GetComputerNameW
  • It hashes the computer name using the custom hashing algorithm mentioned above
  • It concatenates the strings “\\”, “RGNR_” and “.txt” with the hashed computer name
  • It prepends the path “C:\Users\Public\Documents”, resulting in “C:\Users\Public\Documents\RGNR_[hash].txt”

Preparing the txt file that holds the ransom note

Ragnar Locker then calls CreateFileW to create the file at this path and writes the decrypted ransom note into it.

After the note, Ragnar Locker appends a shorter block starting with “---RAGNAR SECRET---”. This block is produced with the CryptBinaryToStringA API call, which converts binary data into a printable string (typically Base64):

Creating the txt file that holds the ransom note

Ragnar secret example output

Encrypting the Files

After creating the ransom note, the actual file encryption begins. Ragnar Locker enumerates the drives (excluding DRIVE_CDROM) and their directories, and passes each file path to an encryption function.

The encryption function first checks whether the file name is on its exclusion list:

  • Autoruns.inf, boot.ini, bootfront.bin, bootsect.bak, bootmgr, bootmgr.efi, bootmgfw.efi, desktop.ini, iconcache.db, ntldr, ntuser.dat, ntuser.dat.log, ntuser.ini, thumbs.db

List of excluded files

In addition, files under the following directories are excluded:

  • Windows.old, Tor Browser, Internet Explorer, Google, Opera, Opera Software, Mozilla, Mozilla Firefox, $Recycle.bin, ProgramData, All Users

Files and processes to exclude

Lastly, Ragnar Locker excludes files with the following extensions:

  • .db, .sys, .dll, .lnk, .msi, .drv, .exe

File extensions to exclude

Once a file passes these checks, its name is passed to a function that encrypts the file with the Salsa20 algorithm. After each encryption, Ragnar Locker appends the suffix “.ragnar_[hashed computer name]” to the affected file:

Files manipulated by encryption
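The naming scheme described under “Creating the Ransom Note” and the three exclusion checks described in this section together determine what a victim finds on disk after an infection. The following Python is an added example, not the malware’s or Cybereason’s code: it applies those rules to a constructed list of paths instead of walking a disk, and computes the resulting ransom note path and encrypted file names. The custom hashing routine is not reproduced, so the hashed computer name is a placeholder (“AABBCCDD”), with the upper case of the note name and the lower case of the file suffix mirroring the names observed on this page rather than anything known about the hash. The CD-ROM drive letter is likewise constructed. Nothing is encrypted; the output only predicts which files would be touched, which is what you want for a decoy-file or backup-coverage check.

```python
"""Ragnar Locker file-selection rules and naming scheme, reproduced for analysis.

Added example, not the malware's or Cybereason's code. Hash value, CD-ROM
drive letter and sample paths are constructed; no file is modified.
"""
from pathlib import PureWindowsPath
from typing import Iterable, List, Tuple

# Exact file names that are never encrypted (compared case-insensitively).
EXCLUDED_FILES = {"autoruns.inf", "boot.ini", "bootfront.bin", "bootsect.bak", "bootmgr",
                  "bootmgr.efi", "bootmgfw.efi", "desktop.ini", "iconcache.db", "ntldr",
                  "ntuser.dat", "ntuser.dat.log", "ntuser.ini", "thumbs.db"}
# Directory names that, anywhere in the path, cause the file to be skipped.
EXCLUDED_DIRS = {"windows.old", "tor browser", "internet explorer", "google", "opera",
                 "opera software", "mozilla", "mozilla firefox", "$recycle.bin",
                 "programdata", "all users"}
# Extensions that are skipped (a common choice so the system still boots and
# can display the note).
EXCLUDED_EXTENSIONS = {".db", ".sys", ".dll", ".lnk", ".msi", ".drv", ".exe"}
# Constructed: drive letters the host would report as DRIVE_CDROM.
CDROM_DRIVES = {"D:"}
NOTE_DIR = r"C:\Users\Public\Documents"


def ransom_note_path(hashed_computer_name: str) -> str:
    """NOTE_DIR + "\\" + "RGNR_" + <hash> + ".txt", as the sample concatenates it."""
    return NOTE_DIR + "\\" + "RGNR_" + hashed_computer_name + ".txt"


def encrypted_name(path: str, hashed_computer_name: str) -> str:
    """Name of a file after encryption: the original name plus .ragnar_<hash>."""
    return path + ".ragnar_" + hashed_computer_name.lower()


def should_encrypt(path: str) -> bool:
    """Apply the drive, file-name, directory and extension exclusions in order."""
    p = PureWindowsPath(path)
    if p.drive.upper() in CDROM_DRIVES:
        return False
    if p.name.lower() in EXCLUDED_FILES:
        return False
    if any(part.lower() in EXCLUDED_DIRS for part in p.parts[1:-1]):
        return False
    if p.suffix.lower() in EXCLUDED_EXTENSIONS:
        return False
    return True


def plan(paths: Iterable[str], hashed_computer_name: str = "AABBCCDD") -> List[Tuple[str, str]]:
    """(original, renamed) pairs for every path that passes the checks."""
    return [(p, encrypted_name(p, hashed_computer_name)) for p in paths if should_encrypt(p)]


# Constructed sample paths; the Cortana cache path mirrors the rename observed above.
SAMPLE_PATHS = [
    r"C:\Users\lab\Documents\budget.xlsx",
    r"C:\Users\lab\Desktop\tool.exe",
    r"C:\Users\lab\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"C:\ProgramData\app\config.json",
    r"C:\Users\lab\ntuser.dat",
    r"D:\iso\setup.iso",
    r"C:\Users\lab\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy"
    r"\LocalState\DeviceSearchCache\AppCache133057346751796032.txt",
]

if __name__ == "__main__":
    print(ransom_note_path("AABBCCDD"))
    for src, dst in plan(SAMPLE_PATHS):
        print(src, "->", dst)
```

Note what the exclusions do not cover: user documents anywhere outside the listed browser and system folders are fair game, and the directory check only looks at folder names, not at file ownership or permissions, so anything the running user can write is at risk.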

Displaying the Ransom Note

Once the machine is encrypted, Ragnar Locker creates a notepad.exe process that displays the ransom note, with the ransom and payment information, on the user’s screen.

Ragnar Locker spawns this process as follows:

  • It gets a handle to the current process token
  • It duplicates the token
  • It sets elevated privileges on the duplicated token
  • It calls CreateProcessAsUserW with the duplicated token

Creating notepad process to display ransom note

Displayed ransom note

Detection and Prevention

Cybereason Defense Platform

The Cybereason Defense Platform is able to detect and prevent infections with Ragnar Locker ransomware, using multi-layer protection that detects and blocks malware with threat intelligence, machine learning, anti-ransomware and Next-Gen Antivirus (NGAV) capabilities:

The Cybereason Defense Platform creates a MalOp and labels it as Ransomware behavior

The Cybereason Defense Platform suspends Ragnar Locker when the Anti-Ransomware feature is set to “Suspend”, as seen in the Cybereason Defense Platform.

Cybereason GSOC MDR

The Cybereason GSOC recommends the following:

  • Enable Anti-Ransomware in your environment’s policies, set the Anti-Ransomware mode to Prevent, and enable Shadow Copy detection to ensure maximum protection against ransomware.
  • In the Cybereason Defense Platform, enable Application Control to block the execution of malicious files.
  • To hunt proactively, use the Investigation screen in the Cybereason Defense Platform and the queries in the Hunting Queries section to search for machines that are potentially infected with Ragnar Locker. Based on the search results, take further remediation actions, such as isolating the infected machines and deleting the payload file.

Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere. Schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

MITRE ATT&CK Mapping

Tactic | Technique or Sub-technique
TA0005: Defense Evasion | T1562.001: Impair Defenses: Disable or Modify Tools
TA0007: Discovery | T1033: System Owner/User Discovery
TA0007: Discovery | T1057: Process Discovery
TA0007: Discovery | T1082: System Information Discovery
TA0007: Discovery | T1614: System Location Discovery
TA0040: Impact | T1486: Data Encrypted for Impact
TA0040: Impact | T1489: Service Stop
TA0040: Impact | T1490: Inhibit System Recovery

IOCs

Indicator | Indicator type | Description
041fd213326dd5c10a16caf88ff076bb98c68c052284430fba5f601023d39a14 | SHA256 | Ragnar Locker Binary
04c9cc0d1577d5ee54a4e2d4dd12f17011d13703cdd0e6efd46718d14fd9aa87 | SHA256 | Ragnar Locker Binary
0766beb30c575fc68d1ca134bd53c086d2ce63b040e4d0bbd6d89d8c26ca04f6 | SHA256 | Ragnar Locker Binary
0aaa7a3596af6b1aae02b6e6ca878045360d467f96b0687363a9dce19ea60a36 | SHA256 | Ragnar Locker Binary
10f9ad4e9f6e0dc1793be80203b258f8c5114d01cb17307c1b2fdcca37d4edf9 | SHA256 | Ragnar Locker Binary
1318f8a4566a50537f579d24fd1aabcf7e22e89bc75ffd13b3088fc6e80e9a2a | SHA256 | Ragnar Locker Binary
1472f5f559f90988f886d515f6d6c52e5d30283141ee2f13f92f7e1f7e6b8e9e | SHA256 | Ragnar Locker Binary
1602d04000a8c7221ed0d97d79f3157303e209d4640d31b8566dd52c2b09d033 | SHA256 | Ragnar Locker Binary
30dcc7a8ae98e52ee5547379048ca1fc90925e09a2a81c055021ba225c1d064c | SHA256 | Ragnar Locker Binary
3b43751ed88e4d1f82cf52ca2d4477e3e35c35f08c1b4e3ab21c80720601e804 | SHA256 | Ragnar Locker Binary
3bc8ce79ee7043c9ad70698e3fc2013806244dc5112c8c8d465e96757b57b1e1 | SHA256 | Ragnar Locker Binary
5469182495d92a5718e0e1dcdf371e92b79724e427050154f318de693d341c89 | SHA256 | Ragnar Locker Binary
5fc6f4cfb0d11e99c439a13b6c247ec3202a9a343df63576ce9f31cffcdbaf76 | SHA256 | Ragnar Locker Binary
60233700ee64b9e5d054fa551688e8617328b194534a0fe645411685ce467128 | SHA256 | Ragnar Locker Binary
63096f288f49b25d50f4aea52dc1fc00871b3927fa2a81fa0b0d752b261a3059 | SHA256 | Ragnar Locker Binary
68eb2d2d7866775d6bf106a914281491d23769a9eda88fc078328150b8432bb3 | SHA256 | Ragnar Locker Binary
6fd4ec6611bf7e691be80483bcf860e827d513df45e20d78f29cf4638b6c20e8 | SHA256 | Ragnar Locker Binary
7af61ce420051640c50b0e73e718dd8c55dddfcb58917a3bead9d3ece2f3e929 | SHA256 | Ragnar Locker Binary
91128776769d4f78dd177695df610463a0b05e2174ba76d0489b976b99cae223 | SHA256 | Ragnar Locker Binary
9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151 | SHA256 | Ragnar Locker Binary
9706a97ffa43a0258571def8912dc2b8bf1ee207676052ad1b9c16ca9953fc2c | SHA256 | Ragnar Locker Binary
9b62cdb57f4c34924333dfa3baefd993efeab68109580b682b074f0e73b63983 | SHA256 | Ragnar Locker Binary
9bdd7f965d1c67396afb0a84c78b4d12118ff377db7efdca4a1340933120f376 | SHA256 | Ragnar Locker Binary
a8ee0fafbd7b84417c0fb31709b2d9c25b2b8a16381b36756ca94609e2a6fcf6 | SHA256 | Ragnar Locker Binary
ac16f3e23516cf6b22830c399b4aba9706d37adceb5eb8ea9960f71f1425df79 | SHA256 | Ragnar Locker Binary
afab912c41c920c867f1b2ada34114b22dcc9c5f3666edbfc4e9936c29a17a68 | SHA256 | Ragnar Locker Binary
b0d8f9aa9566245362d7e7443ab4add80ce90fbdf35a30df9a89e9dae5f22190 | SHA256 | Ragnar Locker Binary
b6663af099538a396775273d79cb6fff99a18e2de2a8a2a106de8212cc44f3e2 | SHA256 | Ragnar Locker Binary
b670441066ff868d06c682e5167b9dbc85b5323f3acfbbc044cabc0e5a594186 | SHA256 | Ragnar Locker Binary
b72beb391c75af52c6fb62561f26214b682f12d95660b128d9e21e18e3bff246 | SHA256 | Ragnar Locker Binary
c2bd70495630ed8279de0713a010e5e55f3da29323b59ef71401b12942ba52f6 | SHA256 | Ragnar Locker Binary
ce33096639fb5c51684e9e3a7c7c7161884ecad29e8d6ad602fd8be42076b8d4 | SHA256 | Ragnar Locker Binary
cf5ec678a2f836f859eb983eb633d529c25771b3b7505e74aa695b7ca00f9fa8 | SHA256 | Ragnar Locker Binary
dd5d4cf9422b6e4514d49a3ec542cffb682be8a24079010cda689afbb44ac0f4 | SHA256 | Ragnar Locker Binary
ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597 | SHA256 | Ragnar Locker Binary

 

About the Researchers

Eli Salem, Principal Security Analyst, Cybereason Global SOC

Eli is a lead threat hunter and malware reverse engineer at Cybereason. He has worked in the private sector of the cyber security industry since 2017. In his free time, he publishes articles about malware research and threat hunting. 

Loïc Castel, Principal Security Analyst, Cybereason Global SOC

Loïc is a Principal Security Analyst with the Cybereason Global SOC team. Loïc analyses and researches critical incidents and cybercriminals, in order to better detect compromises. In his career, Loïc worked as a security auditor in well-known organizations such as ANSSI (French National Agency for the Security of Information Systems) and as Lead Digital Forensics & Incident Response at Atos. Loïc loves digital forensics and incident response, but is also interested in offensive aspects such as vulnerability research.

About the Author

Cybereason Global SOC Team

The Cybereason Global SOC Team delivers 24/7 Managed Detection and Response services to customers on every continent. Led by cybersecurity experts with experience working for government, the military and multiple industry verticals, the Cybereason Global SOC Team continuously hunts for the most sophisticated and pervasive threats to support our mission to end cyberattacks on the endpoint, across the enterprise, and everywhere the battle moves.
