
Ragnar Locker Ransomware: The Complete Guide

Heloise Montini

Heloise Montini is a content writer whose background in journalism makes her an asset when researching and writing tech content. Her personal interests in creative writing and PC gaming also make her articles on data storage and data recovery accessible to a wide audience.

Laura Pompeu

With 10 years of experience in journalism, SEO and digital marketing, Laura Pompeu uses her skills and experience to manage (and sometimes write) content focused on technology and business strategies.

Bogdan Glushko

CEO at SalvageData Recovery, Bogdan Glushko has over 18 years of experience in high-security data recovery. Over the years, he has helped restore data after logical errors, physical failures, and even ransomware attacks, for individuals, businesses, and government agencies alike.



Ragnar Locker is a family of ransomware that has been active since at least December 2019. It is known for targeting large organizations and attempting to extort large amounts of cryptocurrency from its victims. Its key characteristics are the following.

The Ragnar Locker group is known to employ a double extortion tactic, where the ransom payment is not only for recovering affected files but also to prevent the release of the stolen information to the public.

While some ransomware operators impose voluntary rules against targeting government and military organizations, healthcare providers (hospitals), and critical infrastructure such as power plants and pipeline operators, the Ragnar Locker threat actor has no such aversion. Ragnar Locker ransomware has been used to attack a variety of organizations, including energy companies, airlines, and luxury fashion brands.

SalvageData experts recommend proactive data security measures, such as regular backups, strong cybersecurity practices, and keeping software up to date, to protect against ransomware attacks. And, in case of a ransomware attack, contact our ransomware recovery experts immediately.

What kind of malware is RagnarLocker?

Ragnar Locker is a type of ransomware that affects devices running Microsoft Windows operating systems. It is designed to encrypt data and demand a ransom payment from the victim to recover their files.

The Ragnar Locker group is known to employ a double extortion tactic, where the ransom payment is not only for recovering affected files but also to prevent releasing that stolen information to the public.

Ragnar Locker typically exploits exposed services like Remote Desktop Protocol (RDP) to gain access to the system. The attackers may also use weak passwords or stolen credentials to gain access to the system. The malware also uses advanced defense-evasion techniques to bypass anti-virus software.

Everything we know about Ragnar Locker Ransomware

Confirmed Name

  • Ragnar Locker virus

Threat Type

  • Ransomware
  • Crypto Virus
  • Files locker
  • Double extortion

Encrypted Files Extension

  • File extension varies on infected machines

Ransom Demanding Message

  • The ransom note file name depends on the extension

Detection Names

  • Avast Win32:RansomX-gen [Ransom]
  • Emsisoft Generic.Ransom.Ragnar.91E669A1 (B)
  • Kaspersky Trojan-Ransom.Win32.RagnarLocker.a
  • Sophos Troj/Lothlock-A
  • Microsoft Ransom:Win32/RagnarLocker.BM!MSR

Distribution methods

  • Malvertising
  • Online scams
  • Drive-by downloads

Consequences

  • Double extortion tactic: This is where the attacker first exfiltrates sensitive data, then triggers the encryption attack, threatening to leak the stolen data if the target refuses to pay the ransom
  • Encryption algorithm: Ragnar Locker uses the Salsa20 encryption algorithm with a custom matrix, which is filled in with generated keys placed in a rearranged order
  • Randomized file extensions: Ragnar Locker derives the file extension from the victim machine's computer name, so the extension is uniform on one host but differs from victim to victim

Is There a Free Decryptor Available?

No. There is no known public decryptor for Ragnar Locker ransomware available at this time.

What are Ragnar Locker ransomware’s IOCs?

Indicators of Compromise (IOCs) are artifacts observed on a network or in an operating system that indicate a computer intrusion with high confidence. IOCs can be used for early detection of future attack attempts using intrusion detection systems and antivirus software.

To determine if your computer system or network has been infected by Ragnar Locker ransomware, you can look for the following signs:

  • Encrypted files. Check if your files have been encrypted and are inaccessible. Ragnar Locker ransomware encrypts files and adds specific file extensions to them, making them unusable without the decryption key.
  • Ransom note. Look for a ransom note left by the attackers. Ragnar Locker typically leaves a note explaining the situation and providing instructions on how to pay the ransom.
  • Unusual system behavior. Pay attention to any unusual behavior of your computer, such as slow performance, frequent crashes, or unexpected pop-up messages.
  • Suspicious network activity. Ragnar Locker often exploits exposed services like Remote Desktop Protocol (RDP) to gain access to the system. Monitor your network for any suspicious activity related to RDP or other unusual network connections.

Ragnar Locker ransom note

The ransom note associated with Ragnar Locker ransomware typically appears on the victim’s screen after the encryption process. The note may include the name of the targeted organization and it states that all files have been encrypted and can only be decrypted using specific tools or keys.

This is an example of the Ragnar Locker ransom note:

HELLO * !
If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED by RAGNAR_LOCKER !
*****
!!!!! WARNING !!!!!
DO NOT Modify, rename, copy or move any files or you can DAMAGE them and decryption will be impossible.
DO NOT use any third party or public decryption software, it also may damage files.
DO NOT Shutdown or reset your system
-------
There is ONLY ONE possible way to get back your files - contact us and pay for our special decryption key !
For your GUARANTEE we will decrypt 2 of your files FOR FREE, as a proof of our capabilities
Don't waste your TIME, the link for contacting us will be deleted if there is no contact made in closest future and you will never restore your DATA.
HOWEVER if you will contact us within 2 day since get penetrated - you can get a very SPECIAL PRICE.
ATTENTION !
We had downloaded more than 10TB of data from your fileservers and if you don't contact us for payment, we will publish it or sell to interested parties.
Here is just a small part of your files that we have, for a proof (use Tor Browser for open the link) :
-
We gathered the most sensitive and confidential information about your transactions, billing, contracts, clients and partners.
And be assure that if you wouldn't pay, all files and documents would be publicated for everyones view and also we would notify all your clients and partners about this leakage with direct links.
So if you want to avoid such a harm for your reputation, better pay the amount that we asking for.
==========
! HERE IS THE SIMPLE MANUAL HOW TO GET CONTACT WITH US VIA LIVE CHAT !
!!!!!
a) Download and install TOR browser from this site : hxxps://torproject.org
b) For contact us via LIVE CHAT open our website : -
c) For visit our NEWS PORTAL with your data, open this website : -
d) If Tor is restricted in your area, use VPN
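Two of the signs described above, a single unfamiliar extension appearing on most recently written files and a note with the wording shown here, can be checked on a host programmatically. The script below is an added example, not SalvageData's code: it works on a constructed snapshot of a file tree (path and modification time) plus the text of a suspected note, and the extension allow-list and thresholds are assumptions.

```python
"""Host triage for the Ragnar Locker signs listed above (added example,
not SalvageData's code). Input is a constructed snapshot of a file tree."""
from collections import Counter
from pathlib import PurePosixPath

# Assumed allow-list: extensions that normally live on a document share.
COMMON_EXT = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".zip"}
# Phrases taken from the ransom note reproduced above.
NOTE_MARKERS = ("RAGNAR_LOCKER", "your network was PENETRATED",
                "special decryption key")

def dominant_new_extension(files, window_start, min_share=0.8, min_files=10):
    """Return (ext, count) when one unfamiliar extension covers at least
    min_share of files modified since window_start, else None. Ragnar Locker
    derives the extension from the computer name, so it is unknown in advance
    but uniform across one host."""
    recent = [PurePosixPath(p).suffix.lower()
              for p, mtime in files if mtime >= window_start]
    if len(recent) < min_files:
        return None
    ext, count = Counter(recent).most_common(1)[0]
    if ext and ext not in COMMON_EXT and count / len(recent) >= min_share:
        return ext, count
    return None

def looks_like_ragnar_note(text):
    """True when at least two of the note's distinctive phrases appear."""
    low = text.lower()
    return sum(m.lower() in low for m in NOTE_MARKERS) >= 2

def triage(files, note_text, window_start):
    """Collect findings for an incident-response checklist."""
    findings = []
    hit = dominant_new_extension(files, window_start)
    if hit:
        findings.append(f"{hit[1]} recently modified files share the "
                        f"unfamiliar extension {hit[0]}")
    if looks_like_ragnar_note(note_text):
        findings.append("ransom note wording matches Ragnar Locker")
    return findings

# Constructed sample: 12 documents renamed with one random-looking suffix
# after t=1000, two untouched files, and a fragment of the note above.
SAMPLE_FILES = [(f"/share/report{i}.docx.a1b2c3", 1000 + i) for i in range(12)]
SAMPLE_FILES += [("/share/old.pdf", 100), ("/share/logo.png", 120)]
SAMPLE_NOTE = ("HELLO ! If you reading this message, then your network was "
               "PENETRATED and all of your files and data has been ENCRYPTED "
               "by RAGNAR_LOCKER !")

if __name__ == "__main__":
    for line in triage(SAMPLE_FILES, SAMPLE_NOTE, window_start=900):
        print("FINDING:", line)
```

On a real host, build the file list with os.scandir() over the affected shares and set window_start to the earliest suspicious modification time.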

If you realize you’re a ransomware victim, contacting SalvageData ransomware removal experts provides you with a secure data recovery service and ransomware removal after an attack.

How does Ragnar Locker ransomware spread

Ragnar Locker ransomware relies on several weaknesses and techniques to infect systems, including:

  • Exposed services: Ragnar Locker typically exploits exposed services like Remote Desktop Protocol (RDP) to gain access to the system.
  • Weak passwords: The attackers may use brute force to guess weak passwords or use stolen credentials to gain access to the system.
  • Defense-evasion techniques: Ragnar Locker uses advanced defense-evasion techniques to bypass anti-virus software.
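The RDP and weak-password vectors above are the ones a defender can watch for directly in logon events. The following script is an added example, not SalvageData's code: it counts failed logons of the RDP-related types per source address in constructed Windows Security events, flags bursts, and notes a later successful logon from the same address; the thresholds and the logon-type mapping are assumptions stated in the comments.

```python
"""Spot password guessing against RDP in Windows Security events (added
example, not SalvageData's code). Events are constructed dicts carrying the
fields of exported 4625 (failed) and 4624 (successful) logon records."""
from collections import defaultdict

# Logon type 10 is RemoteInteractive (RDP); failures rejected at the NLA
# stage are commonly recorded as network logon type 3, so count both.
RDP_LOGON_TYPES = {"3", "10"}

def find_rdp_bruteforce(events, threshold=8, window=120):
    """Return {ip: {"failures": n, "success_after": user_or_None}} for every
    source IP with at least `threshold` failed RDP-type logons inside any
    `window` seconds. A 4624 from the same IP after the burst means a
    password was guessed and that account needs immediate attention."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e.get("logon_type") not in RDP_LOGON_TYPES:
            continue
        if e["event_id"] == 4625:
            failures[e["ip"]].append(e["time"])
        elif e["event_id"] == 4624:
            successes[e["ip"]].append((e["time"], e["user"]))
    alerts = {}
    for ip, times in failures.items():
        start = 0
        for end in range(len(times)):          # sliding time window
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                later = [u for t, u in successes[ip] if t >= times[end]]
                alerts[ip] = {"failures": len(times),
                              "success_after": later[0] if later else None}
                break
    return alerts

# Constructed sample: ten failures from one address in 90 seconds followed
# by a success, two stray failures from another, and a local console failure.
SAMPLE_EVENTS = [{"event_id": 4625, "logon_type": "3", "ip": "198.51.100.7",
                  "user": "administrator", "time": 10 * i} for i in range(10)]
SAMPLE_EVENTS += [
    {"event_id": 4624, "logon_type": "10", "ip": "198.51.100.7",
     "user": "administrator", "time": 100},
    {"event_id": 4625, "logon_type": "3", "ip": "203.0.113.5",
     "user": "jdoe", "time": 30},
    {"event_id": 4625, "logon_type": "3", "ip": "203.0.113.5",
     "user": "jdoe", "time": 45},
    {"event_id": 4625, "logon_type": "2", "ip": "127.0.0.1",
     "user": "jdoe", "time": 50},
]

if __name__ == "__main__":
    for ip, info in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {info['failures']} failures, "
              f"success afterwards as {info['success_after']}")
```

Real input would come from a SIEM or a Get-WinEvent export mapped onto the same field names.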

How does Ragnar Locker ransomware work?

Ragnar Locker ransomware uses advanced defense-evasion techniques to bypass anti-virus software.

Ragnar Locker ransomware works by following a specific process that allows it to encrypt files and demand a ransom payment from the victim to recover their files.

Here is an overview of how Ragnar Locker ransomware works:

Exploiting exposed services

Ragnar Locker typically exploits exposed services like Remote Desktop Protocol (RDP) to gain access to the system.

Gaining access to the system

Once the attackers gain access to the system, they attempt to gain greater privileges and move laterally throughout the network.

Stealing sensitive files

The attackers exfiltrate sensitive data from the targeted system.

Triggering the encryption attack

After stealing the sensitive files, the attackers initiate the encryption process, encrypting the victim’s files and rendering them inaccessible.

Displaying the ransom note

The attackers display a ransom note on the victim’s screen, explaining the situation and providing instructions on how to pay the ransom.

Threatening to leak the stolen data

In the double extortion tactic, the attackers threaten to release the stolen data to the public if the victim refuses to pay the ransom.

Do not pay the ransom! Victims of Ragnar Locker ransomware attacks are advised to report the incident to law enforcement and seek the assistance of a reputable cybersecurity professional.

How to handle a Ragnar Locker ransomware attack

Important: The first step after identifying Ragnar Locker IOCs is to turn to your Incident Response Plan (IRP). Ideally, you have an Incident Response Retainer (IRR) with a trusted team of professionals who can be contacted 24/7/365 and can take immediate action to prevent data loss, reduce or eliminate the ransom payment, and help you through any legal liabilities.

To the best of our knowledge with the information we have at the time this article is published, the first step that a team of ransomware recovery experts would take is to isolate the infected computer by disconnecting it from the internet and from any attached devices.


Simultaneously, this team will assist you in contacting your country's local authorities. For US residents and businesses, these are the local FBI field office and the Internet Crime Complaint Center (IC3). To report a ransomware attack you must gather all the information you can about it, including:

  • Screenshots of the ransom note
  • Communications with the ransomware actors (if you have them)
  • A sample of an encrypted file

However, if you don't have an IRP or IRR, you can still contact ransomware removal and recovery professionals. This is the best course of action and greatly increases the chances of successfully removing the ransomware, restoring the data, and preventing future attacks. We recommend that you leave every infected machine as it is and call an emergency ransomware recovery service.

Restarting or shutting down the system may compromise the recovery process. Capturing the RAM of a live system may help recover the encryption key, and a captured dropper file can be reverse-engineered, which may lead to decryption of the data or at least an understanding of how the malware operates.

What NOT to do to recover from a Ragnar Locker ransomware attack

You must not delete the ransomware, and you must keep all evidence of the attack. That is important for digital forensics, so that experts can trace the attack back to the hacker group and identify them. It is by using the data on your infected system that authorities can investigate the attack and find those responsible. A cyber attack investigation is no different from any other criminal investigation: it needs evidence to find the attackers.

1. Contacting your Incident Response Provider

A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively during a cyber incident.

An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. An incident response retainer’s specific nature and structure will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.

If you contact your IR service provider, they will care for everything else. However, if you decide to remove the ransomware and recover the files with your IT team, then you can follow the next steps.

2. Identify the ransomware infection

You can identify which ransomware infected your machine by the file extension (some ransomware families use their name as the file extension) or from the ransom note. With this information, you can look for a public decryptor.

You can also check the ransomware type by its IOCs. Indicators of Compromise (IOCs) are digital clues that cybersecurity professionals use to identify system compromises and malicious activities within a network or IT environment. They are essentially digital versions of evidence left at a crime scene, and potential IOCs include unusual network traffic, privileged user logins from foreign countries, strange DNS requests, system file changes, and more. When an IOC is detected, security teams evaluate possible threats or validate its authenticity. IOCs also provide evidence of what an attacker had access to if they did infiltrate the network.

3. Remove the ransomware and eliminate exploit kits

Before recovering your data, you must guarantee that your device is ransomware-free and that the attackers can’t make a new attack through exploit kits or other vulnerabilities. A ransomware removal service can delete the ransomware, create a forensics document for investigation, eliminate vulnerabilities, and recover your data.

Use anti-malware/anti-ransomware software to quarantine and remove the malicious software.

Important: By contacting ransomware removal services you can ensure that your machine and network have no trace of the Ragnar Locker ransomware. Also, these services can patch your system, preventing new ransomware attacks.

4. Use a backup to restore the data

Backups are the most efficient way to recover data. Make sure to keep daily or weekly backups, depending on your data usage.

5. Contact a ransomware recovery service

If you don’t have a backup or need help removing the ransomware and eliminating vulnerabilities, contact a data recovery service. Paying the ransom does not guarantee your data will be returned to you. The only guaranteed way you can restore every file is if you have a backup of it. If you don’t, ransomware data recovery services can help you decrypt and recover the files.

SalvageData experts can safely restore your files and prevent Ragnar Locker ransomware from attacking your network again.

Contact our experts 24/7 for emergency recovery service.

Prevent a ransomware attack

Preventing ransomware is the best solution for data security: it is easier and cheaper than recovering from an attack. Ragnar Locker ransomware can cost your business its future and even close its doors.

These are a few tips to ensure you can avoid ransomware attacks:

  • Install antivirus and anti-malware software.
  • Employ reliable cybersecurity solutions.
  • Utilize strong and secure passwords.
  • Keep software and operating systems up to date.
  • Implement firewalls for added protection.
  • Create a data recovery plan.
  • Regularly schedule backups to safeguard your data.
  • Exercise caution with email attachments and downloads from unknown or suspicious sources.
  • Verify the safety of ads before clicking on them.
  • Access websites only from trusted sources.