article featured image


Ragnar Locker is a type of ransomware that isolates files and makes them unusable until the user pays to get them back. The threat actor uses the “double extortion” tactic, in which the attacker first steals important data, then starts the encryption attack, and if the target doesn’t pay the ransom, the attacker will leak the stolen data.

RagnarLocker is identified by the extension “.RGNR_,” where is a hash of the computer’s NETBIOS name.

The actors, identifying themselves as “RAGNAR_LOCKER,” leave a .txt ransom note, with instructions on how to pay the ransom and decrypt the data.

RagnarLocker uses VMProtect, UPX, and custom packing algorithms and deploys within an attacker’s custom Windows XP virtual machine on a target’s site. Ragnar Locker uses Windows API GetLocaleInfoW to identify the location of the infected machine.

If the victim location is identified as “Azerbaijani,” “Armenian,” “Belorussian,” “Kazakh,” “Kyrgyz,” “Moldavian,” “Tajik,” “Russian,” “Turkmen,” “Uzbek,” “Ukrainian,” or “Georgian,” the process terminates.


What Happened?

At least 52 businesses from various critical infrastructure sectors in the United States have been infected by the Ragnar Locker ransomware group, according to the Federal Bureau of Investigation (FBI) in the United States.

According to a joint TLP:WHITE flash warning issued on Monday in conjunction with the Cybersecurity and Infrastructure Security Agency, the FBI stated that

The FBI first became aware of RagnarLocker in April 2020 and subsequently produced a FLASH to disseminate known indicators of compromise (IOCs) at that time. This FLASH provides updated and additional IOCs to supplement that report. As of January 2022, the FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including entities in the critical manufacturing, energy, financial services, government, and information technology sectors. RagnarLocker ransomware actors work as part of a ransomware family1, frequently changing obfuscation techniques to avoid detection and prevention.


As BleepingComputer reports, the flash warning issued by the FBI focuses on giving enterprises the indicators of compromise (IOCs) that they may utilize to identify and prevent Ragnar Locker ransomware attacks from taking place.

Information about assault infrastructure, Bitcoin addresses used to collect ransom demands, and email addresses used by the gang’s managers are all examples of indicators of compromise (IOCs) related to Ragnar Locker activities.

It was not until April 2020 that the FBI became aware of Ragnar Locker’s existence; nevertheless, Ragnar Locker ransomware payloads were initially identified in assaults a few months earlier, in late December 2019.

Enterprise endpoints that have been hacked by Ragnar Locker operators are terminated by operators of remote management software (e.g., ConnectWise, Kaseya).

A variety of information that might be used to identify the threat actors responsible for this ransomware gang includes copies of the ransom notes, ransom demands, harmful activity timelines, payload samples, and other relevant information.

The FBI also said that paying Ragnar Locker ransoms is not recommended since victims have no assurance that doing so would halt the leakage of stolen data or the launch of additional assaults.

Instead, ransom payments will further push the ransomware gang to target even more victims, as well as encourage other cybercrime organizations to join in and start their own ransomware assaults as a result of the payments.

The government agency, on the other hand, acknowledged the harm that ransomware assaults can do to organizations, which may compel CEOs to pay ransoms in order to safeguard shareholders, customers, or workers.

The FBI also revealed mitigation methods to help prevent similar assaults from occurring, and they strongly encouraged victims to report such instances to their local FBI field office as soon as they were discovered.

How Can Heimdal Help?

In the fight against ransomware, Heimdal™ Security is offering its customers an outstanding integrated cybersecurity suite including the Ransomware Encryption Protection module, that is universally compatible with any antivirus solution, and is 100% signature-free, ensuring superior detection and remediation of any type of ransomware, whether fileless or file-based (including the most recent ones like LockFile).

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.

Leave a Reply

Your email address will not be published. Required fields are marked *