Tuesday 7th September 2021

BLOG: Ragnar Locker New Tactic

Ragnar Locker operatives this week have cautioned victims against soliciting the help of recovery companies and have issued a notice on their darknet website that if victims contact law enforcement, there will be severe penalties and their sensitive data will be published. Alongside this, they warned against the hiring of “professional negotiators” as that is a sign of “hostile intent. Ragnar Locker did not determine how they would know if a target company has privately contacted any form of law enforcement agency or professional negotiation firm.


Ransomware gangs typically do not like when victims attract interest in their gang by contacting the police or any law enforcement groups. Their aim is of course to speak with the victim and the victim only to get their hands on the cash. Earlier this year we published a blog discussing whether organisations should pay ransoms instead of contacting local authorities, but if an organisation is targeted by Ragnar Locker or any ransomware gang who threatens to leak your data as a result of seeking help from law enforcement, does this change the overall consensus?


Ragnar Locker is quite a complex and sophisticated C++ based ransomware tool, its properties allow it to steal information and was created by an unnamed Russian-speaking threat actor. Ragnar Locker ransomware affects devices operating Microsoft Windows operating systems. It was first observed in December 2019, as part of a series of attacks against compromised networks and it has targeted large or high-value energy, telecommunications, entertainment, and government organisations worldwide.


Before starting the Ragnar Locker ransomware, attackers insert a component to collect sensitive data from infected machines and upload it to their servers. Ragnar Locker utilises one of the most popular “double extortion” tactics, the threat actors first exfiltrate sensitive data, then triggers the encryption attack, threatening to leak the compromised data if the target refuses to pay the ransom. As with most human-operated ransomware, Ragnar Locker is delivered as the final ‘part’ in a much lengthier cyber-attack sequence following a period of target profiling, network exploration, and finally data extraction. Ragnar Locker’s operatives habitually gain access to target networks via RDP brute-force and credential reuse attacks. If successful, they will attempt to gain administration-level access.


Ragnar Locker has targeted some big names since it began its cybercriminal campaign in early 2020. Renowned victims include corporate travel firm CWT, Italian liquor vendor Campari, Japanese game publisher Capcom and aerospace firm Dassault Falcon Jet. The group is estimated to have taken in at least tens of millions of dollars in ransom money in the past year and a half. Corporate travel firm CWT confirmed that it made a $4.5 million payment to get its systems unlocked and Campari potentially having paid as much as $15 million to the group. Capcom was asked for $11 million and refused to pay, subsequently suffering leaks of data that appeared to include passports scans of Japanese employees and digital signatures.

Get our latest cyber intelligence insights straight into your inbox

Fill out the short form below to subscribe to our newsletter so that you never miss out on our cyber intelligence insights and news.