RagnarLocker

Ragnar Locker is a ransomware group that was active from 2019 to 2023 and was dismantled by Europol. The analyzed sample is a PE32 GUI x86 binary in which the RAGNAR SECRET string is confirmed. It uses CryptAcquireContextW and CryptEncrypt for file encryption, GetDriveTypeW with FindFirstFileW/FindNextFileW for drive and file enumeration, and OpenProcessToken with DuplicateTokenEx for privilege escalation to SYSTEM. It targets corporate networks across 12+ countries.

Threat Profile
Type Ransomware
Programming Language C
C2 Protocol
First Seen 2020
Targets Windows
Purpose / Capabilities
  • Enterprise encryption including VMware ESXi
No C2 servers have been identified for this family yet.

Research Reports (3)

Critical

RagnarLocker Ransomware 041fd213 -- RAGNAR SECRET Confirmed CryptEncrypt File Encryption GetDriveTypeW Drive Enumeration OpenProcessToken DuplicateTokenEx Privilege Escalation | Critical

RagnarLocker 041fd213 PE32 GUI x86 818KB entropy 7.97. RAGNAR SECRET string confirmed. CryptEncrypt file encryption. GetDriveTypeW drive enumeration. OpenProcessToken DuplicateTokenEx privilege escalation.

High

RagnarLocker -- alfons Developer, javaw.exe Java Impersonation PDB 58KB Ultra Small | High

RagnarLocker 58KB. C:\Users\alfons\Desktop\javaw.exe PDB. APPDATA alfons developer fingerprint. CryptEncrypt.

Critical

RagnarLocker -- 817KB, .adobe PE Section Signature, CryptEncrypt CAPI | Critical

RagnarLocker 817KB. .adobe PE section signature. CryptEncrypt CAPI. Technique VMware ESXi.
