Ragnar Locker is a ransomware that has been in use since at least December 2019.
|Enterprise||T1059||.003||Command and Scripting Interpreter: Windows Command Shell||
Ragnar Locker has used cmd.exe and batch scripts to execute commands.
|Enterprise||T1543||.003||Create or Modify System Process: Windows Service||
Ragnar Locker has used sc.exe to create a new service for the VirtualBox driver.
|Enterprise||T1486||Data Encrypted for Impact||
Ragnar Locker encrypts files on the local machine and mapped drives prior to displaying a note demanding a ransom.
|Enterprise||T1564||.006||Hide Artifacts: Run Virtual Instance||
Ragnar Locker has used VirtualBox and a stripped Windows XP virtual machine to run itself. The use of a shared folder specified in the configuration enables Ragnar Locker to encrypt files on the host operating system, including files on any mapped drives.
|Enterprise||T1562||.001||Impair Defenses: Disable or Modify Tools||
Ragnar Locker has attempted to terminate/stop processes and services associated with endpoint security products.
|Enterprise||T1490||Inhibit System Recovery||
Ragnar Locker can delete volume shadow copies using
|Enterprise||T1120||Peripheral Device Discovery||
Ragnar Locker may attempt to connect to removable drives and mapped network drives.
Ragnar Locker has attempted to stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted.
|Enterprise||T1218||.007||System Binary Proxy Execution: Msiexec||
Ragnar Locker has been delivered as an unsigned MSI package that was executed with
|.010||System Binary Proxy Execution: Regsvr32||
Ragnar Locker has used regsvr32.exe to execute components of VirtualBox.
|.011||System Binary Proxy Execution: Rundll32||
Ragnar Locker has used rundll32.exe to execute components of VirtualBox.
|Enterprise||T1614||System Location Discovery||
Before executing malicious code, Ragnar Locker checks the Windows API
|Enterprise||T1569||.002||System Services: Service Execution||
Ragnar Locker has used sc.exe to execute a service that it creates.