RagnarLocker

RagnarLocker (sometimes written "Ragnar Locker") is a ransomware hacker group which uses virtual machine escape techniques to encrypt victim's system files. It first surfaced in December 2019.^[1]

RagnarLocker

Abbreviation	Ragnar Locker
Formation	December 2019
Type	Hacking
Purpose	Extortion

History

First appearing at the end of 2019, (likely originating from Eastern Europe considering that it does not attack computers in former USSR countries,)^[2] it carried out its first major attack on the Portuguese electric company Energias de Portugal,^[3] where it demanded a ransom of 10.9 million dollars and threatened to leak 10 terabytes of data.

During 2022, it also attacked video game company Capcom, and the beverage company Campari.^[4][5][6]

Function

Ragnar Locker operates by using an eponymously named malware called RagnarLocker.^[7] First, the dropper (usually delivered through a vulnerability in Remote Desktop Protocol) checks the operating system. If it's set to a language used in the former Soviet Union, it stops. Otherwise, it starts by sending a copy of system files to its central server and then downloads a package containing a version of VirtualBox configured to display the host computer and an image of Windows XP that contains the malware, which itself is only about 49 kB in size.^[8]

The dropper, after disabling security-related services or services that could keep logs active (like DBMS software), launches the virtual machine and the ransomware via a batch script. The ransomware begins encrypting files on the host computer without raising suspicion, since the commands appear to come from VirtualBox rather than the ransomware itself.^[8]

At the end of the process, a personalized ransom note is left behind on the victim's computer.^[9]

Arrests

Between the days of October 16 and 20, 2023, Europol and Eurojust conducted a series of seizures and arrests in Czechia, Spain and Latvia in response to RagnarLockers criminal activity.^[10] On October 20, an alleged main suspect and developer, had been brought in front of examining magistrates of the Paris Judicial Court.^[10]

The ransomware's infrastructure was also seized in the Netherlands, Germany and Sweden and the associated data leak website on Tor was taken down in Sweden.^[10]