
RagnarLocker

Criminal hacking organization From Wikipedia, the free encyclopedia


RagnarLocker (sometimes written "Ragnar Locker") is a ransomware hacker group that uses virtual machine escape techniques to encrypt victims' system files. It first surfaced in December 2019.[1]


History

First appearing at the end of 2019 (and likely originating from Eastern Europe, since it does not attack computers in former USSR countries),[2] it carried out its first major attack on the Portuguese electric company Energias de Portugal,[3] demanding a ransom of 10.9 million dollars and threatening to leak 10 terabytes of data.

During 2022, it also attacked the video game company Capcom and the beverage company Campari.[4][5][6]


Function

Ragnar Locker operates by using an eponymously named malware called RagnarLocker.[7] First, the dropper (usually delivered through a vulnerability in Remote Desktop Protocol) checks the operating system's language setting. If the system language is one used in the former Soviet Union, it stops. Otherwise, it begins by sending a copy of system files to its central server and then downloads a package containing a version of VirtualBox configured to make the host computer visible to the guest, together with a Windows XP image that contains the malware, which itself is only about 49 kB in size.[8]

After disabling security-related services and services that could keep logs active (such as DBMS software), the dropper launches the virtual machine and the ransomware via a batch script. The ransomware then encrypts files on the host computer without raising suspicion, because the file operations appear to come from VirtualBox rather than from the ransomware itself.[8]

At the end of the process, a personalized ransom note is left behind on the victim's computer.[9]
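The chain described above (security and logging services stopped, a batch script launching VirtualBox, and the VirtualBox process then writing to files on the host) gives defenders a pattern to correlate in endpoint telemetry. The following Python detector is an added example, not code from the article or from any vendor product; the telemetry records, field names, process names, service names and thresholds are constructed assumptions about what an endpoint agent might log.

```python
"""
Toy correlation rule for the VM-hosted encryption pattern:
  1. a burst of stops of security/logging/DBMS services, followed by
  2. a batch script (cmd.exe running a .bat) spawning a VirtualBox process, and
  3. that VirtualBox process writing many non-VM files on the host.
All names, fields and thresholds below are assumptions, not vendor schemas.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed service and process names (VBoxHeadless.exe / VirtualBox.exe are real
# VirtualBox binaries; the service list is an illustrative choice).
SENSITIVE_SERVICES = {"windefend", "mssqlserver", "eventlog", "sense"}
VBOX_IMAGES = {"vboxheadless.exe", "virtualbox.exe"}
WINDOW = timedelta(minutes=5)   # correlation window
MIN_SERVICE_STOPS = 2           # stops required before a VM launch is suspect
MIN_HOST_WRITES = 5             # host file writes from the VM process to alert


def ev(ts, type_, pid, image, **extra):
    """Build one constructed telemetry record."""
    return {"ts": ts, "type": type_, "pid": pid, "image": image, **extra}


# Constructed sample telemetry (not real logs): the described attack chain.
SAMPLE_EVENTS = [
    ev("2024-01-01T10:00:00", "service_stop", 100, "cmd.exe", target="MSSQLSERVER"),
    ev("2024-01-01T10:00:02", "service_stop", 100, "cmd.exe", target="WinDefend"),
    ev("2024-01-01T10:00:05", "process_create", 300, "VBoxHeadless.exe",
       parent_image="cmd.exe", parent_cmdline=r"cmd.exe /c C:\Temp\run.bat"),
] + [
    ev(f"2024-01-01T10:00:{20 + i}", "file_write", 300, "VBoxHeadless.exe",
       path=rf"C:\Users\alice\Documents\report{i}.xlsx")
    for i in range(5)
]

# Constructed benign telemetry: a user starts a VM from Explorer and the VM
# process only touches its own disk image; a dev VM is started from a .bat
# but with no preceding service-stop burst.
BENIGN_EVENTS = [
    ev("2024-01-01T11:00:00", "process_create", 400, "VirtualBox.exe",
       parent_image="explorer.exe", parent_cmdline="explorer.exe"),
    ev("2024-01-01T11:30:00", "process_create", 500, "VBoxHeadless.exe",
       parent_image="cmd.exe", parent_cmdline=r"cmd.exe /c C:\Scripts\dev-vm.bat"),
] + [
    ev(f"2024-01-01T11:00:{10 + i}", "file_write", 400, "VirtualBox.exe",
       path=r"C:\Users\alice\VirtualBox VMs\dev\dev.vdi")
    for i in range(8)
]


def _t(e):
    return datetime.fromisoformat(e["ts"])


def _is_vm_disk(path):
    """Writes to the VM's own disk/state files are expected, not suspicious."""
    p = path.lower()
    return p.endswith((".vdi", ".vmdk", ".vbox", ".sav")) or "virtualbox vms" in p


def detect(events):
    """Return one finding per VirtualBox process that matches all three stages."""
    stops = []                    # (time, service) for sensitive service stops
    suspects = {}                 # vm pid -> finding dict (stages 1 and 2 met)
    writes = defaultdict(list)    # vm pid -> times of host file writes
    findings = []
    for e in sorted(events, key=_t):
        t = _t(e)
        if e["type"] == "service_stop" and e["target"].lower() in SENSITIVE_SERVICES:
            stops.append((t, e["target"]))
        elif e["type"] == "process_create" and e["image"].lower() in VBOX_IMAGES:
            launched_by_bat = (e.get("parent_image", "").lower() == "cmd.exe"
                               and ".bat" in e.get("parent_cmdline", "").lower())
            recent = [s for ts, s in stops if t - ts <= WINDOW]
            if launched_by_bat and len(recent) >= MIN_SERVICE_STOPS:
                suspects[e["pid"]] = {"vm_pid": e["pid"], "script": e["parent_cmdline"],
                                      "services_stopped": recent,
                                      "host_files_written": 0, "reported": False}
        elif (e["type"] == "file_write" and e["pid"] in suspects
              and not _is_vm_disk(e["path"])):
            w = writes[e["pid"]]
            w.append(t)
            w[:] = [x for x in w if t - x <= WINDOW]   # keep only the window
            f = suspects[e["pid"]]
            f["host_files_written"] = len(w)
            if len(w) >= MIN_HOST_WRITES and not f["reported"]:
                f["reported"] = True
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"ALERT: VirtualBox pid {f['vm_pid']} launched by {f['script']!r} "
              f"after stopping {f['services_stopped']}, wrote "
              f"{f['host_files_written']} host files")
    print("benign findings:", detect(BENIGN_EVENTS))
```

The rule alerts only when all three stages line up inside the window, so an ordinary user starting a VM from Explorer, or a VM writing to its own .vdi file, does not fire; the thresholds are deliberately small for the toy data and would be tuned against real telemetry.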


Arrests

Between October 16 and 20, 2023, Europol and Eurojust conducted a series of seizures and arrests in Czechia, Spain and Latvia in response to RagnarLocker's criminal activity.[10] On October 20, an alleged main suspect and developer was brought before examining magistrates of the Paris Judicial Court.[10]

The ransomware's infrastructure was also seized in the Netherlands, Germany and Sweden and the associated data leak website on Tor was taken down in Sweden.[10]
