Security News

Ragnar Locker Ransomware

By

Overview:

SonicWall Capture Labs Threat Research Team recently found a new sample and activity for Ragnar Locker Ransomware.

Cyberattacks using Ragnar Ransomware have impacted Biological E Ltd, Capcom, and Campari Group.
A description of the corporations that were hit last week and this week are below:

  • Biological E limited is a privately held biopharmaceutical company based in Hyderabad, Telangana, India.
  • Capcom Co., Ltd. is a Japanese video game developer and publisher.
  • Campari, is an Italian company active since 1860 in the branded beverage industry. It produces spirits, wines, and soft drinks.

Ragnar injects a module capable of collecting sensitive data from infected machines and uploads the data it finds to their servers. The ransomware notifies the victim of the files that will be released to the public if the ransom is not paid.

Ransomware document:

Further down the document:

Ragnar Key is at the bottom of the document:

Static Layer, Information:

Overview of sample, checking for any corruption within the PE file format.

Command-Line overview of sample:

Dynamic Information:

Shellcode Buffer:

Shellcode Entry:

Some Shellcode Functionality:

Anti-Debugging Block:

Supported Systems:

  • Windows 10
  • Windows 8.1
  • Windows 8.0
  • Windows 7
  • Windows Vista

SonicWall, (GAV) Gateway Anti-Virus, provides protection against this threat:

  • GAV: RagnarLocker.RSM_2 (Trojan)

Appendix:

Sample SHA256 Hash: 0766beb30c575fc68d1ca134bd53c086d2ce63b040e4d0bbd6d89d8c26ca04f6

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
Recommended Cyber Security Stories
PDF campaign distributing Ursnif through malicious VBS
Apache Log4j StrSubstitutor Vulnerability
Upatre.SMJ a Malware Hides in encrypted PNG Image
New Locky Ransomware Uses JScript files to avoid detection in the wild (Jul 27,2016)
HTML Application (.HTA) files are being used to distribute Smoke Loader malware
Windows Malware Family FlawedAmmy Disassembled
TeslaCrypt ransomware joins the fee-for-file-recovery trend (May 22nd, 2015)
MS08-067 Server Service Buffer Overflow (Oct 23, 2008)