RagnarLocker is a ransomware family commonly associated in the provided content with the Viking Spider threat group. The content describes it as used in human-operated intrusions in which operators seek broad access and control inside a victim environment before encryption. Reported initial access methods include direct exploitation of systems, abuse of legitimate applications, and implantation of malware inside legitimate applications. Separate reporting in the content also states Mandiant observed evidence of UNC2447-affiliated actors previously using RAGNARLOCKER ransomware.
Behaviorally, RagnarLocker checks the victim system locale at startup using GetLocaleInfoW and terminates if the language matches an internal exclusion list dominated by CIS-region languages, including Belorussian, Azerbaijani, Ukrainian, Moldavian, Georgian, Armenian, Turkmen, Russian, Kyrgyz, Kazakh, Uzbek, and Tajik. It collects host and victim-identification data including the computer name, user data, the MachineGUID from the Microsoft Cryptography registry key, and the Windows ProductName from Windows NT\CurrentVersion. It identifies disks prior to encryption and enumerates services via OpenSCManagerA and EnumServiceStatusA, comparing service names against an internal list associated with backup, security, and remote-management tooling. Service names mentioned in the content include vss, sql, memtas, mepocs, sophos, veeam, backup, pulseway, logme, logmein, connectwise, splashtop, and kaseya.
The malware creates a ransom note in Public\Documents, obtains that path via SHGetSpecialFolderPathW, and stores or generates a victim identifier hash for communications. The content states RagnarLocker uses qTox for victim contact and that the ransom note demands payment, usually in cryptocurrency. During encryption, RagnarLocker skips selected folders, files, and extensions, and encrypted files contain inserted keys and a RAGNAR tag at the end. It also duplicates a token and uses interactive session logic to launch the ransom note in the default user session.
The content additionally references RagnarLocker in operational reporting: it is described as deployed by a group that heavily uses RDP and Cobalt Strike with stolen credentials, and it is cited in an attack against Israel's Mayanei Hayeshua hospital shortly before the October 2023 Israel-Hamas war.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Overview RagnarLocker is a Ransomware normally associated with the group Viking Spider... Finally, to execute the txt in the default session in which the RagnarLocker has worked...
Mandiant has observed evidence of UNC2447 affiliated actors previously using RAGNARLOCKER ransomware.
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Finally, to execute the txt in the default session in which the RagnarLocker has worked, it performs an Interactive window station in which we will see how it gets the session identifier, the process that is running the Ransomware, duplicate your token, get the session, and so on, to spawn the file in the session
Finally, to execute the txt in the default session in which the RagnarLocker has worked, it performs an Interactive window station in which we will see how it gets the session identifier, the process that is running the Ransomware, duplicate your token, get the session, and so on, to spawn the file in the session
After identifying disks to be encrypted, it is dedicated to enumerate services, in which, we can see that it uses the EnumServiceStatusA
as well as the MachineGUID of the computer using the Microsoft RegKey Crypthography or the ProductName using the RegKey Windows NT\Current Version
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware family listed among malicious activity associated with ISPsystem-derived hostnames.
Ransomware brand referenced as linked/associated to RansomHouse per reporting; no additional technical detail provided.
Ransomware used by an organized cybercrime group to conduct disruptive/extortionate attacks, including against healthcare targets.
Ransomware that performs locale-based execution checks to avoid certain countries, gathers host identifiers such as computer name, user data, MachineGUID, and ProductName, enumerates services to avoid or interfere with backup/security-related services, creates a ransom note, encrypts files while skipping selected folders/files/extensions, appends a RAGNAR tag, and launches the ransom note in the user session.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.