THREAT ANALYSIS REPORT: Ragnar Locker Ransomware Targeting the Energy Sector

Event ID: 1532
UUID: 8dbeaaac-a671-4a02-8dab-5eec2a1c935b
Creator org: CUDESO
Owner org: LUNCHBOX
Creator user: admin@admin.test
Protected Event (experimental): Event is in unprotected mode.
Tags: misp:tool="misp-scraper", osint:source-type="blog-post", misp:event-type="collection", workflow:state="complete", tlp:white
Date: 2022-09-12
Threat Level: Medium
Analysis: Completed
Distribution: All communities
Published: Yes 2022-09-21 19:38:18
#Attributes: 47 (1 Object)
First recorded change: 2022-09-12 12:14:46
Last change: 2022-09-12 14:08:17
Sightings: 0 (0) – restricted to own organisation only.

Related Events

abuse.ch | ThreatFox IOCs for 2021-12-08 | 2021-12-08 | 1

1532: Ragnar Locker Ransomware Targeting the Energy Sector

Galaxies

Sector 

  •  Energy   

Malpedia 

  •  RagnarLocker (Windows)   

Malware 

  •  Ragnar Locker – S0481   

Ransomware 

  •  Ragnar Locker   

Country 

  •  greece   

Attack Pattern 

  •  System Information Discovery – T1082   
  •  Process Discovery – T1057   
  •  System Owner/User Discovery – T1033   
  •  Disable or Modify Tools – T1562.001   
  •  Data Encrypted for Impact – T1486   
  •  Service Stop – T1489   
  •  Inhibit System Recovery – T1490   
  •  System Location Discovery – T1614   

Date | Category | Type | Value | Tags | Comment | Distribution | Sightings
2022-09-12 | Payload delivery | filename | ntuser.dat.log | - | - | Inherit | (0/0/0)
2022-09-12 | Payload delivery | filename | bootfront.bin | - | - | Inherit | (0/0/0)
2022-09-12 | Object name: file | Distribution: Inherit
2022-09-12 | Payload delivery | filename: filename | RGNR_AABBCCDD.txt | ransomware:element="ransomnote" | Replace with the hashed computer name | Inherit | (0/0/0)
2022-09-12 | Other | fullpath: text | %PUBLIC%\Documents\ | - | - | Inherit | (0/0/0)
2022-09-12 | Other | comment | vss, sql, memtas, mepocs, sophos, veeam, backup, pulseway, logme, logmein, connectwise, splashtop, kaseya, vmcompute, Hyper-v, vmms, Dfs | - | Stopped services | Inherit | (0/0/0)
2022-09-12 | Other | comment | Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Russia, Turkmenistan, Uzbekistan | - | Excluded countries | Inherit | (0/0/0)
2022-09-12 | Other | comment | wmic.exe shadowcopy delete: This system command deletes all shadow copies on the victim's system, preventing data recovery by the victim | - | Ragnar Locker spawns the following child process | Inherit | (0/0/0)
2022-09-12 | Other | comment | vssadmin delete shadows /all /quiet: This system command also deletes shadow copies, preventing data recovery by the victim | - | Ragnar Locker spawns the following child process | Inherit | (0/0/0)
2022-09-12 | Other | comment | notepad.exe [User path]\RGNR_AABBCCDD.txt: This command launches Notepad.exe to show the ransom note to the victim | - | Ragnar Locker spawns the following child process | Inherit | (0/0/0)
2022-09-12 | Artifacts dropped | regkey | %LOCALAPPDATA%\packages\microsoft.windows.cortana_cw5n1h2txyewy\localstate\devicesearchcache\appcache133057346751796032.txt.ragnar_aabbddcc | - | - | Inherit | (0/0/0)
2022-09-12 | External analysis | link | https://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector | - | Blog URL | Inherit | (0/0/0)
2022-09-12 | Other | comment | THREAT ANALYSIS REPORT: Ragnar Locker Ransomware Targeting the Energy Sector | - | Blog title | Inherit | (0/0/0)