Ragnar Locker ransomware encryption examined

SecurityWeek reports that Ragnar Locker ransomware had its encryption process examined by Cybereason researchers. Execution of Ragnar Locker prompts a location check, wherein it will terminate the process should the target be located in any country within the Commonwealth of Independent States. However, those not within the CIS will have system information collected and concealed with a custom hashing function. Numerous services within the ransomware strain are then decrypted prior to the decryption of an embedded RSA public key and ransom note. Ragnar Locker then begins encryption of files excluding autoruns.inf, boot.ini, bootfront.bin, bootsect.bak, and many others. Encrypted files are then given the '.ragnar_[hashed computer name]' suffix before the creation of a notepad.exe process that displays the ransom note, according to the report. "In general, ransomware operatives doing double extortion always require full privileges on the network they are looking to encrypt... Between the initial access phase (when they take control of an asset, for instance through spearphishing) and the encryption phase, they have access to many machines, which they can extract data from and send through exfiltration services / external domains," said Cybereason Global SOC Principal Security Analyst Loic Castel.