Ragnarlocker is a ransomware family first observed in the wild in December 2019. Part of what sets Ragnarlocker attacks apart from many other ransomware operations is the high level of reconnaissance and pre-planning customarily observed in a fully orchestrated attack. Ragnarlocker attacks have also specifically targeted remote management software used by managed service providers (MSPs), such as ConnectWise and Kaseya, to gain entry into networks. These attacks are also exclusively focused on Microsoft Windows machines and English language users outside of the Commonwealth of Independent States.
Generally speaking, Ragnarlocker is used as a final stage, deployed manually only after a network is compromised and confidential data of the target has been exfiltrated. Most documented attacks have been highly targeted and have included ransom notes that call victim organizations out by name. These notes also generally contain an email address, a bitcoin wallet address, and links to dark web blogs where victims receive a hardcoded link to a page featuring a countdown for their particular ransom, as well as archives of files obtained illegally from other company breaches to serve as an intimidating proof of concept.
Looking at an attack from May 2020, Ragnarlocker gained its initial foothold within a target network via exploits within remote management software used by managed service providers that many large companies use to outsource their IT infrastructure. However, some Ragnarlocker attacks are carried out using brute-forced Windows Remote Desktop Protocol (RDP) connections. Once attackers gained administrator-level domain access, they then were free to move laterally across the network using native Windows tools like Powershell and Windows Group Policy Objects (GPOs) to invade Windows clients and servers. With access to Windows clients and servers the attackers had the ability to run executables to deploy the next stage.
Once a suitable location has been found, an executable starts downloading the payload itself. Analyzed attacks have found this packed payload to generally consist of a large ~120 MB installer that contains an even larger ~280 MB virtual image that’s used to deploy a Windows XP VirtualBox virtual machine which in turn hides a diminutive 49 kb ransomware executable. Because VirtualBox allows files to be shared with the guest, the VM can access the local disk and any mapped network drives. All that to say, once the drives are mapped in the VM, the Ragnarlocker had free reign to encrypt any file on those devices while the virtual machine serves as a smokescreen, allowing the encryption process to take place within its confines, often avoiding detection from a host machine’s antivirus suite.