(McAfee) The RagnarLocker ransomware first appeared in the wild at the end of December 2019 as part of a campaign against compromised networks targeted by its operators.
The ransomware code is small (only 48kb after the protection in its custom packer is removed) and coded in a high programming language (C/C++). Like all ransomware, the goal of this malware is to encrypt all files that it can and request a ransom for decrypting them.
RagnarLocker�s operators, as we have seen with other bad actors recently, threaten to publish the information they get from compromised machines if ransoms are not paid.
After conducting reconnaissance, the ransomware operators enter the victim�s network and, in some pre-deployment stages, steal information before finally dropping the ransomware that will encrypt all files in the victim�s machines.
The most notable RagnarLocker attack to date saw this malware deployed in a large company where the malware operators then requested a ransom of close to $11 million USD in return for not leaking information stolen from the company. In this report we will talk about the sample used in this attack.