New Ransomware — Ragnar Locker — Evades Modern Antivirus Software


New Ransomware — Ragnar Locker — Evades Modern Antivirus Software


For those businesses operating in a Windows environment, a new malware threatens to encrypt and ransom sensitive information; all while going undetected by standard antivirus applications.

Discovered on May 21, 2020 by the UK cybersecurity firm known as Sophos, ‘Ragnar Locker’ was engineered to strictly target corporate offices and government agencies in hopes of shutting down entire operations.

“In the last few months, we’ve seen ransomware evolve in several ways,” said Sophos Director of Engineering and Threat Mitigation, Mark Loman. “The Ragnar Locker adversaries are taking ransomware to a new level and thinking outside of the box.”

What is Ragnar Locker & Ransomware?

This isn’t the first malware that’s attempted to hack into business networks in hopes of encrypting data for monetary gain. So how is Ragnar Locker different from what cybersecurity professionals have seen in the past? The differentiating factor lies in Ragnar Locker’s ability to infiltrate Windows devices managed by IT providers with improperly secured Windows Remote Desktop Protocols. By taking hold of this platform, the group behind the new malware is able to gain administrator-level access to entire networks. In turn, this allows them to move across the network, infecting Windows clients and servers through the use of on-board tools, like Powershell.

Like most ransomwares, once business operations screech to a halt, the group then demands a fee to decrypt data; with costs ranging from hundreds of thousands to millions of dollars. In turn, if an organization refuses to pay this money, Ragnar Locker developers threaten to release sensitive information to the public. And although Ragnar Locker is still relatively new to the cryptolocker scene, it’s already begun to make a name for itself. Most notably, Portuguese energy giant, Energia de Portugal was hit with a similar attack from the group behind Ragnar Locker back in late April 2020. And, as of the time of this article’s writing, the organization is still dealing with the lingering repercussions of this attack.

How to Detect Ragnar Locker

Many business owners and IT professionals may be curious to know if there are any tell-tale signs to look out for when it comes to Ragnar Locker attacks. Unfortunately, this method of malware is extremely stealthy; leaving very little evidence of its intrusion on the front-end of infected devices. In a test conducted by Sophos Labs, Ragnar Locker used Windows Group Policy Objects to launch a Microsoft Installer, pass parameters, and silently download malware from an off-site web server. Once installed, the virus then launched a Windows XP virtual machine to hide the malicious code from malware detection programs. Because the virtual machine is not designated as a threat by antivirus software, it was able to quickly replace both locally stored and shared files with encrypted versions. In a statement released by Sophos, this is the first time the organization has seen virtual machines used in such capacity during a successful ransomware attack. Aside from this comment, Sophos has not revealed the likelihood that this method of ransomware has been used for widespread attacks.

Keeping that in mind, businesses should understand that malware detection programs serve as only one layer of cybersecurity against ransomware threats. Using these platforms in tandem with other security measures, such as firewalls and end-point detection and response policies, mitigates the likelihood of a successful attack. For more information on these services, Rocket IT encourages you to speak with your IT department or contact our team at 770-441-2520.

Posted in , ,