Update 03.09.22: Ragnar Locker gang breaches 52 critical infrastructure organizations in the U.S.

Ragnar Locker ransomware has made international headlines lately due to targeted attacks against ADATA, a leading Taiwanese manufacturer of high-performance DRAM modules and NAND Flash products. The first variant of this family appeared in late 2019. Like many other well-known ransomware variants (such as DarkSide, Avaddon, and REvil), the current variant of Ragnar Locker uses a double-extortion technique to pressure victims into paying: data is both encrypted locally and exfiltrated before the ransom demand is made. If the victim refuses to pay, their data is published to a site on the dark web at hxxp//p6o7m73ujalhgkivonion/?BatxqaHm8rKxIP16Z1xB.

Upon visiting Ragnar Locker's dark web site, the group's latest victims can be seen under its self-dubbed "wall of shame". The group currently claims to have exfiltrated 1.5TB of data from ADATA, and according to the site this information was gathered carefully over a long period. The files listed in the image above under the phrase "The first batck (sic) of files is here" can still be downloaded, however, as they are not hosted on Mega.nz.

Ragnar Locker itself is quite small and low-key, only around 55KB in size. Upon execution, the malware performs a language check on the user's system. If one of the following former Soviet region languages is found, the malware immediately terminates its execution:

Ragnar Locker then checks for the following services. Any that are found are stopped:

Vss, sql, memtas, mepocs, sophos, veeam, backup, pulseway, logme, logmein, connectwise, splashtop, mysql, Dfs, vmms, vmcompute, Hyper-V

The malware also checks for the following processes. Any that are running are terminated:

Sql, mysql, veeam, oracle, ocssd, dbsnmp, synctime, agntsvc, isqlpussvc, xfssvccon, mydesktopservice, ocautoupds, encsvc, firefox, tbirdconfig, mydesktopqos, ocomm, dbeng50, sqbcoreservice, excel, infopath, msaccess, mspub, onenote, outlook, powerpnt, steam, thebat, thunderbird, visio, winword, wordpad, EduLink2SIMS, bengine, benetns, beserver, pvlsvr, beremote, VxLockdownServer, postgres, fdhost, WSSADMIN, wsstracing, OWSTIMER, dfssvc.exe, swc_service.exe, sophos, SAVAdminService, SavService.exe, Hyper-V

Ragnar Locker then deletes shadow copies and backups stored on the victim's computer, to ensure the user can't easily restore their encrypted files (unless they are a member of the Time Variance Authority):

The following YARA rule was authored by the BlackBerry Threat Research Team to catch the threat described in this document:

description = "Detects W32 Ragnar Locker ransomware"
author = "Blackberry Threat Research Team"

If you're battling Ragnar Locker ransomware or a similar threat, you've come to the right place, regardless of your existing BlackBerry relationship.
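The service-stop, process-kill and shadow-copy deletion sequence described above runs before any file is encrypted, which makes it a useful detection opportunity. The Python below is an added example written for this page, not BlackBerry's code and not anything recovered from the Ragnar Locker sample: it takes constructed telemetry records (service stops, process terminations, process creations with command lines) and flags a host only when all three stages appear. The service and process names are the ones listed above; the case-insensitive substring match (so that `MSSQLSERVER` hits `sql` and `VeeamBackupSvc` hits `veeam`) and the `vssadmin`/`wmic`/`wbadmin` command patterns are assumptions, since the page does not quote the malware's matching logic or the deletion commands it uses.

```python
"""Detection sketch for Ragnar Locker's pre-encryption behaviour.

Added example for this page, not BlackBerry's or the malware's code.  Target
names are taken from the lists on the page; the matching rule, the deletion
command patterns and the sample telemetry are assumptions (see comments).
"""
import re

# Services the page says are stopped if present.
SERVICE_TARGETS = [s.strip() for s in """
vss, sql, memtas, mepocs, sophos, veeam, backup, pulseway, logme, logmein,
connectwise, splashtop, mysql, dfs, vmms, vmcompute, hyper-v
""".lower().split(",") if s.strip()]

# Processes the page says are terminated if running.
PROCESS_TARGETS = [p.strip() for p in """
sql, mysql, veeam, oracle, ocssd, dbsnmp, synctime, agntsvc, isqlpussvc, xfssvccon,
mydesktopservice, ocautoupds, encsvc, firefox, tbirdconfig, mydesktopqos, ocomm,
dbeng50, sqbcoreservice, excel, infopath, msaccess, mspub, onenote, outlook,
powerpnt, steam, thebat, thunderbird, visio, winword, wordpad, edulink2sims,
bengine, benetns, beserver, pvlsvr, beremote, vxlockdownserver, postgres, fdhost,
wssadmin, wsstracing, owstimer, dfssvc.exe, swc_service.exe, sophos,
savadminservice, savservice.exe, hyper-v
""".lower().split(",") if p.strip()]

# ASSUMPTION: the page says shadow copies and backups are deleted but does not
# quote the command; these are the usual living-off-the-land ways to do it.
BACKUP_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", re.I),
]


def _norm(name):
    """Lower-case and drop a trailing '.exe' so image and service names compare alike."""
    name = name.strip().lower()
    return name[:-4] if name.endswith(".exe") else name


def match_target(name, targets):
    """Return the first target contained in name, or None.

    ASSUMPTION: case-insensitive substring match, so 'MSSQLSERVER' hits 'sql'
    and 'VeeamBackupSvc' hits 'veeam'.  Short targets such as 'sql' will also
    hit unrelated names; verdict() tolerates that by requiring all three
    stages before alerting.
    """
    n = _norm(name)
    for t in targets:
        if _norm(t) in n:
            return t
    return None


# Constructed sample telemetry (not real logs): (record kind, detail).
SAMPLE_EVENTS = [
    ("service_stop", "MSSQLSERVER"),
    ("service_stop", "VeeamBackupSvc"),
    ("service_stop", "Spooler"),                         # not a target
    ("process_kill", "OUTLOOK.EXE"),
    ("process_kill", "sqlservr.exe"),
    ("process_kill", "notepad.exe"),                     # not a target
    ("process_create", "vssadmin.exe delete shadows /all /quiet"),
    ("process_create", "wbadmin delete catalog -quiet"),
    ("process_create", "cmd.exe /c dir"),                # benign
]


def analyse(events):
    """Bucket records into the three pre-encryption stages described on the page."""
    hits = {"services_stopped": [], "processes_killed": [], "backups_deleted": []}
    for kind, detail in events:
        if kind == "service_stop" and match_target(detail, SERVICE_TARGETS):
            hits["services_stopped"].append(detail)
        elif kind == "process_kill" and match_target(detail, PROCESS_TARGETS):
            hits["processes_killed"].append(detail)
        elif kind == "process_create" and any(p.search(detail) for p in BACKUP_DELETE_PATTERNS):
            hits["backups_deleted"].append(detail)
    return hits


def verdict(hits):
    """Alert only when all three stages are seen on one host: any single stage
    is routine admin activity (stopping SQL for patching, pruning old shadow copies)."""
    stages = sum(1 for v in hits.values() if v)
    if stages == 3:
        return "ALERT"
    return "SUSPICIOUS" if stages else "CLEAN"


if __name__ == "__main__":
    h = analyse(SAMPLE_EVENTS)
    for stage, items in h.items():
        print(f"{stage}: {items}")
    print(verdict(h))
```

Requiring all three stages within one host's telemetry is the design choice that keeps this usable: the service and process names above are short enough that substring matching alone would fire on ordinary maintenance, and a lone `vssadmin delete shadows` is something backup administrators run. The shadow-copy deletion is also the last reversible moment before encryption, so an alert at that point, correlated with the earlier stops and kills, is still actionable.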