The RagnarLocker ransomware first appeared in the wild at the end of December 2019 as part of a campaign against compromised networks targeted by its operators.

The ransomware code is small (only 48kb after the protection in its custom packer is removed) and coded in a high-level programming language (C/C++). Like all ransomware, the goal of this malware is to encrypt all files that it can and request a ransom for decrypting them.

RagnarLocker's operators, as we have seen with other bad actors recently, threaten to publish the information they get from compromised machines if ransoms are not paid.

After conducting reconnaissance, the ransomware operators enter the victim's network and, in some pre-deployment stages, steal information before finally dropping the ransomware that will encrypt all files on the victim's machines.

The most notable RagnarLocker attack to date saw this malware deployed in a large company where the malware operators then requested a ransom of close to $11 million USD in return for not leaking information stolen from the company. In this report we will talk about the sample used in this attack.

At the time of writing there are no free decryptors for RagnarLocker. However, certain McAfee products, including personal antivirus, endpoint, and gateway, can protect our customers against the threats that we talk about in this report.

The unpacked malware is a 32-bit binary that can be found as an EXE file.

As can be seen in the previous screenshot, this sample was compiled on the 6th of April 2020. The attack mentioned earlier took place some days later, but this sample was prepared for the victim, as we will explain later.

Name:
Size: 48,460 bytes unpacked (can change between samples); the packed size can vary
SHA-256: 7af61ce420051640c50b0e73e718dd8c55dddfcb58917a3bead9d3ece2f3e929

As we often see with ransomware, RagnarLocker starts by preparing some strings of languages for the CIS countries that are embedded within its own code (in Unicode).

FIGURE 2. THE LANGUAGE STRINGS EMBEDDED INTO THE CODE IN THE STACK

The languages that are hardcoded are: Georgian

After preparing these strings, the malware uses the function "GetLocaleInfoW" to get the LOCALE_SYSTEM_DEFAULT language as a string.

FIGURE 3. CHECK OF THE LANGUAGE AGAINST THE BLACKLIST

Once obtained, it compares the system language against the blacklisted languages and, if any of them match, it terminates itself with the function "TerminateProcess" and an error result code of 0x29A (as we have seen before with many different malware samples).

The check is made against LOCALE_SYSTEM_DEFAULT, rather than the current user's locale, to prevent a user from installing a language they would not otherwise use as a means of avoiding infection.
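The language check described above leaves two static artefacts in an unpacked sample (UTF-16LE language names and the GetLocaleInfoW / TerminateProcess import names) and one dynamic artefact (an almost immediate exit with code 0x29A on a machine whose system locale is on the list). The following Python script is an added triage example written for this report's readers; it is not McAfee's tooling and not code from the sample. It extracts wide and narrow strings from a binary blob, matches them against a watchlist, and flags a sandbox run that exits quickly with 0x29A. The watchlist of CIS-country language names, the `build_constructed_sample` stand-in binary, and the 5-second runtime threshold are assumptions of the example; the report itself only names Georgian explicitly.

```python
import re
from typing import Dict, List

# Language names commonly used in CIS-country locale checks. This watchlist is
# an analyst's assumption for the example; the report only names Georgian.
LANGUAGE_WATCHLIST = {
    "Russian", "Ukrainian", "Belarusian", "Kazakh", "Kyrgyz", "Uzbek",
    "Tajik", "Turkmen", "Armenian", "Azerbaijani", "Moldavian", "Georgian",
}

# API names involved in the check described in the report.
LOCALE_APIS = {"GetLocaleInfoW", "TerminateProcess"}

# Exit code the report observes when the sample bails out (0x29A == 666).
LOCALE_BAILOUT_EXIT_CODE = 0x29A


def find_utf16le_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Extract runs of printable ASCII stored as UTF-16LE (how the language
    names are embedded, per Figure 2)."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def find_ascii_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Extract plain ASCII runs, which is how import names appear in a PE."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def language_check_indicators(data: bytes) -> Dict[str, object]:
    """Static heuristic: several watchlisted language names stored as wide
    strings, together with the GetLocaleInfoW import, is consistent with the
    locale bail-out check described in the report."""
    wide = set(find_utf16le_strings(data))
    narrow = set(find_ascii_strings(data))
    languages = sorted(LANGUAGE_WATCHLIST & wide)
    apis = sorted(LOCALE_APIS & narrow)
    suspicious = len(languages) >= 2 and "GetLocaleInfoW" in apis
    return {"languages": languages, "apis": apis, "suspicious": suspicious}


def looks_like_locale_bailout(exit_code: int, runtime_seconds: float) -> bool:
    """Dynamic triage hint for a sandbox run: an immediate exit with 0x29A.
    The 5-second threshold is an assumed triage value, not from the report."""
    return exit_code == LOCALE_BAILOUT_EXIT_CODE and runtime_seconds < 5.0


def build_constructed_sample() -> bytes:
    """Constructed stand-in for an unpacked binary (NOT a real sample): filler
    bytes around UTF-16LE language names and ASCII import names."""
    filler = bytes(range(256)) * 4
    wide = b"".join(
        name.encode("utf-16-le") + b"\x00\x00"
        for name in ("Russian", "Georgian", "Kazakh")
    )
    narrow = b"\x00".join(
        api.encode("ascii")
        for api in ("GetLocaleInfoW", "TerminateProcess", "ExitProcess")
    )
    # Null padding keeps the import names from merging with printable filler.
    return filler + wide + b"\x00" * 8 + narrow + b"\x00" + filler


if __name__ == "__main__":
    report = language_check_indicators(build_constructed_sample())
    print("languages:", report["languages"])
    print("apis:", report["apis"])
    print("suspicious:", report["suspicious"])
    print("bail-out exit:", looks_like_locale_bailout(0x29A, 0.4))
```

The static and dynamic checks complement each other: the string heuristic works on an unpacked file and will miss a still-packed sample, while the exit-code heuristic only fires when the sandbox's system locale (not merely the user's display language) is one the sample refuses to run on, which is exactly the distinction the LOCALE_SYSTEM_DEFAULT check makes.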