RagnarLocker
_Overview
RagnarLocker is a ransomware family normally associated with the group Viking Spider. Their initial access varies: as is usual, they attack exposed systems directly and try to exploit them, abuse legitimate applications, or implant malware inside those applications. Once inside, the most common pattern is to gain as much access and control as possible within the attacked company in order to encrypt as many computers as possible.
_Technical Analysis
In the first steps we find a function common to many ransomware families that tries to determine the country in which the malware is running; certain groups pick their targets by country and deliberately avoid others. As we can see, it obtains the system language with GetLocaleInfoW and compares the result against an internal exclusion list. If the value returned matches any entry in the list, execution ends.
List of excluded languages:
Belorussian
Azerbaijani
Ukrainian
Moldavian
Georgian
Armenian
Turkmen
Russian
Kyrgyz
Kazakh
Uzbek
Tajik
Later, it obtains the computer name and user data, as well as the MachineGUID of the computer from the registry key Microsoft\Cryptography and the ProductName from Windows NT\CurrentVersion, something ransomware usually does to collect information that can later be used to identify each machine.
After identifying the disks to be encrypted, it enumerates services with EnumServicesStatusA, querying the service control manager database previously opened with OpenSCManagerA, and compares each service against an internal list. For any service whose name matches an entry in the list, it closes the handle using CloseServiceHandle.
Service exclusion list:
vss
sql
memtas
mepocs
sophos
veeam
backup
pulseway
logme
logmein
connectwise
splashtop
kaseya
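The two gates described above (the language exclusion and the service-name comparison) can be emulated on triage data to answer "would this sample run here, and which services would it hit?". The following is an added example written for this article; it is not code from the sample. It assumes, which the analysis does not state, that the language check compares the English language name GetLocaleInfoW returns for LOCALE_SENGLANGUAGE, and that the service comparison is a case-insensitive substring match over the service name and display name that EnumServicesStatusA returns. The `sc query` output it parses is constructed, not captured from a real host.

```python
"""Added example: emulating RagnarLocker's language and service gates on
constructed host data. Illustrative code for this article, not the sample's.
Assumptions (see lead-in): LOCALE_SENGLANGUAGE-style names, case-insensitive
substring matching on service name and display name."""
from typing import Dict, List, Tuple

# Exclusion list from the analysis above (lower-cased for comparison).
EXCLUDED_LANGUAGES = {
    "belorussian", "azerbaijani", "ukrainian", "moldavian", "georgian",
    "armenian", "turkmen", "russian", "kyrgyz", "kazakh", "uzbek", "tajik",
}

# Service exclusion list from the analysis above, in the order it appears.
SERVICE_KEYWORDS = [
    "vss", "sql", "memtas", "mepocs", "sophos", "veeam", "backup",
    "pulseway", "logme", "logmein", "connectwise", "splashtop", "kaseya",
]

# Constructed sample of `sc query type= service state= all` output (not a real host).
SC_QUERY_OUTPUT = """\
SERVICE_NAME: VSS
DISPLAY_NAME: Volume Shadow Copy
        STATE              : 4  RUNNING

SERVICE_NAME: MSSQLSERVER
DISPLAY_NAME: SQL Server (MSSQLSERVER)
        STATE              : 4  RUNNING

SERVICE_NAME: wuauserv
DISPLAY_NAME: Windows Update
        STATE              : 1  STOPPED

SERVICE_NAME: LogMeIn
DISPLAY_NAME: LogMeIn
        STATE              : 4  RUNNING

SERVICE_NAME: SophosHealth
DISPLAY_NAME: Sophos Health Service
        STATE              : 4  RUNNING

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        STATE              : 4  RUNNING
"""


def aborts_on_language(english_language_name: str) -> bool:
    """True if the language name is on the exclusion list, i.e. the sample would exit."""
    return english_language_name.strip().lower() in EXCLUDED_LANGUAGES


def parse_sc_query(text: str) -> List[Tuple[str, str]]:
    """Turn `sc query` text into (service_name, display_name) pairs."""
    services: List[Tuple[str, str]] = []
    name = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("SERVICE_NAME:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("DISPLAY_NAME:") and name is not None:
            services.append((name, line.split(":", 1)[1].strip()))
            name = None
    return services


def matched_services(services: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each service that would be acted on to the keywords that hit it.

    Substring matching is deliberately loose: 'sql' catches MSSQLSERVER and
    SQLWriter alike, and 'logmein' can never fire without 'logme' firing too.
    """
    hits: Dict[str, List[str]] = {}
    for name, display in services:
        haystack = (name + " " + display).lower()
        keywords = [k for k in SERVICE_KEYWORDS if k in haystack]
        if keywords:
            hits[name] = keywords
    return hits


if __name__ == "__main__":
    print("aborts on Russian:", aborts_on_language("Russian"))
    print("aborts on English:", aborts_on_language("English"))
    for svc, kws in matched_services(parse_sc_query(SC_QUERY_OUTPUT)).items():
        print(f"{svc:15} <- {', '.join(kws)}")
```

Run it as-is to see the constructed host, or paste real `sc query` output into SC_QUERY_OUTPUT. The overlap between "logme" and "logmein" and the breadth of "sql" and "backup" show why such lists are matched by substring: the operators trade false positives for coverage of backup and remote-management tooling.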
After that, it creates the usual ransom note, which demands payment (usually in cryptocurrency) to recover the encrypted files. As we can see, it first builds the name of the txt from memory and creates the file in \Public\Documents, a directory it resolves from its CSIDL identifier with SHGetSpecialFolderPathW. Once created, it retrieves from memory both the predefined note text and the hash it generates as our victim identifier, which is to be used to contact the attackers, in this case over qTox.
Later, it tries to encrypt the files while skipping certain folders, files and extensions that it also keeps in memory, so as not to touch what it does not need to encrypt or what could alert to its presence; it loops over the files and checks each one against these lists.
An example of what a short file looks like before and after being encrypted, in which we can see how it appends the keys and the RAGNAR tag at the end.
Finally, to display the txt in the session in which RagnarLocker has been working, it operates on the interactive window station: we see how it obtains the session identifier and the process running the ransomware, duplicates its token, sets the session, and so on, in order to spawn the file in that session, so that once it has finished the note is shown on each affected computer and the victim learns what has happened.
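A cheap first-pass triage check that follows from the trailer just described is to look at the last bytes of each file. The following is an added example written for this article, not code from the sample or its operators. It assumes (the analysis only says "the keys and the RAGNAR tag at the end") that the tag is the ASCII bytes RAGNAR as the very last bytes of an encrypted file; the key material in front of it has an unknown layout here, so the example does not parse it. The demo directory and its files are constructed.

```python
"""Added example: scanning for the assumed RAGNAR trailer. Illustrative code
for this article, not the sample's. Assumption: encrypted files end with the
ASCII bytes b"RAGNAR"; the preceding key blob is not parsed."""
import os
import tempfile
from typing import List

RAGNAR_TAG = b"RAGNAR"   # assumed trailer, see lead-in
FAKE_KEY_BLOB_LEN = 16   # constructed: size of the placeholder key blob in the demo file


def has_ragnar_trailer(data: bytes) -> bool:
    """True if the buffer ends with the assumed RAGNAR tag."""
    return len(data) >= len(RAGNAR_TAG) and data.endswith(RAGNAR_TAG)


def file_has_ragnar_trailer(path: str) -> bool:
    """Read only the tail of the file so large shares can be scanned cheaply."""
    size = os.path.getsize(path)
    if size < len(RAGNAR_TAG):
        return False
    with open(path, "rb") as fh:
        fh.seek(size - len(RAGNAR_TAG))
        return fh.read(len(RAGNAR_TAG)) == RAGNAR_TAG


def scan_tree(root: str) -> List[str]:
    """Return sorted, slash-separated relative paths of files carrying the trailer."""
    hits: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if file_has_ragnar_trailer(full):
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def build_demo_tree() -> str:
    """Create a constructed directory with one clean file, one fake-encrypted
    file and one file too short to carry the trailer. Returns its path."""
    root = tempfile.mkdtemp(prefix="ragnar_demo_")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "clean.txt"), "wb") as fh:
        fh.write(b"quarterly report, unencrypted\n")
    # Placeholder ciphertext + placeholder key blob + trailer (demo layout only).
    with open(os.path.join(root, "docs", "report.docx"), "wb") as fh:
        fh.write(bytes(range(40)) + b"\x00" * FAKE_KEY_BLOB_LEN + RAGNAR_TAG)
    with open(os.path.join(root, "tiny.bin"), "wb") as fh:
        fh.write(b"RAG")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for rel in scan_tree(demo):
        print("RAGNAR trailer:", rel)
```

Treat a hit as a scoping signal, not proof: any file whose final six bytes happen to read RAGNAR will match, so confirm against the ransom note in \Public\Documents and against file-modification times from the incident window before reporting affected paths.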