5 min Security

How do the RagnarLocker cybercriminals operate?

How do the RagnarLocker cybercriminals operate?

Israeli cybersecurity company Sygnia has set its sights on RagnarLocker, a group of ransomware criminals. Using a hodgepodge of self-developed tools and commercial software, the hackers look to penetrate organisational networks, encrypt important data and demand a crypto ransom from their victims.

According to the FBI’s cybercrime hotline, ransomware attacks have been on the rise in recent years. With such an attack, hackers get into an organization’s network and make important data inaccessible. Then the hacker group in question demands a ransom, usually in the form of bitcoin or other crypto currency. Organizations often choose to pay, hoping to prevent sensitive data from being out in the streets or lost.

Tip: How do you prepare your organization for a ransomware attack?

In the case of the RagnarLocker group, the hackers choose to specifically target important institutions. This includes hospitals, essential factories and government organizations. The group has been doing this since at least 2020, when cybersecurity experts first made note of them. The victims mostly originate from North America or Europe.

Sygnia describes the steps the hacker group takes, starting with invasion and ending with exploitation. Note that with any hacker group, there is a good reason to evolve their tactics. Developers plug software leaks with each new update. Additionally, in time, the patterns of cybercrime techniques start to stand out to authorities.

First steps

RagnarLocker is both the name of the hacker group and the malware it deploys. There are many types of malware, but ultimately only a handful of ways to smuggle them into an organisation. For example, a malicious actor can try to scam someone by email or exploit weaknesses in outward-facing software. Sygnia’s report involves an incident in which hackers exploited such a weakness, but it provides no further details about the nature of the incident.

After the first system is infected, the ransomware is displayed in the C: folder. Next, the hackers deploy commercial tools, including some of Microsoft’s own, to comprehensively scour the target network and look for users with remote access. They do this by searching the Windows log files that refer to remote desktop sessions. Once a user with access to other PCs within the organization is infected, the ransomware can be deployed. A salient detail is that the process stops if a system language from the former Soviet Union is recognized. Everyone in those areas is thus spared.

To hijack an IT administrator’s privileges within the organizations, the hackers dump (read: copy) the LSASS (Local Security Authority Subsystem Service) process. In other words, one obtains the access key that a system administrator uses to open the doors to another user’s computer.

RagnarLocker then uses remote tools to further coordinate the attack. Both the so-called Remote Manipulator System (RMS) and the perfectly legitimate AnyDesk are put to work in an attack by this group. RMS is also used by cybercriminals associated by authorities with the Russian Secret Service (FSB). Using third-party tools, RagnarLocker members then search for important data, including using the query “confidential”. The data is subsequently copied and encrypted. The group again stashes the necessary tools within frequently used folders on the C: drive.


The important data is then encrypted, which adds the extension .rgnr with a variable. Everything from browsers to the Recycle Bin becomes inaccessible to a user sitting at their desk. All one can see is a Notepad message. This message explains to the victim what happened, that all data is at risk and indicates that there isn’t much time to pay up. A countdown timer is accompanied by a chat function, for some questions about the further process. When the countdown hits zero, the data is published on RagnarLocker’s darkweb site.

Those who choose not to pay risk the loss of numerous data to malicious actors. The damage can then be difficult to assess, for example for a bank and its customers or a hospital and its patients. This threat alone will cause a lot of uproar at an organization. A good reason to have a safeguards in place, then. More on that later.

Those who do pay up not only stand to lose crypto coins. Even if an organization pays up and resecures access to its own data, the stolen files remain available to RagnarLocker itself. The hacker collective may not publish the data, but it does post the name of the defrauded organization online. For many companies, that can already cause a lot of reputational damage. Any bank that does not appear to have its own security up to par will attract fewer customers. In short, plenty of reason to arm yourself as an organization against these cybercrime tactics.


As mentioned before, RagnarLocker depends on vulnerabilities in external software. The usual advice not to simply trust emails from outside the organization is therefore not particularly relevant in this case. Common malware can be caught by antivirus software, but it must be up-to-date. Sygnia explains some additional steps that may come in handy to protect against RagnarLocker.

The cybersecurity firm recommends a PIM/PAM solution. These forms of identity and access management (IAM) allow companies to control access to users. The goal is to use system administrator accounts to provide access to users only where it is really needed. This limits the freedom of movement for cybercriminals within the network if they do manage to get in.

Again, companies would rather avoid an attack altogether. Still, there are a number of ways to detect and contain the malware if it is actively engaged inside the network. Sygnia states that common folders on the C drive should be closely monitored. Unique workstation names, suspicious Windows logging data and IP uploads to known RagnarLocker file locations can all be signs of an attack. Finally, Sygnia has the naming conventions and tools that characterize this particular cybercrime network’s modus operandi. It may therefore become necessary for RagnarLocker criminals to change their tactics.

Tip: Genesis Market: how did this criminal marketplace work and how was it rolled up?