General

  • Target

    ragnar_locker_GST_AutoLeather

  • Size

    48KB

  • Sample

    200803-rxkkhy9x5n

  • MD5

    1ee5456c1226affd7b72bcdf3db443b7

  • SHA1

    e22344a92c91b567a6cba7eb66686c438d479462

  • SHA256

    dd5d4cf9422b6e4514d49a3ec542cffb682be8a24079010cda689afbb44ac0f4

  • SHA512

    326e647615cab28c2a9e065ad628059b739d207a319c6631f9ed57a97548c67565c096d7227a6dc880484b65013977e95dd25e3ec8258c5e43c4567f0d86af00

Malware Config

Extracted

Path

C:\Users\Public\Documents\RGNR_AC7AABB2.txt

Family

ragnarlocker

Ransom Note
***************************************************************************************************************** HELLO GST_AutoLeather ! If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED by RAGNAR_LOCKER ! ***************************************************************************************************************** !!!!! WARNING !!!!! DO NOT Modify, rename, copy or move any files or you can DAMAGE them and decryption will be impossible. DO NOT use any third party or public decryption software, it also may damage files. DO NOT Shutdown or reset your system ------------------------------------- There is ONLY ONE possible way to get back your files - contact us and pay for our special decryption key ! For your GUARANTEE we will decrypt 2 of your files FOR FREE, as a proof of our capabilities Don't waste your TIME, the link for contacting us will be deleted if there is no contact made in closest future and you will never restore your DATA. HOWEVER if you will contact us within 2 day since get penetrated - you can get a very SPECIAL PRICE. WARNING ! We had downloaded more than 1TB of your private information including billing info, clients private data, contracts, agreements and a lot of other sensitive information. Also we get everything from such files as "topsecret.doc" where was an access to your's SQL databases, Sharepoints, Barracuda Backups, Admin credentials and other services. You can check some proofs here: https://prnt.sc/s1xrct https://prnt.sc/s1xrpe https://prnt.sc/s1xs5s https://prnt.sc/s1xt9j Whole data gathered from your SECRET files and directories could be published for everyone's view and your partners, clients and investors would be notified about leak. However if we make a deal everything would be kept in secret and all your data will be restored. You can take a look on some examples of what we have, right now it's a private hidden page. Use Tor Browser to open the link: http://p6o7m73ujalhgkiv.onion/in-project-temporarypage-18-04/ to view the page's content use password: leather9912gst013 ============================================================================================================== ! HERE IS THE SIMPLE MANUAL HOW TO GET CONTACT WITH US VIA LIVE CHAT ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! a) Download and install TOR browser from this site : https://torproject.org b) For contact us via LIVE CHAT open our website : http://stppd5as5x4hxs45.onion/client/?1cdCAFdD70D2Eb1E078BCDED49fAb75d6315592715f319aFcb3c6106eFda88a2 c) For visit our NEWS PORTAL with your data, open this website : http://p6o7m73ujalhgkiv.onion/in-project-temporarypage-18-04/ ( password: leather9912gst013 ) d) If Tor is restricted in your area, use VPN When you open LIVE CHAT website follow rules : Follow the instructions on the website. At the top you will find CHAT tab. Send your message there and wait for response (we are not online 24/7, So you have to wait for your turn). *********************************************************************************** ---RAGNAR SECRET--- MWNkQ0FGZEQ3MEQyRWIxRTA3OEJDREVENDlmQWI3NWQ2MzE1NTkyNzE1ZjMxOWFGY2IzYzYxMDZlRmRhODhhMg== ---RAGNAR SECRET--- ***********************************************************************************
URLs

https://prnt.sc/s1xrct

https://prnt.sc/s1xrpe

https://prnt.sc/s1xs5s

https://prnt.sc/s1xt9j

http://p6o7m73ujalhgkiv.onion/in-project-temporarypage-18-04/

http://stppd5as5x4hxs45.onion/client/?1cdCAFdD70D2Eb1E078BCDED49fAb75d6315592715f319aFcb3c6106eFda88a2

Targets

    • Target

      ragnar_locker_GST_AutoLeather

    • Size

      48KB

    • MD5

      1ee5456c1226affd7b72bcdf3db443b7

    • SHA1

      e22344a92c91b567a6cba7eb66686c438d479462

    • SHA256

      dd5d4cf9422b6e4514d49a3ec542cffb682be8a24079010cda689afbb44ac0f4

    • SHA512

      326e647615cab28c2a9e065ad628059b739d207a319c6631f9ed57a97548c67565c096d7227a6dc880484b65013977e95dd25e3ec8258c5e43c4567f0d86af00

    • RagnarLocker

      Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Modifies service

MITRE ATT&CK Enterprise v6

Tasks