data

General
Target

data

Size

204KB

Sample

211020-kxgyrahgcq

Score
10 /10
MD5

fcd9a9e76d99cf8b85a817eee770a333

SHA1

1a7a938bb4b88c9a840c0f2935663d3a207c3f26

SHA256

0766beb30c575fc68d1ca134bd53c086d2ce63b040e4d0bbd6d89d8c26ca04f6

SHA512

ae1c9536e717efebd175ba6cd820740a007c0b31bdcff94aab6b55f940aee4e2406a1e1d6a83ca410ff0018ea049b856a3dc914c49faa3cf74b9e557faab58e5

Malware Config

Extracted

Path C:\Users\Public\Documents\!!!_READ_ME_7E8535F5_!!!.txt
Family ragnarlocker
Ransom Note
***************************************************************************************************************** HELLO Biologicale_Ltd ! IF YOU ARE READING THIS, IT'S MEAN YOUR DATA WAS ENCRYPTED AND YOU SENSITIVE PRIVATE INFORMATION WAS STOLEN! READ CAREFULLY THE WHOLE INSTRUCTION NOTES TO AVOID DIFFICULTIES WITH YOUR DATA by RAGNAR_LOCKER ! ***************************************************************************************************************** *YOU HAVE TO CONTACT US via LIVE CHAT IMMEDIATELY TO RESOLVE THIS CASE AND MAKE A DEAL* (contact information you will find at the bottom of this notes) !!!!! WARNING !!!!! DO NOT Modify, rename, copy or move any files or you can DAMAGE them and decryption will be impossible. DO NOT Use any third-party or public Decryption software, it also may DAMAGE files. DO NOT Shutdown or Reset your system, it can DAMAGE files ------------------------------------- There is ONLY ONE possible way to get back your files - contact us via LIVE CHAT and pay for the special DECRYPTION KEY ! For your GUARANTEE we will decrypt 2 of your files FOR FREE, to show that it Works. Don't waste your TIME, the link for contact us will be deleted if there is no contact made in closest time and you will NEVER restore your DATA. !!! HOWEVER if you will contact us within 2 day since get penetrated - you can get a very SPECIAL PRICE. ! WARNING ! Whole your network was fully COMPROMISED! We has BREACHED your security perimeter and DOWNLOADED your PRIVATE SENSITIVE Data, including your: Accounting, Financial, Confidential and/or Proprietary Business information, Medical Certificates, Clients and Employees personal information, Business Agreements and Contracts, Administrator's Folders and many other! Also we have your Private Corporate Correspondence, Emails and Workbooks, Private Documents and etc. If the deal wouldn't be made than all your data can be sold through an auction to any third-parties. - There are some screenshots just as a proofs of what we got on you. (you can find more on Leak Page) Screenshots: https://prnt.sc/v36ygd https://prnt.sc/v37089 https://prnt.sc/v36yxt https://prnt.sc/v36zio https://prnt.sc/v36xi8 https://prnt.sc/v370oi ------------------------------------- Whole data that gathered from your private files and directories could be SOLD to any third-parties and/or PUBLISHED in MASS MEDIA for BREAKING NEWS! Yours partners, clients and investors would be notified about LEAK, the consequences will have a DISASTROUS effect on your company's reputation! However if we make a Deal everything would be kept in Secret and all your data will be Restored, so it is much cheaper and easier way for you than lawsuits expenses. You can take a look for some more examples of what we have, right now it's a private, temporary and hidden page, but it could become permanent and accessable for Public View if you decide NOT pay. Use Tor Browser to open the link: http://p6o7m73ujalhgkiv.onion/?38KP4j2zYlWcWRm6zsLg To view the page's content use password: Srw07kjats ============================================================================================================== ! HERE IS THE SIMPLE MANUAL HOW TO GET CONTACT WITH US VIA LIVE CHAT ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! a) Download and install TOR browser from this site : https://torproject.org b) For contact us via LIVE CHAT open our website : http://rgnar43spcnsocswaw22lmk7jnget5f6vow7kqmnf4jc6hfwpiwoajid.onion/client/?384fAE1DDC9DE3D3b670f7961AEEAA6DBDaCfb972D6Fff48Baf0bcc6c1da2FAc c) To visit our NEWS LEAK BLOG with your data, open this website : http://p6o7m73ujalhgkiv.onion/?http://p6o7m73ujalhgkiv.onion/?38KP4j2zYlWcWRm6zsLg ( password:Srw07kjats) d) If Tor is restricted in your area, use VPN When you open LIVE CHAT website follow rules : Follow the instructions on the website. At the top you will find CHAT tab. Send your message there and wait for response (we are not online 24/7, So you have to wait for your turn). *********************************************************************************** ---BEGIN RAGN KEY--- Mzg0ZkFFMUREQzlERTNEM2I2NzBmNzk2MUFFRUFBNkRCRGFDZmI5NzJENkZmZjQ4QmFmMGJjYzZjMWRhMkZBYw== ---END RAGN KEY--- ***********************************************************************************
URLs

https://prnt.sc/v36ygd

https://prnt.sc/v37089

https://prnt.sc/v36yxt

https://prnt.sc/v36zio

https://prnt.sc/v36xi8

https://prnt.sc/v370oi

http://p6o7m73ujalhgkiv.onion/?38KP4j2zYlWcWRm6zsLg

http://rgnar43spcnsocswaw22lmk7jnget5f6vow7kqmnf4jc6hfwpiwoajid.onion/client/?384fAE1DDC9DE3D3b670f7961AEEAA6DBDaCfb972D6Fff48Baf0bcc6c1da2FAc

http://p6o7m73ujalhgkiv.onion/?http://p6o7m73ujalhgkiv.onion/?38KP4j2zYlWcWRm6zsLg

Targets
Target

data

MD5

fcd9a9e76d99cf8b85a817eee770a333

Filesize

204KB

Score
10/10
SHA1

1a7a938bb4b88c9a840c0f2935663d3a207c3f26

SHA256

0766beb30c575fc68d1ca134bd53c086d2ce63b040e4d0bbd6d89d8c26ca04f6

SHA512

ae1c9536e717efebd175ba6cd820740a007c0b31bdcff94aab6b55f940aee4e2406a1e1d6a83ca410ff0018ea049b856a3dc914c49faa3cf74b9e557faab58e5

Tags

Signatures

  • RagnarLocker

    Description

    Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File DeletionInhibit System Recovery
  • Modifies boot configuration data using bcdedit

    Tags

    TTPs

    Inhibit System Recovery
  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query RegistrySystem Information Discovery
  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery
  • Writes to the Master Boot Record (MBR)

    Description

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    Tags

    TTPs

    Bootkit

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Execution
          Exfiltration
            Initial Access
              Lateral Movement
                Persistence
                Privilege Escalation
                  Tasks