General

  • Target

    birch_ragnarlocker

  • Size

    49KB

  • Sample

    200801-7lxn89dqex

  • MD5

    3dabfb99101821ae0e89389a9c9d28a5

  • SHA1

    72b19c503a642770945355ea0dce96bf9d735f81

  • SHA256

    1602d04000a8c7221ed0d97d79f3157303e209d4640d31b8566dd52c2b09d033

  • SHA512

    131487a835f81a774b43155364a683b054b342c5176fe19264a4f9a510c6571532b1cb081011a09f733dee836192240cd36b419979832a601001b14ccbc5ff18

Malware Config

Extracted

Path

C:\Users\Public\Documents\RGNR_AC7AABB2.txt

Family

ragnarlocker

Ransom Note
***************************************************************************************************************** HELLO Birch.com,Cbeyond ! If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED Although your security measures already been BREACHED and your files were LOCKED, we was able to make a PENETRATION of your network AGAIN! by RAGNAR_LOCKER ! ***************************************************************************************************************** Your systems are very far from perfectly secured, so even after the first penetration you didn't fix and close vulnerabilities and we again have access to your network, it would be a big amazement in the news that you allowed second leakage! !!!!! WARNING !!!!! DO NOT Modify, rename, copy or move any files or you can DAMAGE them and decryption will be impossible. DO NOT use any third party or public decryption software, it also may damage files. DO NOT Shutdown or reset your system ------------------------------------- There is ONLY ONE possible way to get back your files - contact us and pay for our special decryption key ! For your GUARANTEE we will decrypt 2 of your files FOR FREE, as a proof of our capabilities Don't waste your TIME, the link for contacting us will be deleted if there is no contact made in closest future and you will never restore your DATA. HOWEVER if you will contact us within 2 day since get penetrated - you can get a very SPECIAL PRICE. WARNING ! We has downloaded a lot of your private Data, including your biling info, business licenses, credit info, finance reports, business audit, Banking information and many other interesting things! Also we have an personal correspondence and information about your clients and partners and even about your staff, there are some screenshots just as a proofs. https://prnt.sc/sfle2v http://prnt.sc/sflk1s http://prnt.sc/sflkc8 http://prnt.sc/sflkn2 Whole data gathered from your SECRET files and directories could be published for everyone's view and your partners, clients and investors would be notified about leak. However if we make a deal everything would be kept in secret and all your data will be restored. You can find post already published regarding LEAKS from your company and it would be updated about the SECOND LEAK in less than one MONTH ! Use Tor Browser to open the link: http://p6o7m73ujalhgkiv.onion/2020/03/18/leaks-from-communicate-giant/ ============================================================================================================== ! HERE IS THE SIMPLE MANUAL HOW TO GET CONTACT WITH US VIA LIVE CHAT ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! a) Download and install TOR browser from this site : https://torproject.org b) For contact us via LIVE CHAT open our website : http://rgngerzxui2kizq6h5ekefneizmn54n4bcjjthyvdir22orayuya5zad.onion/client/?6C3B93D0480953d13302f18DD4a6C0C4e59cDae6D4f88Ed5c98cE8fCD0F9D6cE c) For visit our NEWS PORTAL with your data, open this website : http://p6o7m73ujalhgkiv.onion/2020/03/18/leaks-from-communicate-giant/ d) If Tor is restricted in your area, use VPN When you open LIVE CHAT website follow rules : Follow the instructions on the website. At the top you will find CHAT tab. Send your message there and wait for response (we are not online 24/7, So you have to wait for your turn). ?���| *********************************************************************************** ---RAGNAR SECRET--- NkMzQjkzRDA0ODA5NTNkMTMzMDJmMThERDRhNkMwQzRlNTljRGFlNkQ0Zjg4RWQ1Yzk4Y0U4ZkNEMEY5RDZjRQ== ---RAGNAR SECRET--- ***********************************************************************************
URLs

https://prnt.sc/sfle2v

http://prnt.sc/sflk1s

http://prnt.sc/sflkc8

http://prnt.sc/sflkn2

http://p6o7m73ujalhgkiv.onion/2020/03/18/leaks-from-communicate-giant/

http://rgngerzxui2kizq6h5ekefneizmn54n4bcjjthyvdir22orayuya5zad.onion/client/?6C3B93D0480953d13302f18DD4a6C0C4e59cDae6D4f88Ed5c98cE8fCD0F9D6cE

Targets

    • Target

      birch_ragnarlocker

    • Size

      49KB

    • MD5

      3dabfb99101821ae0e89389a9c9d28a5

    • SHA1

      72b19c503a642770945355ea0dce96bf9d735f81

    • SHA256

      1602d04000a8c7221ed0d97d79f3157303e209d4640d31b8566dd52c2b09d033

    • SHA512

      131487a835f81a774b43155364a683b054b342c5176fe19264a4f9a510c6571532b1cb081011a09f733dee836192240cd36b419979832a601001b14ccbc5ff18

    • RagnarLocker

      Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Drops desktop.ini file(s)

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Modifies service

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Bootkit

1
T1067

Modify Existing Service

1
T1031

Defense Evasion

File Deletion

2
T1107

Modify Registry

1
T1112

Impact

Inhibit System Recovery

2
T1490

Tasks