Home > List all groups > List all tools > List all groups using tool RagnarLocker

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: RagnarLocker

TypeRansomware, Big Game Hunting
Description(McAfee) The RagnarLocker ransomware first appeared in the wild at the end of December 2019 as part of a campaign against compromised networks targeted by its operators.
The ransomware code is small (only 48kb after the protection in its custom packer is removed) and coded in a high programming language (C/C++). Like all ransomware, the goal of this malware is to encrypt all files that it can and request a ransom for decrypting them.
RagnarLocker’s operators, as we have seen with other bad actors recently, threaten to publish the information they get from compromised machines if ransoms are not paid.
After conducting reconnaissance, the ransomware operators enter the victim’s network and, in some pre-deployment stages, steal information before finally dropping the ransomware that will encrypt all files in the victim’s machines.
The most notable RagnarLocker attack to date saw this malware deployed in a large company where the malware operators then requested a ransom of close to $11 million USD in return for not leaking information stolen from the company. In this report we will talk about the sample used in this attack.
AlienVault OTX<>

Last change to this tool card: 23 April 2021

Download this tool card in JSON format

All groups using tool RagnarLocker


APT groups

 Viking Spider[Unknown]2019-Jun 2021 

2 groups listed (2 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
PGP Download PGP key