SOFTWARE

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

Hacking Team UEFI Rootkit

Imminent Monitor

IronNetInjector

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

RemoteUtilities

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

SOFTWARE

1-9

A-B

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

C-D

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

E-F

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

G-H

Hacking Team UEFI Rootkit

I-J

Imminent Monitor

IronNetInjector

K-L

M-N

O-P

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Q-R

RemoteUtilities

S-T

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

U-V

W-X

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

Y-Z

Ragnar Locker

Ragnar Locker is a ransomware that has been in use since at least December 2019.^[1]^[2]

ID: S0481

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 29 June 2020

Last Modified: 13 April 2021

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	Ragnar Locker has used cmd.exe and batch scripts to execute commands.^[1]
Enterprise	T1543	.003	Create or Modify System Process: Windows Service	Ragnar Locker has used sc.exe to create a new service for the VirtualBox driver.^[1]
Enterprise	T1486		Data Encrypted for Impact	Ragnar Locker encrypts files on the local machine and mapped drives prior to displaying a note demanding a ransom.^[1]^[2]
Enterprise	T1564	.006	Hide Artifacts: Run Virtual Instance	Ragnar Locker has used VirtualBox and a stripped Windows XP virtual machine to run itself. The use of a shared folder specified in the configuration enables Ragnar Locker to encrypt files on the host operating system, including files on any mapped drives.^[1]
Enterprise	T1562	.001	Impair Defenses: Disable or Modify Tools	Ragnar Locker has attempted to terminate/stop processes and services associated with endpoint security products.^[1]
Enterprise	T1490		Inhibit System Recovery	Ragnar Locker can delete volume shadow copies using `vssadmin delete shadows /all /quiet`.^[1]
Enterprise	T1120		Peripheral Device Discovery	Ragnar Locker may attempt to connect to removable drives and mapped network drives.^[1]
Enterprise	T1489		Service Stop	Ragnar Locker has attempted to stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted.^[1]
Enterprise	T1218	.007	Signed Binary Proxy Execution: Msiexec	Ragnar Locker has been delivered as an unsigned MSI package that was executed with `msiexec.exe`.^[1]
		.010	Signed Binary Proxy Execution: Regsvr32	Ragnar Locker has used regsvr32.exe to execute components of VirtualBox.^[1]
		.011	Signed Binary Proxy Execution: Rundll32	Ragnar Locker has used rundll32.exe to execute components of VirtualBox.^[1]
Enterprise	T1614		System Location Discovery	Before executing malicious code, Ragnar Locker checks the Windows API `GetLocaleInfoW` and doesn't encrypt files if it finds a former Soviet country.^[3]
Enterprise	T1569	.002	System Services: Service Execution	Ragnar Locker has used sc.exe to execute a service that it creates.^[1]

References

FBI. (2020, November 19). Indicators of Compromise Associated with Ragnar Locker Ransomware. Retrieved April 1, 2021.