RagnarLocker


RagnarLocker is a ransomware hacker group which uses virtual machine escape techniques to encrypt victim's system files. It first surfaced in December 2019.

History

First appearing at the end of 2019, it carried out its first major attack on the Portuguese electric company Energias de Portugal, where it demanded a ransom of 10.9 million dollars and threatened to leak 10 terabytes of data.
During 2022, it also attacked the video game company Capcom and the beverage company Campari.

Function

Ragnar Locker operates using an eponymously named piece of malware, RagnarLocker. The dropper first checks the operating system's language; if it is set to a language used in the former Soviet Union, it stops. Otherwise, it begins by sending a copy of system files to its central server and then downloads a package containing a version of VirtualBox configured to expose the host computer to the guest, together with a Windows XP image that contains the malware, which itself is only about 49 kB in size.
After disabling security-related services and services that could keep logs running, the dropper launches the virtual machine and the ransomware via a batch script. The ransomware encrypts files on the host computer without raising suspicion, since the file operations on the host appear to come from the trusted VirtualBox process rather than from the ransomware itself.
At the end of the process, a personalized ransom note is left on the victim's computer.
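The chain described above leaves several host-side traces a defender can correlate: VirtualBox binaries running from a user-writable location, a host drive being shared into the guest, security or logging services stopped shortly before the VM starts, and a VirtualBox process then modifying many ordinary user files. The script below, added here as an illustration and not code from the group or from any vendor's detection rule, runs those four heuristics over constructed telemetry whose field names (Image, CommandLine, TargetFilename) are loosely modelled on Sysmon; the service watchlist, install-path allowlist, thresholds and sample paths are all assumptions to be tuned per environment.

```python
"""Heuristics for the 'ransomware inside a portable VirtualBox guest' pattern.

Added example for this article (not RagnarLocker's code, not a published rule).
Telemetry is constructed; field names loosely follow Sysmon. 't' is seconds.
"""
import ntpath
import re
from collections import defaultdict
from typing import Dict, List

VBOX_IMAGES = {"vboxheadless.exe", "vboxmanage.exe", "virtualbox.exe",
               "virtualboxvm.exe", "vboxsvc.exe"}
# Where a legitimately installed VirtualBox normally lives (assumed allowlist).
TRUSTED_VBOX_DIRS = (r"c:\program files\oracle\virtualbox",
                     r"c:\program files (x86)\oracle\virtualbox")
SERVICE_STOP_TOOLS = {"sc.exe", "net.exe", "net1.exe"}
WATCHED_SERVICES = {"eventlog", "windefend", "vss"}   # assumed watchlist; tune locally
STOP_WINDOW_SECONDS = 300   # correlate service stops this far back from a VM start
FILE_EVENT_THRESHOLD = 5    # distinct host files touched by one VirtualBox process
HOSTPATH_RE = re.compile(r'--hostpath\s+("([^"]+)"|(\S+))', re.IGNORECASE)

Event = Dict[str, object]


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _service_from_stop_cmd(cmdline: str) -> str:
    """Extract the service name from 'sc stop <svc>' / 'net stop <svc>'."""
    parts = [p.lower() for p in cmdline.replace('"', "").split()]
    if "stop" in parts and parts.index("stop") + 1 < len(parts):
        return parts[parts.index("stop") + 1]
    return ""


def _is_vm_start(name: str, cmd: str) -> bool:
    return name in VBOX_IMAGES and ("--startvm" in cmd or " startvm " in cmd)


def detect(events: List[Event]) -> List[Dict[str, str]]:
    """Return one alert dict per heuristic hit, processing events in time order."""
    alerts: List[Dict[str, str]] = []
    recent_stops: List[tuple] = []                 # (t, service) pairs seen so far
    files_by_image = defaultdict(set)              # VirtualBox image -> host files touched
    for ev in sorted(events, key=lambda e: e["t"]):
        image, name = str(ev["Image"]), _base(str(ev["Image"]))
        if ev["type"] == "process":
            cmd = str(ev.get("CommandLine", ""))
            low = cmd.lower()
            # 1. VirtualBox binary executing outside its normal install directory.
            if name in VBOX_IMAGES and not image.lower().startswith(TRUSTED_VBOX_DIRS):
                alerts.append({"rule": "vbox_binary_outside_install_dir", "evidence": image})
            # 2. A host drive root or user profile shared into the guest.
            if name == "vboxmanage.exe" and "sharedfolder" in low:
                m = HOSTPATH_RE.search(cmd)
                hostpath = (m.group(2) or m.group(3)) if m else ""
                if re.fullmatch(r"[A-Za-z]:\\?", hostpath) or hostpath.lower().startswith(r"c:\users"):
                    alerts.append({"rule": "host_drive_shared_into_guest", "evidence": cmd})
            # 3. Watched services stopped, then a VM started within the window.
            if name in SERVICE_STOP_TOOLS and _service_from_stop_cmd(cmd) in WATCHED_SERVICES:
                recent_stops.append((ev["t"], _service_from_stop_cmd(cmd)))
            if _is_vm_start(name, low):
                stopped = sorted({s for t, s in recent_stops if ev["t"] - t <= STOP_WINDOW_SECONDS})
                if stopped:
                    alerts.append({"rule": "service_stops_before_vm_start", "evidence": ",".join(stopped)})
        elif ev["type"] == "file" and name in VBOX_IMAGES:
            target = str(ev["TargetFilename"])
            # A VM legitimately writes its own disk images; other host files are suspect.
            if "virtualbox vms" not in target.lower() and \
                    not target.lower().startswith(ntpath.dirname(image).lower()):
                files_by_image[image].add(target)
    # 4. One VirtualBox process touching many ordinary host files.
    for image, targets in files_by_image.items():
        if len(targets) >= FILE_EVENT_THRESHOLD:
            alerts.append({"rule": "vbox_process_touching_host_files",
                           "evidence": f"{image}: {len(targets)} files"})
    return alerts


# Constructed sample telemetry (paths, VM names and file names are invented).
def _proc(t, image, cmd):
    return {"t": t, "type": "process", "Image": image, "CommandLine": cmd}

def _file(t, image, target):
    return {"t": t, "type": "file", "Image": image, "TargetFilename": target}

TMP = r"C:\Users\alice\AppData\Local\Temp\vbox"
PF = r"C:\Program Files\Oracle\VirtualBox"
SAMPLE_EVENTS: List[Event] = [
    _proc(0, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\run.bat"),
    _proc(2, r"C:\Windows\System32\sc.exe", "sc stop EventLog"),
    _proc(3, r"C:\Windows\System32\sc.exe", "sc stop WinDefend"),
    _proc(10, TMP + r"\VBoxManage.exe",
          TMP + r'\VBoxManage.exe sharedfolder add "micro" --name c_drive --hostpath C:\ --automount'),
    _proc(15, TMP + r"\VBoxHeadless.exe", TMP + r"\VBoxHeadless.exe --startvm micro"),
    *[_file(20 + i, TMP + r"\VBoxHeadless.exe", rf"C:\Users\alice\Documents\report{i}.docx") for i in range(6)],
    # Benign: a properly installed VirtualBox writing its own disk image, long after the stops.
    _proc(2000, PF + r"\VBoxHeadless.exe", PF + r"\VBoxHeadless.exe --startvm devbox"),
    _file(2001, PF + r"\VBoxHeadless.exe", r"C:\Users\bob\VirtualBox VMs\devbox\devbox.vdi"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["rule"], "->", alert["evidence"])
```

Each heuristic alone is noisy on a developer workstation, which is why the example keeps the benign devbox events: none of them fires there, while the constructed intrusion trips all four. In practice the fourth rule, a VirtualBox process writing to user documents rather than to its own disk images, is the one that most directly captures the point of the technique described above.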

Arrests

Between October 16 and 20, 2023, Europol and Eurojust conducted a series of seizures and arrests in Czechia, Spain and Latvia in response to RagnarLocker's criminal activity. On October 20, an alleged main suspect and developer was brought before the examining magistrates of the Paris Judicial Court.
The ransomware's infrastructure was also seized in the Netherlands, Germany and Sweden and the associated data leak website on Tor was taken down in Sweden.