After reading this article about the Ragnar Locker ransomware being run inside a Windows XP virtual machine to avoid detection, I thought: why not analyze the sample itself and see what it does compared to other ransomware families? This blog post walks through the ransomware using Ghidra and x64dbg.

Analysis

Using the function GetLocaleInfoW, the ransomware checks whether the language of the computer is one of the following. If it is, the process terminates itself.

Azerbaijani, Armenian, Belorussian, Kazakh, Kyrgyz, Moldavian, Tajik, Russian, Turkmen, Uzbek, Ukrainian, Georgian

image-20200529171413730

To make sure that only one copy of the ransomware runs at a time, it creates an event with CreateEventW. If the event already exists, GetLastError returns 0xb7 (ERROR_ALREADY_EXISTS) and, after looping 32768 times, the process terminates itself. If the event is created successfully, GetLastError returns 0 (ERROR_SUCCESS) and the ransomware continues running.

image-20200529222814164

To make sure that as much data as possible can be encrypted, the ransomware checks whether the following services are running and stops them if they are. Stopping database, backup and security services releases files they hold open and removes protection that could interfere with the encryption. The same list is given on the malware wiki.

vss,sql,memtas,mepocs,sophos,veeam,backup,pulseway,logme,logmein,connectwise,splashtop,kaseya

image-20200531232343276
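The service-stopping step above is a useful detection point: one backup service stopping is routine, but several services from this list stopping within seconds of each other is not. The following is an added example (not code from the original post or from the sample) of that detection logic run over constructed log lines. It assumes the kill list is matched as a case-insensitive substring of the service short name; the post only lists the strings, and the presence of both "logme" and "logmein" suggests substring matching, but that is an assumption. The log lines use a constructed "timestamp|event id|service|state" form; real Windows System events with ID 7036 carry the service display name, so map it to the short name (for example with Get-Service) before matching.

```python
"""Detection logic for the service-stopping step of the analysed sample.

Added example, not code from the original post or from the sample. The
kill-list matching (case-insensitive substring of the service short name)
and the log format ("ts|eid|service|state") are assumptions made here.
"""
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Tuple

# Service name fragments the sample stops (list from the post).
RAGNAR_KILL_LIST = [
    "vss", "sql", "memtas", "mepocs", "sophos", "veeam", "backup",
    "pulseway", "logme", "logmein", "connectwise", "splashtop", "kaseya",
]


def matches_kill_list(service_name: str) -> Optional[str]:
    """Return the first kill-list fragment contained in service_name, else None."""
    name = service_name.lower()
    for fragment in RAGNAR_KILL_LIST:
        if fragment in name:
            return fragment
    return None


def parse_service_stops(lines: Iterable[str]) -> List[Tuple[datetime, str]]:
    """Extract (timestamp, service) from constructed 'ts|eid|service|state'
    lines where eid is 7036 (service state change) and the state is 'stopped'."""
    stops = []
    for line in lines:
        fields = line.strip().split("|")
        if len(fields) != 4 or fields[1] != "7036" or fields[3] != "stopped":
            continue
        stops.append((datetime.strptime(fields[0], "%Y-%m-%d %H:%M:%S"), fields[2]))
    return stops


def suspicious_service_stops(lines: Iterable[str],
                             window: timedelta = timedelta(seconds=10),
                             threshold: int = 3) -> List[str]:
    """Return the kill-list services that stopped within `window` of each
    other when at least `threshold` of them did; otherwise an empty list."""
    hits = [(ts, svc) for ts, svc in parse_service_stops(lines) if matches_kill_list(svc)]
    hits.sort(key=lambda h: h[0])          # stable sort: ties keep log order
    for i, (start, _) in enumerate(hits):
        cluster = [svc for ts, svc in hits[i:] if ts - start <= window]
        if len(cluster) >= threshold:
            return cluster
    return []


# Constructed sample log: a burst of kill-list services stopping together,
# plus unrelated noise and one lone backup service stopping an hour later.
SAMPLE_LOG = """\
2020-05-29 17:10:01|7036|wuauserv|running
2020-05-29 17:14:02|7035|VSS|stop control sent
2020-05-29 17:14:02|7036|VSS|stopped
2020-05-29 17:14:02|7036|MSSQLSERVER|stopped
2020-05-29 17:14:03|7036|VeeamBackupSvc|stopped
2020-05-29 17:14:03|7036|Sophos MCS Client|stopped
2020-05-29 17:14:05|7036|Spooler|stopped
2020-05-29 18:30:00|7036|BackupExecRPCService|stopped
""".splitlines()

if __name__ == "__main__":
    print("kill-list burst:", suspicious_service_stops(SAMPLE_LOG))
```

Run as a script it reports the four kill-list services that stopped within the 10-second window; the Spooler stop inside the window is ignored because it is not on the list, and the BackupExec stop an hour later is outside the window.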

After that, the function at address 00402150, renamed to decrypt_string, is called to decrypt an RSA public key and the ransom note in memory.

image-20200531190214847

Public key

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3rt9EPkNBSGeoCGzU50f
OaEgC3EdDSXvMT26aRlzsUcng/EZUlTKwYDYwHXdIuWvshUymKexyi/BLR1fGs5Y
044BnrBqFPSgrjwarZw37wLTYqAKGR/5pTKxjwVuJ4ArC2A1XbYOlmhv2pbnVq4l
q0juc6W2MNoK31Bfds3/lrLAqlu3KMMg43PCvI2IMooguRRm7NEvqSeuu5ZmuC/A
v2/aNxSQoXfr2yS6JoZP7EFx/I00bkWWrHr4qhHppJrRVcJH8jGh9DDSuz7XzoW7
tLAPQZKR8V29x5z0Yscgm64Bd60uj3Fp9N7xqRDWZUKZQ+om9yTRhpsi8gORGrVp
MQIDAQAB
-----END PUBLIC KEY-----

Ransomware note

image-20200531190802429

To use the Windows CryptoAPI, the function CryptAcquireContextW is called. The dwProvType parameter is 0x1, which is the provider type PROV_RSA_FULL, so the RSA public-key algorithm is available for the key that is imported next. Note that PROV_RSA_FULL is a provider type rather than a cipher: it offers RSA for key exchange and signatures but also symmetric ciphers such as RC2, RC4 and DES, so the provider type alone does not say which algorithm encrypts the file contents.

image-20200531194111538

The public key gets imported with the use of CryptImportPublicKeyInfo.

image-20200531234017475

The imported public key is then used to encrypt two data blocks. The function at address 00401910, renamed to encrypt_block, calls CryptEncrypt on its fourth parameter, which is encrypted_block_1 on the first call and encrypted_block_2 on the second.

image-20200531235759021

Before encrypting files, the ransomware writes the ransom note to C:\Users\Public\Documents\RGNR_04BFF775.txt and then appends a generated_secret to that file. I did not analyze further how generated_secret is created. I think it is meant to let the malware authors identify which sample was used in a given attack, but I do not know for sure.

image-20200531200232105

image-20200531200311609

Encryption

The encryption routine skips the following folders, files and extensions. The same list is given on the malware wiki.

kernel32.dll, Windows, Windows.old, Tor browser, Internet Explorer, Google, Opera, Opera Software, Mozilla, Mozilla Firefox, $Recycle.Bin, ProgramData, All Users, autorun.inf, boot.ini, bootfont.bin, bootsect.bak, bootmgr, bootmgr.efi, bootmgfw.efi, desktop.ini, iconcache.db, ntldr, ntuser.dat, ntuser.dat.log, ntuser.ini, thumbs.db, .sys, .dll, .lnk, .msi, .drv, .exe

To open a file, CreateFileW is called with the fifth parameter dwCreationDisposition = 3, which stands for OPEN_EXISTING.

image-20200601203144499

ReadFile is then called to read a number of bytes from the file into a buffer; the number of bytes is not the same for every file. The buffer is encrypted by the function at address 00402380, renamed to encrypt_buffer, and the encrypted buffer is written back to the file. I did not analyze encrypt_buffer further, but it uses the handle obtained at the beginning of the code through the Windows CryptoAPI functions.

image-20200601211421004

Buffer before encryption - the buffer contains the local file “C:\Program Files\die_win32_portable\base\db\Binary\bzip.1.sg” (not associated with the malware)

image-20200601204806960

Buffer after encryption

image-20200601205054698

After the encrypted buffer has been written to the file, the 2 encrypted blocks and the string _RAGNAR_ are appended to the end of the file.

image-20200601210824215
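The public key decrypted earlier and the trailer appended here belong together: the key decides how large each appended block is, and the _RAGNAR_ marker lets a triage script find the blocks. The following is an added example (not code from the original post or from the sample) that parses the public key shown above to get its modulus size and then splits the trailer of a constructed stand-in file. It assumes that the trailer is laid out as block_1, block_2, _RAGNAR_ with nothing in between (the post only says the two blocks and the string are appended) and that each block is one RSA ciphertext of modulus size, which is what CryptEncrypt produces with an RSA key.

```python
"""Triage helper for files touched by the analysed sample: derive the RSA
block size from the public key decrypted in memory, then split the
trailer appended to every encrypted file.

Added example, not code from the original post or from the sample. The
trailer layout (block_1, block_2, "_RAGNAR_", nothing else) and the block
size (one RSA ciphertext = modulus size) are assumptions made here. The
encrypted file built below is constructed, not a real victim file.
"""
import base64
from typing import Optional, Tuple

# Public key recovered from the sample (from the post).
PUBLIC_KEY_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3rt9EPkNBSGeoCGzU50f
OaEgC3EdDSXvMT26aRlzsUcng/EZUlTKwYDYwHXdIuWvshUymKexyi/BLR1fGs5Y
044BnrBqFPSgrjwarZw37wLTYqAKGR/5pTKxjwVuJ4ArC2A1XbYOlmhv2pbnVq4l
q0juc6W2MNoK31Bfds3/lrLAqlu3KMMg43PCvI2IMooguRRm7NEvqSeuu5ZmuC/A
v2/aNxSQoXfr2yS6JoZP7EFx/I00bkWWrHr4qhHppJrRVcJH8jGh9DDSuz7XzoW7
tLAPQZKR8V29x5z0Yscgm64Bd60uj3Fp9N7xqRDWZUKZQ+om9yTRhpsi8gORGrVp
MQIDAQAB
-----END PUBLIC KEY-----"""

MARKER = b"_RAGNAR_"


def der_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_public_key_params(pem: str) -> Tuple[int, int]:
    """Parse a SubjectPublicKeyInfo PEM; return (modulus bit length, public exponent)."""
    b64 = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    _, spki, _ = der_tlv(base64.b64decode(b64), 0)   # SEQUENCE { algorithm, subjectPublicKey }
    _, _algorithm, pos = der_tlv(spki, 0)            # AlgorithmIdentifier (rsaEncryption), skipped
    tag, bitstr, _ = der_tlv(spki, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("expected BIT STRING with no unused bits")
    _, rsa, _ = der_tlv(bitstr, 1)                   # RSAPublicKey ::= SEQUENCE { n, e }
    tag_n, n_bytes, pos = der_tlv(rsa, 0)
    tag_e, e_bytes, _ = der_tlv(rsa, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(n_bytes, "big").bit_length(), int.from_bytes(e_bytes, "big")


def split_trailer(data: bytes, block_size: int) -> Optional[Tuple[bytes, bytes, bytes]]:
    """Split an encrypted file into (body, block_1, block_2), or None if the
    file does not end with _RAGNAR_ or is too short to hold two blocks.

    CryptoAPI emits RSA ciphertext in little-endian byte order, so reverse a
    block before handing it to an OpenSSL-based tool.
    """
    if not data.endswith(MARKER) or len(data) < 2 * block_size + len(MARKER):
        return None
    end = len(data) - len(MARKER)
    b2_start = end - block_size
    b1_start = b2_start - block_size
    return data[:b1_start], data[b1_start:b2_start], data[b2_start:end]


def build_sample_file(block_size: int) -> bytes:
    """Constructed stand-in for an encrypted file: 1024 bytes of body, then
    two recognisable placeholder blocks and the marker."""
    body = bytes(range(256)) * 4
    return body + b"\x11" * block_size + b"\x22" * block_size + MARKER


if __name__ == "__main__":
    bits, e = rsa_public_key_params(PUBLIC_KEY_PEM)
    block_size = bits // 8
    body, block_1, block_2 = split_trailer(build_sample_file(block_size), block_size)
    print(f"RSA-{bits} key, e={e}: each appended block is {block_size} bytes")
    print(f"body={len(body)} bytes, block_1={len(block_1)}, block_2={len(block_2)}")
```

For the key on this page the parser reports a 2048-bit modulus with exponent 65537, so under the assumptions above each appended block is 256 bytes and the trailer is 520 bytes in total; a file that carries the marker but is shorter than that is reported as malformed rather than split.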

Finally, the ransomware opens the ransom note with Notepad.

image-20200531203519707

image-20200529212911106

IOC

SHA256 - EC35C76AD2C8192F09C02ECA1F263B406163470CA8438D054DB7ADCF5BFC0597

References

https://www.bleepingcomputer.com/news/security/ransomware-encrypts-from-virtual-machines-to-evade-antivirus/

https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/

https://malware.wikia.org/wiki/Ragnar_Locker