
FBI FLASH on RagnarLocker Ransomware Expands Known Indicators of Compromise

The Federal Bureau of Investigation recently released an updated FLASH, number CU-000163-MW, as part of overall government efforts to identify and document ransomware threat actors and the multitude of ransomware variants they deploy. RagnarLocker first surfaced in April 2020 and continues to impact a wide variety of critical infrastructure sectors. These sectors include, but are not limited to, manufacturing, energy, financial services, government, and information technology.

RagnarLocker is the name of both a ransomware family and a ransomware gang. The FBI notes that the threat actor has impacted at least 52 different organizations. RagnarLocker constantly rotates a multitude of techniques to avoid detection and prevention. RagnarLocker also works to deter organizations from reaching out to law enforcement after a breach. Let’s take a look at its tactics and techniques.

RagnarLocker has been visible in many high-profile cyberattacks. In late 2021, Capcom, a large video gaming company, was impacted by RagnarLocker. Capcom found the breach on November 2, 2021, and confirmed that an unauthorized third party compromised personal and corporate data. This included employee data, shareholder data, store members, and more. Capcom is known for several major games, including Street Fighter, Resident Evil, and others. It appeared that the RagnarLocker attack affected email and file servers and resulted in the encryption of approximately 1 terabyte of data.

Anatomy of the Attack 

  • RagnarLocker is generally identified by the extension “.RGNR_<ID>,” where <ID> is a hash of the computer’s NETBIOS name. The threat actors identify themselves as “RAGNAR_LOCKER” and leave a .txt ransom note.
  • RagnarLocker then uses the Windows API GetLocaleInfoW to identify the location of the infected machine.
  • RagnarLocker identifies all attached hard drives using Windows APIs. These volumes are later encrypted during the final stage of the binary.
  • RagnarLocker iterates through all running services and terminates those most commonly used by Managed Service Providers.
  • In a last action to support the extortion, RagnarLocker encrypts all available files of interest. 
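
An added example (not from the FBI FLASH or from ThreatConnect) of triaging file-creation events for the “.RGNR_<ID>” extension described above. The log format, host names, and IDs are constructed, and treating <ID> as hex digits is an assumption; reading a shared ID as one machine's work is an inference from the page's statement that <ID> derives from the computer's name.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: <ID> renders as hex digits. The page only says it is a hash of
# the computer's NETBIOS name, so widen the character class if needed.
# Windows file names are case-insensitive, so match without regard to case.
RGNR_EXT = re.compile(r"\.RGNR_([0-9A-Fa-f]{4,})$", re.IGNORECASE)

# Constructed file-creation events, "timestamp|host|path" (not real telemetry).
SAMPLE_EVENTS = """\
2022-03-08T02:14:07Z|FS01|D:\\Shares\\Finance\\q4.xlsx.RGNR_1A2B3C4D
2022-03-08T02:14:07Z|FS01|D:\\Shares\\Finance\\budget.docx.RGNR_1A2B3C4D
2022-03-08T02:14:09Z|FS01|D:\\Shares\\HR\\roster.csv.RGNR_9F8E7D6C
2022-03-08T02:15:30Z|WS17|C:\\Users\\alice\\notes.txt
2022-03-08T02:15:31Z|WS17|C:\\Users\\alice\\report.pdf.rgnr_9f8e7d6c
malformed line without separators
2022-03-08T02:16:00Z|WS22|C:\\Tools\\RGNR_readme.md
"""

def find_rgnr_files(log_text):
    """Return {host: {id: [paths]}} for files carrying the .RGNR_<ID> extension."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        parts = line.strip().split("|", 2)
        if len(parts) != 3 or not all(parts):
            continue  # skip malformed records instead of aborting triage
        _, host, path = parts
        match = RGNR_EXT.search(PureWindowsPath(path).name)
        if match:
            hits[host][match.group(1).upper()].append(path)
    return {host: dict(ids) for host, ids in hits.items()}

def hosts_per_id(hits):
    """Map each <ID> to the hosts where it was seen. Inference: since <ID>
    derives from the encrypting computer's name, one ID on several hosts
    suggests a single machine wrote to all of them (e.g. over a share)."""
    seen = defaultdict(set)
    for host, ids in hits.items():
        for rgnr_id in ids:
            seen[rgnr_id].add(host)
    return {rgnr_id: sorted(hosts) for rgnr_id, hosts in seen.items()}

if __name__ == "__main__":
    hits = find_rgnr_files(SAMPLE_EVENTS)
    for rgnr_id, hosts in sorted(hosts_per_id(hits).items()):
        print(f"ID {rgnr_id} seen on {hosts}")
```
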

Readers can protect themselves and their organizations by using these top five recommended mitigations:

  1. Back up critical data offline and ensure copies of critical data are in the cloud or on an external hard drive or storage device. Secure your backups and ensure data is not accessible for modification or deletion from the system where the data resides.
  2. Use multifactor authentication with strong passwords, including for remote access services.
  3. Keep computers, devices, and applications patched and up-to-date.   
  4. Audit user accounts with administrative privileges and configure access controls with the least privilege in mind.  
  5. Capture any intelligence you find, including indicators and contextual information. This helps organize and keep track of the information identified so far, eliminates redundant research efforts, and better integrates activity to maximize insight and improve collaboration. Your team can quickly relay findings to others in the most efficient way, and improve your defensive capabilities in many areas.

Here is How ThreatConnect Can Help Defend Against Ransomware

The ThreatConnect Platform can help your team identify and defeat threats like RagnarLocker. Being able to leverage intelligence rapidly and make it actionable helps defenders minimize the gap between threat actor activity and their defensive posture. As your defenders identify, investigate, and memorialize intelligence in the ThreatConnect Platform, this new knowledge can be applied to enhance detection, prevention, and mitigation across your organization’s entire cybersecurity ecosystem. 

ThreatConnect can also share information on the responsible threat groups if attribution occurs. This attribution and disambiguation is important because it maximizes the available information, which might be the difference between a successful and a failed ransomware attack.

The ThreatConnect Platform Helps Threat Intelligence Analysts Outperform

The ThreatConnect Platform helps reduce risk and more rapidly leverage insights from intelligence sources. By encouraging information-sharing across your security teams, you’ll establish a feedback loop that allows for increased threat intelligence insight and reduced risk to your organization.

To learn more about RagnarLocker and see the complete, detailed data on the IOCs, please refer to the original FBI Alert.
