Organizations worldwide face a multi-pronged threat from Ransomware groups at a greater frequency than recorded before. Cyble Research Labs has analyzed and published information about the most prominent and active ransomware groups in the past and provided recommendations to prevent such incidents. As the organizations' primary danger remains losing access to their systems and data, the threat of Ransomware groups leaking the data if their ransom demands are not met or the victim reaches out to law enforcement authorities has been raising more concern. This blog is a deep dive into one of the most active Ransomware groups, Ragnar_Locker: how they operate, their capabilities, and how to secure yourself and your organization from them.

Ragnar_locker ransomware was first observed in late 2019, targeting multiple high-profile targets on Windows platforms. Like most notorious ransomware gangs, Ragnar_locker also uses the double extortion technique for financial gain. This group targets several countries worldwide, as shown in the figure below.

The malware first prepares the key required to encrypt the files in the latter part of its execution. It uses cryptographic APIs such as CryptAcquireContextW(), CryptGenRandom() and CryptReleaseContext() to generate random keys.

Then, the malware uses a custom decryption logic which decrypts the strings that hold the names of the services it looks for. After recovering the service names, the Ransomware checks for their presence and terminates them if the services are actively running on the victim's machine. Some of these services include VSS, SQL, Memtas, etc.

To identify the services running on the machine, the Ransomware first calls the OpenSCManagerA() API, which establishes a connection to the service control manager and gives the TA access to the service control manager database. Upon gaining access to this database, the following APIs are called:

OpenServiceA() – Opens the specified service.
QueryServiceStatusEx() – Gets the status of the service.
EnumDependentServicesA() – Retrieves the dependent services.
ControlService() – Takes control of the service in order to stop it.

If the OpenSCManagerA() API fails to get a handle to the Service Control Manager (SCM), the Ransomware skips calling the above service-related APIs.

The Ransomware then proceeds to execute the CreateProcessW() API to call wmi/vssadmin to delete any shadow copies in the system. After this, the Ransomware decrypts the embedded RSA public key and uses it to encrypt the randomly generated key, as shown in Figure 9.
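The pre-encryption steps described above (stopping backup and database services through the SCM, then deleting shadow copies via wmi/vssadmin) leave a recognisable trail in Windows event logs. The following is an added detection example, not code from the Cyble write-up; the log format is a constructed key=value rendering loosely modelled on Sysmon Event ID 1 (process creation) and System log Event ID 7036 (service state change), and the service watchlist is an assumption a defender would extend with their own names.

```python
"""Flag shadow-copy deletion and mass stopping of backup/database services
from constructed event lines (simplified key=value format, not real logs)."""
import re
from typing import Dict, List

# Services the write-up names as Ragnar_locker targets (assumed short names;
# a real deployment would add its own backup and database service names).
WATCHED_SERVICES = {"vss", "sqlserver", "memtas"}

# key=value pairs, value either "quoted with spaces" or a bare token
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict (quoted values keep their spaces)."""
    return {k: (q or u) for k, q, u in KV.findall(line)}


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """vssadmin or wmic invoked with both 'delete' and 'shadow' in the arguments."""
    c = cmdline.lower()
    return ("vssadmin" in c or "wmic" in c) and "delete" in c and "shadow" in c


def detect(lines: List[str]) -> List[str]:
    """Return human-readable findings; per-process hits first, service summary last."""
    findings, stopped = [], []
    for line in lines:
        ev = parse_event(line)
        if ev.get("event_id") == "1" and is_shadow_copy_deletion(ev.get("cmdline", "")):
            findings.append(f"shadow copy deletion: {ev['cmdline']} "
                            f"(parent {ev.get('parent', '?')})")
        elif ev.get("event_id") == "7036" and ev.get("state") == "stopped":
            svc = ev.get("service", "").lower()
            if svc in WATCHED_SERVICES:
                stopped.append(svc)
    # One stopped service is routine; two or more watched ones in a batch is not.
    if len(stopped) >= 2:
        findings.append(f"multiple watched services stopped: {sorted(set(stopped))}")
    return findings


# Constructed sample events: a benign 'list shadows' and a Spooler stop are mixed in.
SAMPLE_EVENTS = [
    'event_id=7036 service=VSS state=stopped',
    'event_id=7036 service=Spooler state=stopped',
    'event_id=7036 service=SQLSERVER state=stopped',
    'event_id=1 image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet" parent=C:\\Users\\victim\\AppData\\Local\\Temp\\sample.exe',
    'event_id=1 image=C:\\Windows\\System32\\wbem\\wmic.exe cmdline="wmic shadowcopy delete" parent=C:\\Users\\victim\\AppData\\Local\\Temp\\sample.exe',
    'event_id=1 image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin list shadows" parent=C:\\Windows\\explorer.exe',
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Correlating the service stops with the shadow-copy deletion from the same parent process within a short window is what turns these individual events into a high-confidence ransomware alert.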