Deep Analysis - Ragnar Locker Ransomware | Threat: CRITICAL

File Identity

SHA256: 041fd213326dd5c10a16caf88ff076bb98c68c052284430fba5f601023d39a14
Size: 817,764 bytes (PE32 GUI x86, 6 sections)
Entropy: 7.973 (packed, contents obfuscated)

---RAGNAR SECRET---: Identity Confirmation

RAGNAR LOCKER: the "---RAGNAR SECRET---" string inside the binary identifies this sample as Ragnar Locker ransomware.
---RAGNAR SECRET---

-- Ragnar Locker: ransomware group active 2019-2023 (Europol-coordinated takedown in 2023)
-- PE32 GUI x86: main encryption engine
-- Entropy 7.97: the entire payload is encrypted/packed
-- Targets: corporate networks, critical infrastructure, 12+ countries

File Encryption Capability

CryptAcquireContextW
CryptEncrypt
CryptDestroyKey
CryptGenRandom
CryptReleaseContext
GetDriveTypeW
FindFirstFileW
FindNextFileW
SetFileAttributesW
CopyFileW

-- CryptAcquireContextW: obtains a Windows CryptoAPI provider handle to start encryption
-- CryptEncrypt: encrypts file contents
-- CryptGenRandom: generates random key material
-- GetDriveTypeW: enumerates fixed, removable and network drives
-- FindFirstFileW / FindNextFileW: walks every directory to list the files to encrypt
-- SetFileAttributesW: hides or changes the attributes of encrypted files

Token Manipulation (Privilege Escalation)

OpenProcessToken
SetTokenInformation
DuplicateTokenEx

-- OpenProcessToken: opens the access token of the current (or a target) process
-- DuplicateTokenEx: duplicates a token (impersonation)
-- SetTokenInformation: changes token settings
-- Purpose: run with SYSTEM privileges so that every file can be reached and encrypted
-- Caveat: these calls only copy or adjust a token the process can already open; reaching SYSTEM still requires a source token at that level, for example from a process the malware already has rights to

IOC

SHA256: 041fd213326dd5c10a16caf88ff076bb98c68c052284430fba5f601023d39a14
Signature: ---RAGNAR SECRET--- (string inside the binary)
Encryption: CryptAcquireContextW + CryptEncrypt
Privilege: OpenProcessToken + DuplicateTokenEx
Drive enumeration: GetDriveTypeW + FindFirstFileW/FindNextFileW
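As an added example (not code from this page or from the Ragnar Locker sample), the Python script below reproduces the file-identity and IOC checks above over a raw buffer: it computes the SHA256 and Shannon entropy, flags the packed threshold, looks for the ---RAGNAR SECRET--- marker and checks for the import names in the table. The 7.0 entropy threshold, the two-API rule for flagging a capability and the constructed sample buffer are assumptions of this example. Because import names are matched as plain ASCII strings, on a packed sample like the one above (entropy 7.97) they will normally only be found after unpacking or in a memory dump.

```python
import hashlib
import math
import random
import sys
from collections import Counter

# Marker string that the analysis above reports inside the binary.
RAGNAR_MARKER = b"---RAGNAR SECRET---"

# Import names from the IOC table above, grouped by the capability they indicate.
CAPABILITY_APIS = {
    "file_encryption": [b"CryptAcquireContextW", b"CryptEncrypt", b"CryptGenRandom"],
    "drive_file_enum": [b"GetDriveTypeW", b"FindFirstFileW", b"FindNextFileW"],
    "token_manipulation": [b"OpenProcessToken", b"DuplicateTokenEx", b"SetTokenInformation"],
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(data: bytes, packed_threshold: float = 7.0) -> dict:
    """Hash, entropy, marker and import-name check over a raw buffer.

    Import names are matched as plain ASCII substrings, which is how they appear
    in the import name table of an unpacked PE image. In a packed sample they are
    usually only visible after unpacking, so run this over the unpacked image or
    a memory dump. The 7.0 threshold is an assumption of this example.
    """
    found = {
        cap: [name.decode() for name in names if name in data]
        for cap, names in CAPABILITY_APIS.items()
    }
    entropy = shannon_entropy(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "entropy": round(entropy, 3),
        "likely_packed": entropy >= packed_threshold,
        "ragnar_marker": RAGNAR_MARKER in data,
        "apis": found,
        # A capability is flagged when at least two of its APIs are present,
        # so a single common import such as FindFirstFileW does not fire alone.
        "capabilities": [cap for cap, hits in found.items() if len(hits) >= 2],
    }


def build_sample(seed: int = 1) -> bytes:
    """Constructed stand-in for an unpacked dump: pseudo-random filler with the
    marker and the import names embedded. Not derived from the real sample."""
    rng = random.Random(seed)
    filler = bytes(rng.getrandbits(8) for _ in range(60_000))
    names = b"\x00".join(n for group in CAPABILITY_APIS.values() for n in group)
    return filler[:30_000] + RAGNAR_MARKER + b"\x00" + names + b"\x00" + filler[30_000:]


if __name__ == "__main__":
    # Usage: python triage.py <file>   (falls back to the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:
        blob = build_sample()
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```

Run it with no arguments to see the constructed sample flagged as packed with all three capability groups present; run it against a plain-text file to see the entropy drop well below the threshold and no capability fire.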

RagnarLocker — Malware Profile

Ragnar Locker is a ransomware group that was active from 2019 to 2023 and was dismantled in a Europol-coordinated operation in 2023. The sample is a PE32 GUI x86 binary in which the "---RAGNAR SECRET---" marker string is confirmed. It imports CryptAcquireContextW and CryptEncrypt for file encryption, GetDriveTypeW with FindFirstFileW/FindNextFileW for drive and file enumeration, and OpenProcessToken with DuplicateTokenEx for the token manipulation used to obtain SYSTEM-level access. The group targeted corporate networks in more than 12 countries.

Malware Type: Ransomware
Programming Language: C
C2 Protocol: (none listed)
Target Systems: Windows

Capabilities & Behavior

File Encryption (AES/RSA)
Shadow Copy Deletion
Backup Removal
Ransom Note Creation
Persistence
Network Share Encryption
Anti-Analysis Techniques
Double Extortion (Data Leak)

IOC List (1 indicator)

IOC — RagnarLocker
# SHA256 041fd213326dd5c10a16caf88ff076bb98c68c052284430fba5f601023d39a14
Type: sha256
Value: 041fd213326dd5c10a16caf88ff076bb98c68c052284430fba5f601023d39a14
Note: (none)
Tags: ragnar-locker-ransomware, ragnar-secret-string-confirmed, cryptacquirecontextw-cryptencrypt-windows-crypto-api, getdrivetypew-findnextfilew-drive-file-enumeration, openprocesstoken-duplicatetokenex-privilege-escalation, setfileattributesw-file-attribute-manipulation, entropy-797-packed-payload, pe32-gui-x86-818kb