VERY IMPORTANT

This pulse is a collection of Ragnar Locker Ransomware samples (includes some ransom notes available publicly). The FBI released MU-000140-MW in response to recent Ragnar campaigns. "The FBI first observed Ragnar Locker1 ransomware in April 2020, when unknown actors used it to encrypt a large corporation’s files for an approximately $11 million ransom and threatened to release 10 TB of sensitive company data. Since then, Ragnar Locker has been deployed against an increasing list of victims, including cloud service providers, communication, construction, travel, and enterprise software companies. The FBI is providing details of Ragnar Locker ransomware to assist with understanding the code and identifying the activity. Ragnar Locker actors first obtain access to a victim’s network and perform reconnaissance to locate network resources, backups, or other sensitive files for data exfiltration. In the final stage of the attack, actors manually deploy the ransomware, encrypting the victim’s data."