Threat Signal Report

FBI Releases Updated Indicators of Compromise for RagnarLocker Ransomware

Description

FortiGuard Labs is aware that the U.S. Federal Bureau of Investigation (FBI) released updated indicators of compromise (IOCs) for RagnarLocker (Ragnar_Locker) ransomware on March 8th, 2022. The report states "As of January 2022, the FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including entities in the critical manufacturing, energy, financial services, government, and information technology sectors."

The first sighting of the ransomware goes back to at least February 2020. RagnarLocker ransomware employs triple extortion tactics: it demands a ransom for decrypting files, threatens to publicize stolen data, and demands payment to stop a DDoS (Distributed Denial of Service) attack against the victim.

Why is this Significant?

This is significant because the FBI is aware that more than 50 organizations across 10 critical infrastructure sectors were affected by RagnarLocker ransomware. The fact that the FBI has made additional IOCs available to the public suggests that RagnarLocker will continue to be active and will likely produce more victims.

What is RagnarLocker Ransomware?

The first report of RagnarLocker (Ragnar_Locker) ransomware dates back to as early as February 2020.

Just like any other ransomware, RagnarLocker encrypts files on the compromised machine and steals valuable data. It also deletes all Volume Shadow Copies, which prevents recovery of the encrypted files. Although there are some exceptions, files encrypted by RagnarLocker ransomware generally have a file extension that starts with .ragnar_ or ragn@r_ followed by random characters.
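The extension pattern described above can be used to triage a file listing exported from a suspect host. The following is an added example, not code from FortiGuard Labs or the FBI report; the function names and the sample listing are constructed, and because the report does not give the length or alphabet of the random tail, any non-empty tail is accepted. As noted above, some encrypted files do not follow this pattern, so an empty result does not rule out infection.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Extension prefixes named in the report. The random tail's length and
# alphabet are not given there, so any non-empty tail is accepted and the
# match is case-insensitive (both are assumptions of this example).
RAGNAR_EXT = re.compile(r"^\.(?:ragnar_|ragn@r_).+$", re.IGNORECASE)


def is_ragnar_encrypted(path: str) -> bool:
    """True if the file's final extension matches the reported pattern."""
    return bool(RAGNAR_EXT.match(PureWindowsPath(path).suffix))


def triage(paths):
    """Return (matching paths, Counter of matches per parent directory)."""
    hits = [p for p in paths if is_ragnar_encrypted(p)]
    per_dir = Counter(str(PureWindowsPath(p).parent) for p in hits)
    return hits, per_dir


# Constructed sample listing (not real incident data).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.ragnar_1A2B3C4D",
    r"C:\Users\alice\Documents\notes.docx.ragn@r_9F8E7D6C",
    r"C:\Users\alice\Documents\ragnar_notes.txt",   # name only, not extension
    r"C:\Users\bob\Desktop\plan.pdf",
    r"D:\Shares\finance\q1.csv.RAGNAR_0011AABB",
    r"C:\Users\bob\Desktop\report.ragnar_",         # prefix with no tail
]

if __name__ == "__main__":
    hits, per_dir = triage(SAMPLE_LISTING)
    # Directories with the most matches show where encryption reached.
    for directory, count in per_dir.most_common():
        print(f"{count:3d} matching file(s) in {directory}")
```
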

On top of the usual ransom demand to decrypt the files it encrypted, the ransomware threatens to publicize the data it stole from the victim if the ransom demand is not met. The RagnarLocker threat actors also add pressure on the victim to pay the ransom by performing a DDoS (Distributed Denial of Service) attack against the victim.

One notable thing about this ransomware is that it has code to check the location of the computer before the encryption process starts. If the computer is located in Russia, Azerbaijan, Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Turkmenistan, Uzbekistan or Ukraine, the ransomware terminates itself.

What are the Mitigations for RagnarLocker Ransomware?

The following are the mitigations recommended by the FBI:

  • Back-up critical data offline.
  • Ensure copies of critical data are in the cloud or on an external hard drive or storage device. This information should not be accessible from the compromised network.
  • Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the data resides.
  • Use multi-factor authentication with strong passwords, including for remote access services.
  • Keep computers, devices, and applications patched and up-to-date.
  • Monitor cyber threat reporting regarding the publication of compromised VPN login credentials and change passwords and settings.
  • Consider adding an email banner to emails received from outside your organization.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Implement network segmentation.

What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against RagnarLocker ransomware:

All network IOCs are blocked by the WebFiltering client.


Traffic Light Protocol

TLP:RED: Not for disclosure, restricted to participants only.
  • When should it be used? Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused.
  • How may it be shared? Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP:AMBER: Limited disclosure, restricted to participants’ organizations.
  • When should it be used? Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.
  • How may it be shared? Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP:GREEN: Limited disclosure, restricted to the community.
  • When should it be used? Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.
  • How may it be shared? Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP:WHITE: Disclosure is not limited.
  • When should it be used? Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.
  • How may it be shared? Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.