{"description": "Enterprise techniques used by Ragnar Locker, ATT&CK software S0481 (v1.2)", "name": "Ragnar Locker (S0481)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Ragnar Locker](https://attack.mitre.org/software/S0481) has used cmd.exe and batch scripts to execute commands.(Citation: Sophos Ragnar May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[Ragnar Locker](https://attack.mitre.org/software/S0481) has used sc.exe to create a new service for the VirtualBox driver.(Citation: Sophos Ragnar May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1486", "comment": "[Ragnar Locker](https://attack.mitre.org/software/S0481) encrypts files on the local machine and mapped drives prior to displaying a note demanding a ransom.(Citation: Sophos Ragnar May 2020)(Citation: Cynet Ragnar Apr 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.006", "comment": "[Ragnar Locker](https://attack.mitre.org/software/S0481) has used VirtualBox and a stripped Windows XP virtual machine to run itself. The use of a shared folder specified in the configuration enables [Ragnar Locker](https://attack.mitre.org/software/S0481) to encrypt files on the host operating system, including files on any mapped drives.(Citation: Sophos Ragnar May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.001", "comment": "[Ragnar Locker](https://attack.mitre.org/software/S0481) has attempted to terminate/stop processes and services associated with endpoint security products.(Citation: Sophos Ragnar May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1490", "comment": "[Ragnar Locker](https://attack.mitre.org/software/S0481) can delete volume shadow copies using vssadmin delete shadows /all /quiet.(Citation: Sophos Ragnar May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1120", "comment": "[Ragnar Locker](https://attack.mitre.org/software/S0481) may attempt to connect to removable drives and mapped network drives.(Citation: Sophos Ragnar May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1489", "comment": "[Ragnar Locker](https://attack.mitre.org/software/S0481) has attempted to stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted.(Citation: Sophos Ragnar May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.007", "comment": "[Ragnar Locker](https://attack.mitre.org/software/S0481) has been delivered as an unsigned MSI package that was executed with msiexec.exe.(Citation: Sophos Ragnar May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.010", "comment": "[Ragnar Locker](https://attack.mitre.org/software/S0481) has used regsvr32.exe to execute components of VirtualBox.(Citation: Sophos Ragnar May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[Ragnar Locker](https://attack.mitre.org/software/S0481) has used rundll32.exe to execute components of VirtualBox.(Citation: Sophos Ragnar May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1614", "comment": "Before executing malicious code, [Ragnar Locker](https://attack.mitre.org/software/S0481) checks the Windows API GetLocaleInfoW and doesn't encrypt files if it finds a former Soviet country.(Citation: FBI Ragnar Locker 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1569", "showSubtechniques": true}, {"techniqueID": "T1569.002", "comment": "[Ragnar Locker](https://attack.mitre.org/software/S0481) has used sc.exe to execute a service that it creates.(Citation: Sophos Ragnar May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Ragnar Locker", "color": "#66b1ff"}]}