Severity scale:  
  (97/100)

Remove RagnarLocker ransomware - Virus Files Removal - May 2020 update

removal by Julie Splinters - - | Type: Ransomware

RagnarLocker is a cryptovirus that targets enterprises and software companies and steals sensitive information

RagnarLocker ransomwareRagnarLocker ransomware is the threat that runs pre-deployment tasks and steals victims' files before encrypting data on the system, so private information can be uploaded publicly when the ransom is not paid. These attackers behind the threat are aiming to get as much money as possible, so once those files get encrypted, the ransom is demanded. The amount is asked in Bitcoin and can differ from 20 to 60BTC, hence huge companies as their targets.

Highly-targeted attacks use RSA-2048 encryption and change the original code of various files found on the network. Once that is done custom note gets developed which includes the name of the affected company and specific ransom amount set for the particular victim.

RagnarLocker ransomware virus developers generate the name of this text file according to the extension that is unique for each target and includes .rangnar and file marker. Ransomware terminates and disables various processes, especially security software and functions used for file backups. This particular locker targets remote management software used by managed service providers. Such applications provide remote support for people, so virus terminates any functions to avoid detection and termination of the attack.

The activity of this cryptovirus was first spotted in February when VGCARGO was targeted by the RagnarLocker virus.[1] However, malware developers seem to go for Big Game Hunting[2] tactics and continue their malicious deeds by attacking companies from various industry sectors, including EDP Renewables North America.[3]

Name RagnarLocker ransomware, Ragnar_Locker ransomware
Target Large businesses, enterprises, and software companies
File marker .ragnar_*** or .ragnar_<ID***. Every file extension is customized and includes particular Id generated for specific target
Encryption method Relies on RSA2048, but also uses the combined AES+RSA algorithm for encryption processes
Contact email hello_company@protonmail.com
Ransom note The note including contact information and further instructions contains the personalized message and gets named in the same pattern as the file marker RGNR_***.txt or RGNR_ .txt
Ransom amount Differs from 20 to 60 Bitcoin
Distribution Spam email campaigns include malicious files that trigger the drop of a ransomware executable that launches the encryption immediately. Legitimate looking emails state about financial data or notifications from known companies or services
Unique functions Attackers claim to steal data before encrypting files, so they can additionally blackmail people into paying the ransom. It is not known if that really happens, but such a feature becomes common for enterprise-targeting ransomware threats
Elimination You need to get a proper anti-malware tool for RagnarLocker ransomware removal, so all the related files and malicious applications can be deleted completely from the machine
Repair Malware like this can make big changes and damage crucial places of the OS, so you should repair these issues with the help of a proper system tool or cleaner like Reimage Reimage Cleaner Intego

There are no sources that completely confirm the relation between RagnarLocker ransomware and Ragnarok ransomware, but the name, tactics, and similarities are there. Both threats target companies, use similar patterns of extensions and ransom notes. The Locker may be a new and improved version of the first version that targeted Citrix and got discovered at the end of 2019.

RagnarLocker ransomware developers claim that they have some pre-deployment tasks that get executed before encrypting files found on the system. One of the processes involves stealing personal data and storing particular files on their servers, so when the victim is refusing to pay the demanded amount, all those details get released publicly, exposing valuable and sensitive data.

When criminals are ready, the main function of RagnarLocker ransomware is started – file encryption. In most cases, RSA-2048 is the method used for the file-locking. Before encrypting virus checks the location of the affected devices, so people from Russia, Azerbaijan, Armenia, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Turkmenistan, Uzbekistan, and Ukraine can be excluded.

RagnarLocker ransomware also checks Windows services running on the machine, so processes with certain strings can be stopped. This is the common method used by threats like this because it is the method that helps to avoid virus detection and termination. These strings include:

  • vss
  • sql
  • memtas
  • mepocs
  • sophos
  • veeam
  • backup
  • pulseway
  • logme
  • logmein
  • connectwise
  • splashtop
  • kaseya.

These activities and additional features that malware has, affect the persistence and processes like RagnarLocker ransomware removal significantly. Also, since recovery options, software, and features get disabled, it becomes more difficult to recover after the attack. Unfortunately, the malware runs WMIC.exe shadowcopy delete command and removes Shadow Volume Copies that can be useful for file restoring.  RagnarLocker ransomware virusRagnarLocker ransomware - a virus that shows the personalized ransom note on the screen after the encryption process. Unfortunately, RagnarLocker ransomware is one of the most dangerous threats that can be found on the internet because these attacks involve money extortion.[4] Since money is the main goal of such threats, large targets are more attractive. There are no vulnerabilities in the coding and encryption methods, so this threat cannot be decrypted. 

You need a proper anti-malware tool that could detect and terminate the virus for you. When it comes to enterprises, professional security experts need to remove RagnarLocker ransomware completely off of the network since any connected device can get affected by the virus or even damaged. 

When the encryption is successfully done, RagnarLocker ransomware creates a unique ransom note and releases the personalized message for the people from the affected company. The message states about encryption, cryptocurrency addresses, contact information. Also, developers provide TOX chad ID that should help to communicate with them and the email address, but the first one is not working.

RagnarLocker virus ransom note:

Hello * !

********************

 If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED
                             
                                              by RAGNAR_LOCKER !

********************

*********What happens with your system ?************

Your network was penetrated, all your files and backups was locked! So from now there is NO ONE CAN HELP YOU to get your files back, EXCEPT US.
You can google it, there is no CHANCES to decrypt data without our SECRET KEY.

But don't worry ! Your files are NOT DAMAGED or LOST, they are just MODIFIED. You can get it BACK as soon as you PAY.
We are looking only for MONEY, so there is no interest for us to steel or delete your information, it's just a BUSINESS $-)

HOWEVER you can damage your DATA by yourself if you try to DECRYPT by any other software, without OUR SPECIFIC ENCRYPTION KEY !!!

Also, all of your sensitive and private information were gathered and if you decide NOT to pay,
we will upload it for public view !

****

***********How to get back your files ?******

To decrypt all your files and data you have to pay for the encryption KEY :

BTC wallet for payment: *
Amount to pay (in Bitcoin): 25

****

***********How much time you have to pay?**********

* You should get in contact with us within 2 days after you noticed the encryption to get a better price.

* The price would be increased by 100% (double price) after 14 Days if there is no contact made.
 
* The key would be completely erased in 21 day if there is no contact made or no deal made.
Some sensetive information stolen from the file servers would be uploaded in public or to re-seller.

****

***********What if files can't be restored ?******

To prove that we really can decrypt your data, we will decrypt one of your locked files !
Just send it to us and you will get it back FOR FREE.

The price for the decryptor is based on the network size, number of employees, annual revenue.
Please feel free to contact us for amount of BTC that should be paid.

****

! IF you don't know how to get bitcoins, we will give you advise how to exchange the money.

!!!!!!!!!!!!!
! HERE IS THE SIMPLE MANUAL HOW TO GET CONTCAT WITH US !
!!!!!!!!!!!!!

1) Go to the official website of TOX messenger ( hxxps://tox.chat/download.html )

2) Download and install qTOX on your PC, choose the platform ( Windows, OS X, Linux, etc. )

3) Open messenger, click “New Profile” and create profile.

4) Click “Add friends” button and search our contact *

5) For identification, send to our support data from —RAGNAR SECRET—

IMPORTANT ! IF for some reasons you CAN'T CONTACT us in qTOX, here is our reserve mailbox ( * ) send a message with a data from —RAGNAR SECRET—

WARNING!

-Do not try to decrypt files with any third-party software (it will be damaged permanently)
-Do not reinstall your OS, this can lead to complete data loss and files cannot be decrypted. NEVER!
-Your SECRET KEY for decryption is on our server, but it will not be stored forever. DO NOT WASTE TIME !

********************

—RAGNAR SECRET—
*
—RAGNAR SECRET—

********************

Paying the ransom is never the best answer, experts[5] always note that there is no need to even consider paying the amount that RagnarLocker ransomware or any other cryptovirus creators ask of you. You can get additional malware sent to you via the email or asked to pay more after one transfer.

Even though RagnarLocker ransomware mainly targets large companies and is focused on English-speaking people it can freely get on everyday user devices in any country all over the world, so you should be extremely cautious and pay attention to all the listed features and tips that we gathered.

The middle of April 2020 could be called a new step in Ragnar Locker creators career as they were spotted to invade a giant company of Portugal – Energias de Portugal. The Portuguese electric utility company which is located in Lisbon is a very important electricity and gas supplier in the region. The criminals were not ashamed to ask for a 10 million Euro ransom to give up the encrypted Tb's of the companies data. 

In case you have noticed some suspicious activity on your computer, do not wait for the ransom notes to come. Rely on the anti-malware tool and scan the machine to make sure there are no viruses interrupting your PC. If needed, get a PC repair program like Reimage Reimage Cleaner Intego and get rid of the virus damage.

RagnarLocker cryptovirusRagnarLocker ransomware is the cryptovirus that configures a particular extension for encoded data that includes .ragnar and unique code. After this, the same pattern with victims' ID is used to name the ransom note file.

Stay away from emails with attached files

Email campaigns spread a handful of different threats and can lead to various malware infections when you don't pay enough attention to the content and sources of the notifications. In most cases, those emails may seem legitimate and safe when the sender is a particular service or company that you know and trust. Don't fall for such tricks. 

Pay attention to the particular sender and the type of files attached. Financial information, order details, receipts, and other sensitive data shouldn't end up on your email box when you don't use the service. So keep suspicions and avoid opening emails that are not expected.

Malicious macros can get loaded on these MS files and similar data that gets attached to safe-looking emails. Once the file is downloaded and opened on the machine, the suggestion to enable additional content shows up on the screen. After that, the malicious script gets loaded on the computer, and encryption starts. Delete emails without clicking on any links or attachments.

You need a clean system before you can do anything related to RagnarLocker virus encrypted files

You need to note that RagnarLocker ransomware virus is not only affecting large companies but also can get on devices of users all over the globe without any effort. This is more dangerous because of the advanced methods and techniques used by the threat actors. 

The most important thing is the fact that malware gets persistent due to all the additional changes in system folders, settings and added programs, entries on the registry, and so on. For that reason, you not only need to remove RagnarLocker ransomware, but you should also repair those issues and get rid of the virus damage.

Get SpyHunter 5Combo Cleaner, or Malwarebytes for the proper RagnarLocker ransomware removal and then run Reimage Reimage Cleaner Intego as a PC repair application and clean any traces or fix affected parts of the malware. Make sure to pay attention to the AV tool delivered results and detection rates, follow the suggested steps and clean possible intruders. You need to get back to a properly cleaned machine before you even consider file restoring.

Offer
do it now!
Download
Reimage Happiness
Guarantee
Download
Intego Happiness
Guarantee
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove RagnarLocker virus, follow these steps:

Remove RagnarLocker using Safe Mode with Networking

Reboot the system in Safe Mode with Networking and then run the AV tool that can remove RagnarLocker ransomware virus from the machine for you

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove RagnarLocker

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete RagnarLocker removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove RagnarLocker using System Restore

System Restore feature can be used to get rid of the RagnarLocker ransomware because this function allows recovering the machine in a previous state

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of RagnarLocker. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that RagnarLocker removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove RagnarLocker from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by RagnarLocker, you can use several methods to restore them:

Data Recovery Pro is the program that gives the opportunity to recover your files after the encryption process of RagnarLocker ransomware virus

You can restore affected files with the help of this program. Encrypted, deleted or damaged data can be used again after the Data Recovery Pro restoring

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by RagnarLocker ransomware;
  • Restore them.

Windows Previous Versions feature helps with files encoded by the RagnarLocker virus

You can use Windows Previous Versions for your individual files when System Restore gets enabled in advance

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer – a method for file recovery

When RagnarLocker ransomware locks data but leaves Shadow Volume Copies untouched, you can go through restoring them using SdadowExplorer

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

RagnarLocker ransomware is not decryptable at the moment

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from RagnarLocker and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. It is a hassle when your website is protected from suspicious connections and unauthorized IP addresses.

The best solution for creating a tighter network could be a dedicated/fixed IP address. If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for server or network manager that need to monitor connections and activities. This is how you bypass some of the authentications factors and can remotely use your banking accounts without triggering suspicious with each login. 

VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world. It is better to clock the access to your website from different IP addresses. So you can keep the project safe and secure when you have the dedicated IP address VPN and protected access to the content management system.

Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various circumstances, malware is also one of the main culprits that can cause loss of pictures, documents, videos, and other important files. Potentially unwanted programs may clear files that keep the application from running smoothly.

More serious malware infections lead to significant data loss when your documents, system files, or images get locked. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them. Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system.

In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 

 

About the author

Julie Splinters
Julie Splinters - Malware removal specialist

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Julie Splinters
About the company Esolutions

References