Cyber Security News

Ragnar Loader Used by Multiple Ransomware Groups to Bypass Detection

Ragnar Loader, a toolkit associated with the Ragnar Locker ransomware group, has been used in targeted attacks on organizations since it first appeared in 2020.

The loader is part of the Monstrous Mantis ransomware ecosystem and is built to keep persistent access to compromised systems so that follow-on operations can continue after the initial compromise.

Ragnar Loader relies on multi-layered obfuscation, runtime decryption routines, and several persistence mechanisms to evade detection and survive on a host.

Figure: new code block that appears after decryption.

The Ragnar Loader toolkit includes several critical components, such as PowerShell scripts for remote desktop functionality, a pivoting script for lateral movement within networks, and a remote code execution script.

According to the Catalyst report, these scripts are deliberately obfuscated; they load binary payloads and perform process injection on the target system.

For instance, the RunScheduledTask.ps1 script achieves fileless persistence through WMI: it registers event filters that fire at set intervals and binds them to consumers that re-launch the malware, so the persistence lives in the WMI repository rather than in a file on disk.

Technical Analysis and Evasion Techniques

Ragnar Loader conceals its payloads and strings behind layers of encryption and encoding, RC4 and Base64 among them. These are chosen for concealment rather than cryptographic strength: RC4 is trivially reversed once the key is recovered from the loader, and Base64 needs no key at all.

It employs sophisticated process injection strategies to establish stealthy control over compromised systems.

The malware utilizes a .NET loader that decrypts byte arrays by first decompressing them and then applying RC4 decryption.

The execution is handed over to shellcode, which exhibits self-modifying behavior and integrates anti-analysis techniques to hinder detection and analysis.
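The decompress-then-RC4 unpacking step described above, written out as an added analyst helper (this is not the loader's own code, nor Catalyst's). The report does not name the compression format or the key, so the DEFLATE family, the Base64 wrapping, and the sample key and payload below are assumptions; the helper also tries the reverse order as a fallback, because the two are easy to confuse when reading decompiled .NET, and it accepts a result only when it starts with a PE 'MZ' header:

```python
"""Unpack an embedded blob the way the article describes for Ragnar Loader's .NET stage:
decompress, then RC4-decrypt. Added example code, not the malware's or Catalyst's code.
Assumptions: DEFLATE-family compression, Base64 wrapping, and the constructed key/payload."""
import base64
import gzip
import zlib
from typing import Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: one call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def try_decompress(blob: bytes) -> Optional[bytes]:
    """Try gzip/zlib (auto-detected via wbits=47) and raw DEFLATE (wbits=-15)."""
    for wbits in (47, -15):
        try:
            return zlib.decompress(blob, wbits)
        except zlib.error:
            continue
    return None


def _decompress_then_rc4(blob: bytes, key: bytes) -> Optional[bytes]:
    plain = try_decompress(blob)
    return None if plain is None else rc4(key, plain)


def _rc4_then_decompress(blob: bytes, key: bytes) -> Optional[bytes]:
    return try_decompress(rc4(key, blob))


# The article's order first, the reverse as a fallback.
ORDERS = (("decompress->rc4", _decompress_then_rc4),
          ("rc4->decompress", _rc4_then_decompress))


def unpack(blob: bytes, key: bytes, magic: bytes = b"MZ") -> Optional[Tuple[str, bytes]]:
    """Return (order_used, payload), or None. Requiring `magic` guards against an inflate
    call that 'succeeds' on ciphertext and hands back garbage."""
    for name, step in ORDERS:
        result = step(blob, key)
        if result is not None and result.startswith(magic):
            return name, result
    return None


def unpack_b64(text: str, key: bytes, magic: bytes = b"MZ") -> Optional[Tuple[str, bytes]]:
    """Same, for a Base64-wrapped blob (the article mentions Base64 alongside RC4)."""
    return unpack(base64.b64decode(text), key, magic)


# Constructed sample, not a real Ragnar Loader artifact: a fake PE-like payload and a made-up key.
SAMPLE_KEY = b"example-rc4-key"
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode." + b"\x00" * 200


def make_sample(order: str = "decompress->rc4") -> str:
    """Pack SAMPLE_PAYLOAD in the inverse of the given unpack order and Base64-encode it."""
    if order == "decompress->rc4":
        packed = gzip.compress(rc4(SAMPLE_KEY, SAMPLE_PAYLOAD))   # encrypt, then compress
    else:
        packed = rc4(SAMPLE_KEY, gzip.compress(SAMPLE_PAYLOAD))   # compress, then encrypt
    return base64.b64encode(packed).decode()


if __name__ == "__main__":
    for order in ("decompress->rc4", "rc4->decompress"):
        found = unpack_b64(make_sample(order), SAMPLE_KEY)
        print(order, "->", found[0] if found else "not recovered")
```

In a real extractor the key is read out of the decompiled .NET loader (or brute-forced from a short candidate list), and the magic check can be widened to shellcode prologues once the loader is known to hand off to raw shellcode rather than a PE.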

Figure: decryption routine of the shellcode.

The shellcode dynamically decrypts strings during runtime and intentionally flattens the control flow of critical functions to obscure logic.

Despite these measures, tools such as FLOSS (for stack strings and other decoded strings) and the D-810 IDA plugin (for flattened control flow) can undo the obfuscation, letting analysts recover the original strings and restore the original control flow.

The backdoor can accept multiple commands from the command and control server, including loading DLL plugins, executing shellcode, and exfiltrating file contents.

Impact and Persistence

Ragnar Loader’s persistence mechanisms are particularly noteworthy.

It uses scheduled tasks and WMI event subscriptions to keep running on compromised systems.

The malware injects its payload into legitimate Windows processes, such as WmiPrvSE.exe (the WMI provider host, present on every Windows machine), so that its activity blends into normal system operation.
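Hunting logic for the two behaviours described here and in the RunScheduledTask.ps1 paragraph above: timer-driven WMI event subscriptions (filter bound to a command or script consumer) and threads created in WmiPrvSE.exe by an unexpected process. This is an added example, not Catalyst's or the malware's code. The input is constructed Sysmon-style events (IDs 19/20/21 for WMI filter, consumer and binding; ID 8 for CreateRemoteThread) as JSON lines; the field names follow Sysmon's schema, the contents and the allowlist are invented for the demo:

```python
"""Flag timer-driven WMI subscriptions and remote threads into WmiPrvSE.exe.
Added example, not the article's or the malware's code. Sample events are constructed."""
import json
import re
from typing import Dict, List

# WMI triggers that fire on a clock rather than on a real system event.
TIMER_FILTER = re.compile(
    r"__IntervalTimerInstruction|__AbsoluteTimerInstruction|__TimerEvent|"
    r"Win32_LocalTime|Win32_UTCTime|Win32_PerfFormattedData_PerfOS_System",
    re.IGNORECASE,
)
# Sysmon reports consumer Type as e.g. "Command Line" / "Script"; class names are accepted too.
SUSPICIOUS_CONSUMER = re.compile(r"command\s*line|active\s*script|script", re.IGNORECASE)
LOLBIN = re.compile(r"powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|-enc",
                    re.IGNORECASE)
NAME_IN_REF = re.compile(r'Name="([^"]+)"')
# Source images allowed to start threads in WmiPrvSE.exe (assumption for the demo; tune per estate).
REMOTE_THREAD_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\svchost.exe"}


def _ref_name(ref: str) -> str:
    """Sysmon 21 references look like 'CommandLineEventConsumer.Name="X"'; return X."""
    m = NAME_IN_REF.search(ref)
    return m.group(1) if m else ref


def hunt(lines: List[str]) -> List[Dict]:
    events = [json.loads(line) for line in lines if line.strip()]
    filters, consumers, findings = {}, {}, []
    # Pass 1: collect definitions so bindings resolve regardless of event order.
    for ev in events:
        if ev.get("EventID") == 19 and ev.get("Operation") == "Created":
            filters[ev["Name"]] = ev.get("Query", "")
        elif ev.get("EventID") == 20 and ev.get("Operation") == "Created":
            consumers[ev["Name"]] = (ev.get("Type", ""), ev.get("Destination", ""))
    # Pass 2: score each binding; a timer filter alone is noisy, so require two indicators.
    for ev in events:
        eid = ev.get("EventID")
        if eid == 21 and ev.get("Operation") == "Created":
            fname, cname = _ref_name(ev["Filter"]), _ref_name(ev["Consumer"])
            query = filters.get(fname, "")
            ctype, dest = consumers.get(cname, ("", ""))
            reasons = []
            if TIMER_FILTER.search(query):
                reasons.append("timer/polling filter")
            if SUSPICIOUS_CONSUMER.search(ctype):
                reasons.append("command or script consumer")
            if LOLBIN.search(dest):
                reasons.append("interpreter in consumer command")
            if len(reasons) >= 2:
                findings.append({"type": "wmi_subscription", "filter": fname,
                                 "consumer": cname, "reasons": reasons, "command": dest})
        elif eid == 8:
            src, tgt = ev.get("SourceImage", ""), ev.get("TargetImage", "")
            if tgt.lower().endswith(r"\wbem\wmiprvse.exe") and src.lower() not in REMOTE_THREAD_ALLOWLIST:
                findings.append({"type": "remote_thread_into_wmiprvse", "source": src, "target": tgt})
    return findings


# Constructed Sysmon-style events: one malicious subscription, the default SCM subscription
# that ships with Windows (benign), one injection into WmiPrvSE.exe, one unrelated thread.
SAMPLE_LOG = r"""
{"EventID": 19, "Operation": "Created", "Name": "UpdateFilter", "EventNamespace": "root\\cimv2", "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Minute = 30"}
{"EventID": 20, "Operation": "Created", "Name": "UpdateConsumer", "Type": "Command Line", "Destination": "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgA"}
{"EventID": 21, "Operation": "Created", "Consumer": "CommandLineEventConsumer.Name=\"UpdateConsumer\"", "Filter": "__EventFilter.Name=\"UpdateFilter\""}
{"EventID": 19, "Operation": "Created", "Name": "SCM Event Log Filter", "EventNamespace": "root\\subscription", "Query": "select * from MSFT_SCMEventLogEvent"}
{"EventID": 20, "Operation": "Created", "Name": "SCM Event Log Consumer", "Type": "NT Event Log", "Destination": ""}
{"EventID": 21, "Operation": "Created", "Consumer": "NTEventLogEventConsumer.Name=\"SCM Event Log Consumer\"", "Filter": "__EventFilter.Name=\"SCM Event Log Filter\""}
{"EventID": 8, "SourceImage": "C:\\Users\\Public\\svc.exe", "TargetImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "StartAddress": "0x00000211A4B20000"}
{"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe", "StartAddress": "0x00007FF6C0E01000"}
"""

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG.splitlines()):
        print(json.dumps(finding))
```

The two-indicator threshold is deliberate: monitoring products register timer filters legitimately, and a script consumer by itself is not proof of anything, but the combination with an interpreter launch is how this family's persistence shows up. The same two-pass shape extends to Security event 4698 for the scheduled-task variant.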

This approach allows Ragnar Loader to maintain a long-term foothold within targeted environments, posing significant challenges to conventional security defenses and detection methodologies.

As a result, Ragnar Loader has become a critical tool for multiple ransomware groups seeking to bypass detection and maintain operational resilience in compromised systems.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
