
S0481: Ragnar Locker

Ragnar Locker is a ransomware that has been in use since at least December 2019.[1][2]

Enterprise | S0481 | Malware | Object v1.2 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Ragnar Locker is a Windows ransomware family documented by ATT&CK as in use since at least December 2019. Its ATT&CK relationships make it material for resilience planning because they include execution through the command shell and services, abuse of trusted Windows utilities, virtual-instance-based evasion, service stopping, recovery inhibition, and data encryption for impact. For leaders, the value is not just knowing the malware name; it is validating whether ransomware response, backup recovery, endpoint visibility, and service-control monitoring would still work when an operator tries to impair defenses and recovery paths.

Executive priority

Treat this as a ransomware readiness use case for Windows environments. Priority questions: can the organization detect suspicious use of Windows-native execution paths before encryption, prove backups and recovery mechanisms cannot be easily disabled, and maintain IR visibility if security tools or services are stopped? The FIN8 relationship in ATT&CK adds threat-intelligence relevance, but local risk should be based on exposed Windows systems, recovery maturity, monitoring depth, and business processes that cannot tolerate service interruption.

Technical view

SOC and IR teams should validate coverage across the ATT&CK-linked behaviors: Windows Command Shell execution, service creation or service-based execution, abuse of msiexec/regsvr32/rundll32 as proxy execution paths, peripheral and location discovery, running malicious operations in a virtual instance, stopping services, impairing tools, inhibiting recovery, and encryption impact. Because ATT&CK provides no official detection text for this malware object, detection engineering should be behavior-led rather than name-led, using the related techniques to build testable analytics and response playbooks.

Likely telemetry

  • Windows process creation events with command line arguments for cmd.exe, msiexec.exe, regsvr32.exe, rundll32.exe, sc.exe, net.exe, and service-control activity
  • Windows service creation, modification, start, stop, and deletion events
  • Endpoint security and EDR health telemetry, including service stops, sensor tampering, or loss of agent heartbeat
  • File-system telemetry showing high-volume file modification, encryption-like rename/write patterns, or access to local and remote drives
  • Backup and recovery telemetry, including shadow copy, backup catalog, recovery service, and backup agent changes or failures

Detection direction

  • Prioritize behavior chains over static malware naming because no official ATT&CK detection guidance is provided for Ragnar Locker.
  • Tune for suspicious parent-child process relationships and unusual command lines involving cmd.exe, msiexec.exe, regsvr32.exe, rundll32.exe, and service-management utilities, while accounting for legitimate software deployment and administration activity.
  • Correlate service stops, security-tool degradation, and recovery-inhibition events with subsequent large-scale file changes; individual events may be noisy, but the sequence is high-value for ransomware response.
  • Validate visibility inside or around virtualized execution paths, since the ATT&CK relationship to Run Virtual Instance indicates a potential blind spot when endpoint tools cannot observe activity within the guest environment.
  • Separate normal administrative service management from suspicious service execution by checking user context, host role, timing, command line, newly created service names, and whether actions occur across many systems.
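The telemetry list and detection direction above describe behavior-led analytics rather than signatures. The following is an added example, written for this page and not part of Glexia's or MITRE's material, that runs those analytics over constructed Sysmon-style event dicts. It assumes a minimal event schema (ts, host, type, image, parent, cmdline), a placeholder list of endpoint-security service-name substrings to be replaced by the local baseline, command-line regexes that generalize the procedure text in the relationship table below, and a 600-second window with a 50-file threshold for the precursor-to-encryption chain; technique IDs are the ones listed on this page. Host names, paths, and service names in the sample are made up.

```python
"""Behavior-led detections for the ATT&CK-linked Ragnar Locker behaviors.

Runs over constructed, Sysmon-style event dicts (not real telemetry): flags
single suspicious events and the precursor -> mass-file-change chain.
Technique IDs are those listed on this page.
"""
import re
from collections import defaultdict

# Assumed substrings of endpoint-security service names; replace with the
# local baseline of real EDR/AV service names (example assumption).
SECURITY_SERVICE_HINTS = ("defender", "sense", "edr", "antivirus")

# (technique, label, image, command-line regex). The regexes generalise the
# procedure text on this page; they are this example's own, not ATT&CK analytics.
PROCESS_RULES = [
    ("T1490", "shadow copy deletion", "vssadmin.exe",
     re.compile(r"delete\s+shadows\b.*(/all|/quiet)", re.I)),
    ("T1543.003", "service created with sc.exe", "sc.exe", re.compile(r"\bcreate\b", re.I)),
    ("T1569.002", "service started with sc.exe", "sc.exe", re.compile(r"\bstart\b", re.I)),
    ("T1218.010", "regsvr32 loading a VirtualBox component", "regsvr32.exe",
     re.compile(r"v(irtual)?box", re.I)),
    ("T1218.011", "rundll32 loading a VirtualBox component", "rundll32.exe",
     re.compile(r"v(irtual)?box", re.I)),
    ("T1218.007", "msiexec installing from a user-writable path", "msiexec.exe",
     re.compile(r'/i\s+"?[a-z]:\\(users|windows\\temp)\\', re.I)),
]
PRECURSORS = {"T1490", "T1489", "T1685"}   # defense/recovery impairment steps


def classify_service_stop(cmdline):
    """Split `sc/net stop <name>` into security-tool tampering vs. generic stop."""
    m = re.search(r'\bstop\s+"?([^\s"]+)', cmdline, re.I)
    if not m:
        return None
    name = m.group(1)
    if any(h in name.lower() for h in SECURITY_SERVICE_HINTS):
        return ("T1685", f"security-tool service stopped: {name}")
    return ("T1489", f"service stopped: {name}")


def score_process(ev):
    """Return (technique, label) findings for one process-creation event."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    parent = (ev.get("parent") or "").rsplit("\\", 1)[-1].lower()
    cmd = ev.get("cmdline", "")
    findings = [(t, lbl) for t, lbl, img, pat in PROCESS_RULES
                if image == img and pat.search(cmd)]
    # Parent-child context: a shell spawned by the installer rather than a user.
    if image == "cmd.exe" and parent == "msiexec.exe":
        findings.append(("T1059.003", "cmd.exe spawned by msiexec.exe"))
    if image in ("sc.exe", "net.exe"):
        stop = classify_service_stop(cmd)
        if stop:
            findings.append(stop)
    return findings


def run_detection(events, window=600, file_threshold=50):
    """Score events and, per host, correlate the first precursor with the
    number of file modifications inside `window` seconds after it."""
    findings, precursors, file_ts = [], defaultdict(list), defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "process":
            for tech, label in score_process(ev):
                findings.append((ev["ts"], ev["host"], tech, label))
                if tech in PRECURSORS:
                    precursors[ev["host"]].append(ev["ts"])
        elif ev["type"] == "file":
            file_ts[ev["host"]].append(ev["ts"])
    chains = []
    for host, stamps in precursors.items():
        first = stamps[0]
        n = sum(1 for t in file_ts[host] if first <= t <= first + window)
        if n >= file_threshold:   # single events are noisy; the sequence is not
            chains.append((host, first, n))
    return {"findings": findings, "chains": chains}


def sample_events():
    """Constructed sample telemetry; hosts, paths and service names are made up."""
    def proc(ts, host, image, cmdline, parent=None):
        return {"ts": ts, "host": host, "type": "process", "parent": parent,
                "image": "C:\\Windows\\System32\\" + image, "cmdline": cmdline}
    events = [
        proc(100, "WS-01", "msiexec.exe", r'msiexec.exe /i "C:\Users\Public\update.msi" /qn'),
        proc(120, "WS-01", "cmd.exe", r"cmd.exe /c install.bat", parent="msiexec.exe"),
        proc(130, "WS-01", "regsvr32.exe", r"regsvr32.exe /S C:\ProgramData\VirtualBox\VBoxC.dll"),
        proc(140, "WS-01", "sc.exe", r"sc.exe create VBoxDRV binpath= C:\ProgramData\VirtualBox\VBoxDrv.sys type= kernel"),
        proc(150, "WS-01", "sc.exe", r"sc.exe start VBoxDRV"),
        proc(160, "WS-01", "sc.exe", r"sc.exe stop ExampleEdrAgent"),
        proc(170, "WS-01", "vssadmin.exe", r"vssadmin.exe delete shadows /all /quiet"),
        proc(200, "ADMIN-02", "sc.exe", r"sc.exe stop Spooler"),   # routine admin restart
    ]
    # 80 file writes on WS-01 right after recovery inhibition; 3 on ADMIN-02.
    events += [{"ts": 180 + i, "host": "WS-01", "type": "file", "path": f"docs/file{i}.locked"} for i in range(80)]
    events += [{"ts": 210 + i, "host": "ADMIN-02", "type": "file", "path": f"spool/job{i}.spl"} for i in range(3)]
    return events


if __name__ == "__main__":
    result = run_detection(sample_events())
    for row in result["findings"]:
        print(row)
    print("chains:", result["chains"])
```

On the sample, WS-01 produces seven single-event findings and one chain (first precursor at t=160 followed by 80 file writes), while ADMIN-02's routine `sc stop Spooler` yields only a low-value T1489 finding and no chain, which is the point of correlating the sequence rather than alerting on each service stop. The window, threshold, and service-name hints are starting values to be tuned against the local administrative baseline.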

Mitigation priorities

  • Start with recoverability: maintain tested, segregated, and access-controlled backups and verify that recovery mechanisms cannot be disabled by ordinary administrative compromise.
  • Harden and monitor Windows service control paths, including service creation, service execution, and service stop activity on critical systems.
  • Reduce abuse of trusted Windows utilities through application control, least privilege, and monitoring for abnormal use of msiexec, regsvr32, rundll32, and command shell activity.
  • Protect security tooling from tampering by enforcing privileged access controls, alerting on sensor health changes, and rehearsing operations during degraded visibility.
  • Segment and prioritize monitoring for systems whose service interruption would create the highest business impact.

Analyst notes and limits

This take is based on ATT&CK object S0481, its official description, external references, and supplied relationships. Ragnar Locker is represented as Windows malware, while some related ATT&CK techniques list broader platforms; defensive validation should be scoped first to the organization’s Windows estate and then expanded only where local evidence supports it. The relationship to FIN8 indicates ATT&CK-documented use by that group, but it should not be treated as definitive attribution in an investigation without corroborating evidence.

ATT&CK does not provide official detection text, aliases, labels, or malware-level tactics for this object in the supplied fields. The guidance therefore remains behavior-oriented and must be validated against local telemetry, administrative baselines, backup architecture, and endpoint-control capabilities. No claim is made that a specific organization is exposed or that any control will guarantee detection or prevention.

Official MITRE ATT&CK definition

Ragnar Locker

Ragnar Locker is a ransomware that has been in use since at least December 2019.[1][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

13 rows

Domain | ID | Name | Relationship / procedure

Enterprise T1486 Data Encrypted for Impact

Ragnar Locker encrypts files on the local machine and mapped drives prior to displaying a note demanding a ransom. (Citation: Sophos Ragnar May 2020) (Citation: Cynet Ragnar Apr 2020)

Enterprise T1490 Inhibit System Recovery

Ragnar Locker can delete volume shadow copies using vssadmin delete shadows /all /quiet. (Citation: Sophos Ragnar May 2020)

Enterprise T1685 Disable or Modify Tools

Ragnar Locker has attempted to terminate/stop processes and services associated with endpoint security products. (Citation: Sophos Ragnar May 2020)

Enterprise T1569.002 Service Execution (Sub-technique)

Ragnar Locker has used sc.exe to execute a service that it creates. (Citation: Sophos Ragnar May 2020)

Enterprise T1059.003 Windows Command Shell (Sub-technique)

Ragnar Locker has used cmd.exe and batch scripts to execute commands. (Citation: Sophos Ragnar May 2020)

Enterprise T1564.006 Run Virtual Instance (Sub-technique)

Ragnar Locker has used VirtualBox and a stripped Windows XP virtual machine to run itself. The use of a shared folder specified in the configuration enables Ragnar Locker to encrypt files on the host operating system, including files on any mapped drives. (Citation: Sophos Ragnar May 2020)

Enterprise T1489 Service Stop

Ragnar Locker has attempted to stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted. (Citation: Sophos Ragnar May 2020)

Enterprise T1614 System Location Discovery

Before executing malicious code, Ragnar Locker checks the Windows API GetLocaleInfoW and doesn't encrypt files if it finds a former Soviet country. (Citation: FBI Ragnar Locker 2020)

Enterprise T1218.010 Regsvr32 (Sub-technique)

Ragnar Locker has used regsvr32.exe to execute components of VirtualBox. (Citation: Sophos Ragnar May 2020)

Enterprise T1543.003 Windows Service (Sub-technique)

Ragnar Locker has used sc.exe to create a new service for the VirtualBox driver. (Citation: Sophos Ragnar May 2020)

Enterprise T1218.007 Msiexec (Sub-technique)

Ragnar Locker has been delivered as an unsigned MSI package that was executed with msiexec.exe. (Citation: Sophos Ragnar May 2020)

Enterprise T1218.011 Rundll32 (Sub-technique)

Ragnar Locker has used rundll32.exe to execute components of VirtualBox. (Citation: Sophos Ragnar May 2020)

Enterprise T1120 Peripheral Device Discovery

Ragnar Locker may attempt to connect to removable drives and mapped network drives. (Citation: Sophos Ragnar May 2020)

Associated objects

Groups, software, and campaigns

Group (Enterprise)

G0061: FIN8

FIN8 is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected FIN8 switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.[1][2][3][4]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: 6aa3a3fac6c5a6c6...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.2 | | Current bundle | 6aa3a3fac6c5…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Sophos Ragnar May 2020: SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.
  2. [2] Cynet Ragnar Apr 2020: Gold, B. (2020, April 27). Cynet Detection Report: Ragnar Locker Ransomware. Retrieved June 29, 2020.
  3. [3] mitre-attack S0481.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.