Cybersecurity researchers have unveiled intricate details about Ragnar Loader, a sophisticated and continually evolving suite of malicious tools actively employed by cybercriminal groups such as Ragnar Locker (Monstrous Mantis), FIN7, FIN8, and Ruthless Mantis (formerly REvil).
According to the Swiss cybersecurity firm PRODAFT, Ragnar Loader plays a pivotal role in ensuring long-term persistence within compromised systems, allowing attackers to stealthily entrench themselves within victims’ networks. The tool’s developers continuously introduce new modules and enhancements, making it increasingly elusive to detection.
Although Ragnar Loader is closely associated with the Ragnar Locker group, it remains unclear whether they are its primary operators or merely lease the tool from another entity. What is certain, however, is that the malware is undergoing active development, becoming more modular and increasingly resistant to detection mechanisms.
The existence of Ragnar Loader was first documented in August 2021, when researchers from Bitdefender identified its use in a failed attack by FIN8 against an unnamed financial institution in the United States. However, traces of its deployment date back as early as 2020. In July 2023, security analysts at Symantec observed an updated variant of Ragnar Loader, which had been leveraged to distribute the now-defunct BlackCat ransomware.
One of Ragnar Loader’s defining capabilities is its ability to maintain prolonged access within victim networks. It achieves this through a sophisticated arsenal of evasion techniques, including PowerShell-based payload execution, RC4 and Base64 encryption, and advanced process injection methods. These measures enable attackers to remain undetected while maintaining persistent control over infected systems.
Ragnar Loader is distributed to affiliated hacker groups as a comprehensive archive containing modules for remote administration, privilege escalation, and desktop access facilitation. The malware can execute commands issued by operators via a command-and-control (C2) panel and is equipped with tools designed to circumvent security analysis mechanisms.
Additionally, the malware supports DLL plugins and shellcode execution and possesses the ability to read and exfiltrate files from compromised devices. To facilitate lateral movement within a network, Ragnar Loader deploys a secondary PowerShell script, enabling covert access to additional nodes.
Furthermore, PRODAFT researchers identified a Linux-based executable within Ragnar Loader, named “bc”, specifically designed to establish remote connections with infected systems. Its functionality closely resembles BackConnect modules found in other notorious malware strains, such as QakBot and IcedID, allowing attackers to execute commands directly. This tactic is frequently employed in corporate network intrusions, where devices are often segmented and isolated from one another.
The malware continues to evolve, incorporating increasingly advanced encryption, obfuscation, and defense evasion techniques. These advancements cement Ragnar Loader as a critical component within the modern ransomware ecosystem, significantly bolstering attackers’ resilience against detection and mitigation efforts.
