Ragnar Locker Ransomware Strikes Computer Memory and Storage Company ADATA

You are currently viewing Ragnar Locker Ransomware Strikes Computer Memory and Storage Company ADATA

Ragnar Locker Ransomware has struck against Taiwan-based memory and storage manufacturer ADATA, who were forced to take their systems offline after the attack. The attack occurred in May, and ADATA is still dealing with the fallout. ADATA is a publicly listed Taiwanese memory and storage manufacturer, founded in May 2001 by Simon Chen. Its main product line consists of DRAM modules, USB Flash drives, hard disk drives, solid-state drives, memory cards, and mobile accessories. ADATA is also expanding into new areas, including robotics and electric powertrain systems.

In addition to its main ADATA brand, the company also sells PC gaming hardware and accessories under its XPG (“Xtreme Performance Gear”) brand. In 2017 ADATA was the second-largest DRAM module manufacturer in the world and had a market capitalization of US$680 million. In recent years ADATA has extended its business to Europe and the Americas while competing strongly with Samsung in Asia.

The Ragnar Locker Ransomware infection as initially reported by BleepingComputer in June.

The Taiwanese memory manufacturer took down all impacted systems after detecting the attack and notified all relevant international authorities of the incident to help track down the attackers.

“ADATA was hit by a ransomware attack on May 23rd, 2021,” the company stated in an email.

ADATA’s business operations are no longer disrupted according to the memory maker, with affected devices being restored and services closing regular performance.

“The company successfully suspended the affected systems as soon as the attack was detected, and all following necessary efforts have been made to recover and upgrade the related IT security systems,” ADATA added.

“Gladly things are being moved toward the normal track, and business operations are not disrupted for corresponding contingency practices are effective.

“We are determined to devote ourselves making the system protected than ever, and yes, this will be our endless practice while the company is moving forward to its future growth and achievements.”

ADATA did not confirm what strain of ransomware hit them, but the attack has confirmed and claimed by the Ragnar Locker Ransomware gang afterward.

Ragnar Locker Ransomware claimed they stole 1.5TB of sensitive data from ADATA’s network before deploying the ransomware payloads.

At present, the gang has only posted screenshots of the files they took. They are threatening to leak the files fully if the ransom isn’t paid. According to the screenshots already posted by Ragnar Locker Ransomware on their dark web leak site, the attackers could collect and exfiltrate proprietary business information, confidential files, schematics, financial data, Gitlab and SVN source code, legal documents, employee info, NDAs, and work folders.

Ragnar Locker Ransomware
From the Ragnar Locker Ransomware Dark Web Site

Ragnar Locker Ransomware activity was first picked up on in December 2019.

On compromised enterprise endpoints, Ragnar Locker operators terminate remote management software (such as ConnectWise and Kaseya) used by managed service providers (MSPs) to manage clients’ systems remotely.

This allows the attackers to evade detection and ensure that admins logged in remotely do not block the payload deployment process.

The FBI warned private industry partners of increased Ragnar Locker Ransomware activity after an April 2020 attack that impacted the network of multinational energy giant Energias de Portugal (EDP).

Demands from Ragnar Locker Ransomware since its inception range from $200,000 to $600,000.

Ragnar Locker Ransomware Analysis


Note: This analysis was carried out by the Infosec Institute.

Ransomware in this line often disables some services as a way to bypass security protections and also database and backup systems to increase the impact of the attack. Also, database and mail services are stopped so that their data can be encrypted during the infection process.

One of the particularities that spotlight Ragnar Locker is that it is targeting specifically remote management software often used by managed service providers (MSPs), such as the popular ConnectWise and Kaseya software.

This data encryption malware infects computers based on their language settings. When first started, Ragnar Locker checks the configured Windows language preferences. This piece of malware terminates the process if the setting is configured as one of the former USSR countries.

After that, Ragnar Locker will begin the encryption process. When encrypting files, it will skip files in the following folders, file names and extensions.

Ragnar Locker adds the hardcoded extension “.ragnar_” appended to the end of the file name and “” is replaced by a generated and unique ID. All the available files inside physical drives are encrypted and, in the end, the notepad.exe process is opened and showing the ransom note file created on the victim’s system directory.

This ransomware is not equipped with a mechanism to detect whether the computer has already been compromised. A particularity is that if the malware reaches the same device more than once, it will encrypt the device over and over again. This can be seen below where Ragnar Locker Ransomware encrypts the files three times in a row.

Ragnar Locker and other mediatic ransomwares use several techniques and commands to damage the Windows shadow copies. With this process in place, repairing potential data encryption attacks is harder.

Inside the malware is hardcoded a link to a page with a countdown and the process to pay the ransom.


Ransomware is a serious online threat, one that is faced by businesses and families globally. It is critical that you use the right tools to keep your digital life protected. One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.

Leave a Reply