SYMBOLCOMMON_NAMEaka. SYNONYMS
win.ragnarok (Back to overview)

Ragnarok

VTCollection    

According to Bleeping Computer, the ransomware is used in targeted attacks against unpatched Citrix servers. It excludes Russian and Chinese targets using the system's Language ID for filtering. It also tries to disable Windows Defender and has a number of UNIX filepath references in its strings. Encryption method is AES using a dynamically generated key, then bundling this key up via RSA.

References
2022-06-23KasperskyDanila Nasonov, Natalya Shornikova, Nikita Nazarov, Vasily Davydov, Vladislav Burtsev
The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs
Conti Hive BlackByte BlackCat Clop LockBit Mespinoza Ragnarok
2022-03-17SophosTilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2021-08-26Bleeping ComputerIonut Ilascu
Ragnarok ransomware releases master decryptor after shutdown
Ragnarok
2021-05-10DarkTracerDarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-02-23CrowdStrikeCrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2020-05-21SophosSophosLabs Uncut
Asnarök attackers twice modified attack midstream
NOTROBIN Ragnarok
2020-05-04blackarrowBorja Merino
Ragnarok Stopper: development of a vaccine
Ragnarok
2020-01-28Bleeping ComputerLawrence Abrams
Ragnarok Ransomware Targets Citrix ADC, Disables Windows Defender
Ragnarok
2020-01-25Github (k-vitali)Vitali Kremez
Extracted Config for Ragnarok Ransomware
Ragnarok
Yara Rules
[TLP:WHITE] win_ragnarok_auto (20230808 | Detects win.ragnarok.)
rule win_ragnarok_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.ragnarok."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarok"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c1f906 57 6bf838 894df4 8b048d28754300 8b540718 8955ec }
            // n = 7, score = 200
            //   c1f906               | sar                 ecx, 6
            //   57                   | push                edi
            //   6bf838               | imul                edi, eax, 0x38
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   8b048d28754300       | mov                 eax, dword ptr [ecx*4 + 0x437528]
            //   8b540718             | mov                 edx, dword ptr [edi + eax + 0x18]
            //   8955ec               | mov                 dword ptr [ebp - 0x14], edx

        $sequence_1 = { 884219 0fb6461a 88421a 0fb6461b 88421b 0fb6461c 88421c }
            // n = 7, score = 200
            //   884219               | mov                 byte ptr [edx + 0x19], al
            //   0fb6461a             | movzx               eax, byte ptr [esi + 0x1a]
            //   88421a               | mov                 byte ptr [edx + 0x1a], al
            //   0fb6461b             | movzx               eax, byte ptr [esi + 0x1b]
            //   88421b               | mov                 byte ptr [edx + 0x1b], al
            //   0fb6461c             | movzx               eax, byte ptr [esi + 0x1c]
            //   88421c               | mov                 byte ptr [edx + 0x1c], al

        $sequence_2 = { c1e908 0fb6c9 c1e308 c1ea10 0fb689105c4300 33d9 8b4dfc }
            // n = 7, score = 200
            //   c1e908               | shr                 ecx, 8
            //   0fb6c9               | movzx               ecx, cl
            //   c1e308               | shl                 ebx, 8
            //   c1ea10               | shr                 edx, 0x10
            //   0fb689105c4300       | movzx               ecx, byte ptr [ecx + 0x435c10]
            //   33d9                 | xor                 ebx, ecx
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_3 = { 8bc8 2345a4 f7d1 234d9c 0bc8 c145980a }
            // n = 6, score = 200
            //   8bc8                 | mov                 ecx, eax
            //   2345a4               | and                 eax, dword ptr [ebp - 0x5c]
            //   f7d1                 | not                 ecx
            //   234d9c               | and                 ecx, dword ptr [ebp - 0x64]
            //   0bc8                 | or                  ecx, eax
            //   c145980a             | rol                 dword ptr [ebp - 0x68], 0xa

        $sequence_4 = { 0fb689104b4300 33d9 0fb6487e c1e308 0fb689104b4300 33d9 0fb6487d }
            // n = 7, score = 200
            //   0fb689104b4300       | movzx               ecx, byte ptr [ecx + 0x434b10]
            //   33d9                 | xor                 ebx, ecx
            //   0fb6487e             | movzx               ecx, byte ptr [eax + 0x7e]
            //   c1e308               | shl                 ebx, 8
            //   0fb689104b4300       | movzx               ecx, byte ptr [ecx + 0x434b10]
            //   33d9                 | xor                 ebx, ecx
            //   0fb6487d             | movzx               ecx, byte ptr [eax + 0x7d]

        $sequence_5 = { 8b7d08 0fb6ca 333c8d105d4300 8bcf 897d08 334814 894d08 }
            // n = 7, score = 200
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   0fb6ca               | movzx               ecx, dl
            //   333c8d105d4300       | xor                 edi, dword ptr [ecx*4 + 0x435d10]
            //   8bcf                 | mov                 ecx, edi
            //   897d08               | mov                 dword ptr [ebp + 8], edi
            //   334814               | xor                 ecx, dword ptr [eax + 0x14]
            //   894d08               | mov                 dword ptr [ebp + 8], ecx

        $sequence_6 = { 8b75dc 33f9 037dfc 81c64efd53a9 037d98 c1c209 }
            // n = 6, score = 200
            //   8b75dc               | mov                 esi, dword ptr [ebp - 0x24]
            //   33f9                 | xor                 edi, ecx
            //   037dfc               | add                 edi, dword ptr [ebp - 4]
            //   81c64efd53a9         | add                 esi, 0xa953fd4e
            //   037d98               | add                 edi, dword ptr [ebp - 0x68]
            //   c1c209               | rol                 edx, 9

        $sequence_7 = { c1c205 8b7dac 0bc8 034dd8 81c7dcbc1b8f 0355bc 03f9 }
            // n = 7, score = 200
            //   c1c205               | rol                 edx, 5
            //   8b7dac               | mov                 edi, dword ptr [ebp - 0x54]
            //   0bc8                 | or                  ecx, eax
            //   034dd8               | add                 ecx, dword ptr [ebp - 0x28]
            //   81c7dcbc1b8f         | add                 edi, 0x8f1bbcdc
            //   0355bc               | add                 edx, dword ptr [ebp - 0x44]
            //   03f9                 | add                 edi, ecx

        $sequence_8 = { 8b048528754300 c644032a0a 8b5d08 747f 8b45f8 8b5df0 8b048528754300 }
            // n = 7, score = 200
            //   8b048528754300       | mov                 eax, dword ptr [eax*4 + 0x437528]
            //   c644032a0a           | mov                 byte ptr [ebx + eax + 0x2a], 0xa
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   747f                 | je                  0x81
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b5df0               | mov                 ebx, dword ptr [ebp - 0x10]
            //   8b048528754300       | mov                 eax, dword ptr [eax*4 + 0x437528]

        $sequence_9 = { 8bf8 89bdb8feffff ff36 68???????? ff35???????? e8???????? 8b4810 }
            // n = 7, score = 200
            //   8bf8                 | mov                 edi, eax
            //   89bdb8feffff         | mov                 dword ptr [ebp - 0x148], edi
            //   ff36                 | push                dword ptr [esi]
            //   68????????           |                     
            //   ff35????????         |                     
            //   e8????????           |                     
            //   8b4810               | mov                 ecx, dword ptr [eax + 0x10]

    condition:
        7 of them and filesize < 483328
}
Download all Yara Rules