win.ragnarok

Ragnarok


According to Bleeping Computer, the ransomware is used in targeted attacks against unpatched Citrix ADC servers. It excludes Russian- and Chinese-language systems by checking the system's Language ID before encrypting. It also attempts to disable Windows Defender, and its strings contain a number of UNIX file-path references. Files are encrypted with AES using a dynamically generated key, which is then wrapped (encrypted) with RSA.

References
2021-02-23 · CrowdStrike · CrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon Ransomware BazarBackdoor Clop Cobalt Strike Conti Ransomware Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet Ransomware ShadowPad SmokeLoader Snake Ransomware SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader
2020-05-21 · Sophos · SophosLabs Uncut
@online{uncut:20200521:asnark:e0bcbbc, author = {SophosLabs Uncut}, title = {{Asnarök attackers twice modified attack midstream}}, date = {2020-05-21}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/05/21/asnarok2/}, language = {English}, urldate = {2020-05-23} } Asnarök attackers twice modified attack midstream
NOTROBIN Ragnarok
2020-01-28 · Bleeping Computer · Lawrence Abrams
@online{abrams:20200128:ragnarok:713a314, author = {Lawrence Abrams}, title = {{Ragnarok Ransomware Targets Citrix ADC, Disables Windows Defender}}, date = {2020-01-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/}, language = {English}, urldate = {2020-01-28} } Ragnarok Ransomware Targets Citrix ADC, Disables Windows Defender
Ragnarok
2020-01-25 · Github (k-vitali) · Vitali Kremez
@online{kremez:20200125:extracted:3eb7aef, author = {Vitali Kremez}, title = {{Extracted Config for Ragnarok Ransomware}}, date = {2020-01-25}, organization = {Github (k-vitali)}, url = {https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw}, language = {English}, urldate = {2020-01-28} } Extracted Config for Ragnarok Ransomware
Ragnarok
Yara Rules
[TLP:WHITE] win_ragnarok_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_ragnarok_auto {

    /*
     * Autogenerated code-sequence rule for the Ragnarok ransomware (win.ragnarok).
     * The rule keys on ten short x86 instruction-byte sequences ($sequence_0..9)
     * taken from unpacked / memory-dumped samples; it does NOT look at strings,
     * imports or PE structure, so it is a code-similarity signature rather than
     * an IOC match. See the DISCLAIMER below for the generalization caveat.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // Generation date of this rule revision (differs from malpedia_version,
        // which presumably names the Malpedia corpus snapshot used — verify).
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarok"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of consecutive x86 (32-bit) instruction bytes.
        // "??" wildcards mask the 4-byte operand of e8 (call rel32), 68 (push imm32)
        // and ff35 (push [abs32]) so the sequence is independent of link address /
        // relocation for those instructions. Sequences that embed an absolute
        // address WITHOUT a wildcard (see $sequence_9) remain tied to the sample's
        // image base.

        // Three-argument call through a register (ebx, ebx, 2) followed by a
        // result check; the large jne displacement (0x2bf) is part of the match.
        $sequence_0 = { 53 53 6a02 ffd7 85c0 0f85b9020000 }
            // n = 6, score = 200
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   6a02                 | push                2
            //   ffd7                 | call                edi
            //   85c0                 | test                eax, eax
            //   0f85b9020000         | jne                 0x2bf

        // rol / not / add / and arithmetic on stack-resident words — looks like a
        // hash or cipher round (TODO confirm which primitive; not derivable here).
        $sequence_1 = { c1c007 f7d1 03c7 23ce 8945b8 8b45a4 2345bc }
            // n = 7, score = 200
            //   c1c007               | rol                 eax, 7
            //   f7d1                 | not                 ecx
            //   03c7                 | add                 eax, edi
            //   23ce                 | and                 ecx, esi
            //   8945b8               | mov                 dword ptr [ebp - 0x48], eax
            //   8b45a4               | mov                 eax, dword ptr [ebp - 0x5c]
            //   2345bc               | and                 eax, dword ptr [ebp - 0x44]

        // Two wildcarded calls around a stack-buffer setup ([ebp - 0x118]).
        $sequence_2 = { 7557 ff36 e8???????? 8bf8 8d85e8feffff 50 e8???????? }
            // n = 7, score = 200
            //   7557                 | jne                 0x59
            //   ff36                 | push                dword ptr [esi]
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   8d85e8feffff         | lea                 eax, [ebp - 0x118]
            //   50                   | push                eax
            //   e8????????           |                     

        // cdecl-style call cleanup (add esp, 0xc) with the immediate operands of
        // the following push/push-[mem] masked out.
        $sequence_3 = { e8???????? 83c40c 8bf8 89bdb8feffff ff36 68???????? ff35???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8bf8                 | mov                 edi, eax
            //   89bdb8feffff         | mov                 dword ptr [ebp - 0x148], edi
            //   ff36                 | push                dword ptr [esi]
            //   68????????           |                     
            //   ff35????????         |                     

        // Single-argument call, then a compare of a local against 1 and push 0x19.
        $sequence_4 = { 53 e8???????? 83c404 83bdccfeffff01 753f 6a19 }
            // n = 6, score = 200
            //   53                   | push                ebx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   83bdccfeffff01       | cmp                 dword ptr [ebp - 0x134], 1
            //   753f                 | jne                 0x41
            //   6a19                 | push                0x19

        // Byte-by-byte moves from [edi + 0xe/0xf] into [ebx + 5..7]; only the
        // tail of a longer unrolled copy is captured here.
        $sequence_5 = { 884305 0fb6470e 884306 0fb6470f 884307 }
            // n = 5, score = 200
            //   884305               | mov                 byte ptr [ebx + 5], al
            //   0fb6470e             | movzx               eax, byte ptr [edi + 0xe]
            //   884306               | mov                 byte ptr [ebx + 6], al
            //   0fb6470f             | movzx               eax, byte ptr [edi + 0xf]
            //   884307               | mov                 byte ptr [ebx + 7], al

        // Call taking a local buffer ([ebp - 0x104]) plus two saved locals.
        $sequence_6 = { 53 ffb5e0feffff 8d85fcfeffff 50 e8???????? ffb5f0feffff 8bb5f4feffff }
            // n = 7, score = 200
            //   53                   | push                ebx
            //   ffb5e0feffff         | push                dword ptr [ebp - 0x120]
            //   8d85fcfeffff         | lea                 eax, [ebp - 0x104]
            //   50                   | push                eax
            //   e8????????           |                     
            //   ffb5f0feffff         | push                dword ptr [ebp - 0x110]
            //   8bb5f4feffff         | mov                 esi, dword ptr [ebp - 0x10c]

        // Dereference of a field at offset 0x10 of a returned object, then a
        // second call with a stack out-parameter ([ebp - 0x10]).
        $sequence_7 = { ff35???????? e8???????? 8b4010 50 8d45f0 50 e8???????? }
            // n = 7, score = 200
            //   ff35????????         |                     
            //   e8????????           |                     
            //   8b4010               | mov                 eax, dword ptr [eax + 0x10]
            //   50                   | push                eax
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax
            //   e8????????           |                     

        // Short arithmetic fragment (three subtractions and an increment); only
        // 5 bytes, so it is the weakest discriminator of the set on its own.
        $sequence_8 = { 8bc6 2bc1 2b45ec 2bc2 40 }
            // n = 5, score = 200
            //   8bc6                 | mov                 eax, esi
            //   2bc1                 | sub                 eax, ecx
            //   2b45ec               | sub                 eax, dword ptr [ebp - 0x14]
            //   2bc2                 | sub                 eax, edx
            //   40                   | inc                 eax

        // Table lookup through an ABSOLUTE address (0x42d6c4, bytes c4d64200) —
        // this sequence will only match samples with the same image base /
        // layout; a rebuilt or rebased binary would likely lose it.
        $sequence_9 = { 0f84d3000000 8b048dc4d64200 89858cf8ffff 85c0 0f8498000000 83f801 0f84b5000000 }
            // n = 7, score = 200
            //   0f84d3000000         | je                  0xd9
            //   8b048dc4d64200       | mov                 eax, dword ptr [ecx*4 + 0x42d6c4]
            //   89858cf8ffff         | mov                 dword ptr [ebp - 0x774], eax
            //   85c0                 | test                eax, eax
            //   0f8498000000         | je                  0x9e
            //   83f801               | cmp                 eax, 1
            //   0f84b5000000         | je                  0xbb

    condition:
        // At least 7 of the 10 sequences must be present, and the scanned object
        // must be under 483328 bytes (472 KiB). The size cap is derived from the
        // reference sample(s); a padded or repacked build above it will not match.
        // There is deliberately no MZ/PE header check, since the sequences were
        // extracted from memory dumps as well as files — adding one would be a
        // behavior change. NOTE(review): confirm how `filesize` evaluates in your
        // engine when scanning process memory rather than files.
        7 of them and filesize < 483328
}