win.ragnarok

Ragnarok


According to Bleeping Computer, the ransomware is used in targeted attacks against unpatched Citrix servers. It excludes Russian and Chinese targets by checking the system's Language ID, attempts to disable Windows Defender, and contains a number of UNIX file path references in its strings. Files are encrypted with AES using a dynamically generated key, and that key is then wrapped (encrypted) with RSA.

References

2021-08-26 | Bleeping Computer | Ionut Ilascu
Ragnarok ransomware releases master decryptor after shutdown
@online{ilascu:20210826:ragnarok:71e3d60, author = {Ionut Ilascu}, title = {{Ragnarok ransomware releases master decryptor after shutdown}}, date = {2021-08-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-releases-master-decryptor-after-shutdown/}, language = {English}, urldate = {2021-08-31} }
Families: Ragnarok

2021-05-10 | DarkTracer | DarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} }
Families: RansomEXX, Avaddon, Babuk, Clop, Conti, Cuba, DarkSide, DoppelPaymer, Egregor, Hades, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, Nefilim, Nemty, Pay2Key, PwndLocker, RagnarLocker, Ragnarok, RansomEXX, REvil, Sekhmet, SunCrypt, ThunderX

2021-02-23 | CrowdStrike | CrowdStrike
2021 Global Threat Report
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} }
Families: RansomEXX, Amadey, Anchor, Avaddon, BazarBackdoor, Clop, Cobalt Strike, Conti, Cutwail, DanaBot, DarkSide, DoppelPaymer, Dridex, Egregor, Emotet, Hakbit, IcedID, JSOutProx, KerrDown, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, NedDnLoader, Nemty, Pay2Key, PlugX, Pushdo, PwndLocker, PyXie, QakBot, Quasar RAT, RagnarLocker, Ragnarok, RansomEXX, REvil, Ryuk, Sekhmet, ShadowPad, SmokeLoader, Snake, SUNBURST, SunCrypt, TEARDROP, TrickBot, WastedLocker, Winnti, Zloader, KNOCKOUT SPIDER, OUTLAW SPIDER, RIDDLE SPIDER, SOLAR SPIDER, VIKING SPIDER

2020-05-21 | Sophos | SophosLabs Uncut
Asnarök attackers twice modified attack midstream
@online{uncut:20200521:asnark:e0bcbbc, author = {SophosLabs Uncut}, title = {{Asnarök attackers twice modified attack midstream}}, date = {2020-05-21}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/05/21/asnarok2/}, language = {German}, urldate = {2021-05-04} }
Families: NOTROBIN, Ragnarok

2020-01-28 | Bleeping Computer | Lawrence Abrams
Ragnarok Ransomware Targets Citrix ADC, Disables Windows Defender
@online{abrams:20200128:ragnarok:713a314, author = {Lawrence Abrams}, title = {{Ragnarok Ransomware Targets Citrix ADC, Disables Windows Defender}}, date = {2020-01-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/}, language = {English}, urldate = {2020-01-28} }
Families: Ragnarok

2020-01-25 | Github (k-vitali) | Vitali Kremez
Extracted Config for Ragnarok Ransomware
@online{kremez:20200125:extracted:3eb7aef, author = {Vitali Kremez}, title = {{Extracted Config for Ragnarok Ransomware}}, date = {2020-01-25}, organization = {Github (k-vitali)}, url = {https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw}, language = {English}, urldate = {2020-01-28} }
Families: Ragnarok
Yara Rules
[TLP:WHITE] win_ragnarok_auto (20210616 | Detects win.ragnarok.)
rule win_ragnarok_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.ragnarok."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarok"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c1c00c 8db79979825a 03c2 81c224d14d5c 8945a8 8b45ac 8bc8 }
            // n = 7, score = 200
            //   c1c00c               | rol                 eax, 0xc
            //   8db79979825a         | lea                 esi, dword ptr [edi + 0x5a827999]
            //   03c2                 | add                 eax, edx
            //   81c224d14d5c         | add                 edx, 0x5c4dd124
            //   8945a8               | mov                 dword ptr [ebp - 0x58], eax
            //   8b45ac               | mov                 eax, dword ptr [ebp - 0x54]
            //   8bc8                 | mov                 ecx, eax

        $sequence_1 = { 8bf8 83c408 85ff 0f85c7010000 50 ff7508 }
            // n = 6, score = 200
            //   8bf8                 | mov                 edi, eax
            //   83c408               | add                 esp, 8
            //   85ff                 | test                edi, edi
            //   0f85c7010000         | jne                 0x1cd
            //   50                   | push                eax
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_2 = { 84c0 75f9 2bca 8bd3 8d7201 6690 }
            // n = 6, score = 200
            //   84c0                 | test                al, al
            //   75f9                 | jne                 0xfffffffb
            //   2bca                 | sub                 ecx, edx
            //   8bd3                 | mov                 edx, ebx
            //   8d7201               | lea                 esi, dword ptr [edx + 1]
            //   6690                 | nop                 

        $sequence_3 = { 85ff 7e34 56 ff35???????? e8???????? 8b4010 }
            // n = 6, score = 200
            //   85ff                 | test                edi, edi
            //   7e34                 | jle                 0x36
            //   56                   | push                esi
            //   ff35????????         |                     
            //   e8????????           |                     
            //   8b4010               | mov                 eax, dword ptr [eax + 0x10]

        $sequence_4 = { 895ddc 895de0 885de4 e8???????? 8bf0 83c40c 85f6 }
            // n = 7, score = 200
            //   895ddc               | mov                 dword ptr [ebp - 0x24], ebx
            //   895de0               | mov                 dword ptr [ebp - 0x20], ebx
            //   885de4               | mov                 byte ptr [ebp - 0x1c], bl
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   83c40c               | add                 esp, 0xc
            //   85f6                 | test                esi, esi

        $sequence_5 = { 0fb6c9 c1e308 c1ea10 0fb689105c4300 33d9 8b4dfc }
            // n = 6, score = 200
            //   0fb6c9               | movzx               ecx, cl
            //   c1e308               | shl                 ebx, 8
            //   c1ea10               | shr                 edx, 0x10
            //   0fb689105c4300       | movzx               ecx, byte ptr [ecx + 0x435c10]
            //   33d9                 | xor                 ebx, ecx
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_6 = { 33148d10504300 8b4d08 c1e918 33148d10584300 8b4dfc 0fb6c9 33148d104c4300 }
            // n = 7, score = 200
            //   33148d10504300       | xor                 edx, dword ptr [ecx*4 + 0x435010]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   c1e918               | shr                 ecx, 0x18
            //   33148d10584300       | xor                 edx, dword ptr [ecx*4 + 0x435810]
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   0fb6c9               | movzx               ecx, cl
            //   33148d104c4300       | xor                 edx, dword ptr [ecx*4 + 0x434c10]

        $sequence_7 = { eb1b 8b0c8d28754300 8a443928 a840 7508 0c02 88443928 }
            // n = 7, score = 200
            //   eb1b                 | jmp                 0x1d
            //   8b0c8d28754300       | mov                 ecx, dword ptr [ecx*4 + 0x437528]
            //   8a443928             | mov                 al, byte ptr [ecx + edi + 0x28]
            //   a840                 | test                al, 0x40
            //   7508                 | jne                 0xa
            //   0c02                 | or                  al, 2
            //   88443928             | mov                 byte ptr [ecx + edi + 0x28], al

        $sequence_8 = { c705????????01000000 c705????????01000000 6a04 58 6bc000 c780746d430002000000 }
            // n = 6, score = 200
            //   c705????????01000000     |     
            //   c705????????01000000     |     
            //   6a04                 | push                4
            //   58                   | pop                 eax
            //   6bc000               | imul                eax, eax, 0
            //   c780746d430002000000     | mov    dword ptr [eax + 0x436d74], 2

        $sequence_9 = { 8bc1 f7d0 c1c10a 0b459c 33c7 0345ec 03c2 }
            // n = 7, score = 200
            //   8bc1                 | mov                 eax, ecx
            //   f7d0                 | not                 eax
            //   c1c10a               | rol                 ecx, 0xa
            //   0b459c               | or                  eax, dword ptr [ebp - 0x64]
            //   33c7                 | xor                 eax, edi
            //   0345ec               | add                 eax, dword ptr [ebp - 0x14]
            //   03c2                 | add                 eax, edx

    condition:
        7 of them and filesize < 483328
}
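The autogenerated rule above is nothing more than ten hex strings with `??` wildcard bytes and a count-plus-size condition. The `??` bytes sit exactly where the disassembly comments are blank: the rel32 target of a `call` (`e8`), the absolute operand of `push dword ptr [...]` (`ff35`) and of `mov dword ptr [...], 1` (`c705`), values that differ between builds and load addresses, so the rule accepts any byte there while pinning every opcode. The following Python script is an added example, not code from Malpedia, yara-signator or the rule itself, and for real scanning you would use yara or yara-python; it re-implements just the subset of YARA semantics this rule needs (literal bytes, `??` wildcards, "N of them", `filesize <`), copies the rule's strings and condition verbatim, and evaluates them over constructed buffers so you can see how the 7-of-10 threshold and the size bound behave.

```python
import re
from typing import Dict, List, Tuple

# Hex strings and condition copied from win_ragnarok_auto (the rule above).
RULE_TEXT = r"""
strings:
    $sequence_0 = { c1c00c 8db79979825a 03c2 81c224d14d5c 8945a8 8b45ac 8bc8 }
    $sequence_1 = { 8bf8 83c408 85ff 0f85c7010000 50 ff7508 }
    $sequence_2 = { 84c0 75f9 2bca 8bd3 8d7201 6690 }
    $sequence_3 = { 85ff 7e34 56 ff35???????? e8???????? 8b4010 }
    $sequence_4 = { 895ddc 895de0 885de4 e8???????? 8bf0 83c40c 85f6 }
    $sequence_5 = { 0fb6c9 c1e308 c1ea10 0fb689105c4300 33d9 8b4dfc }
    $sequence_6 = { 33148d10504300 8b4d08 c1e918 33148d10584300 8b4dfc 0fb6c9 33148d104c4300 }
    $sequence_7 = { eb1b 8b0c8d28754300 8a443928 a840 7508 0c02 88443928 }
    $sequence_8 = { c705????????01000000 c705????????01000000 6a04 58 6bc000 c780746d430002000000 }
    $sequence_9 = { 8bc1 f7d0 c1c10a 0b459c 33c7 0345ec 03c2 }
condition:
    7 of them and filesize < 483328
"""

STRING_RE = re.compile(r"^\s*(\$\w+)\s*=\s*\{([^}]*)\}", re.MULTILINE)
# Only the condition shape this rule uses: "<n> of them and filesize < <bytes>"
COND_RE = re.compile(r"(\d+)\s+of\s+them\s+and\s+filesize\s*<\s*(\d+)")


def hex_string_to_regex(body: str) -> re.Pattern:
    """Compile a YARA hex-string body into a bytes regex.
    Each byte is two hex digits (literal) or '??' (wildcard: any one byte).
    Toy subset: no jumps [n-m], no alternation ( | ), no nibble wildcards."""
    pattern = b""
    for token in body.split():
        if len(token) % 2:
            raise ValueError(f"odd-length hex token: {token}")
        for i in range(0, len(token), 2):
            pair = token[i:i + 2]
            pattern += b"." if pair == "??" else b"\\x%02x" % int(pair, 16)
    return re.compile(pattern, re.DOTALL)  # DOTALL: '.' must also match 0x0a


def parse_rule(text: str) -> Tuple[Dict[str, re.Pattern], int, int]:
    """Return ({string name: regex}, minimum hit count, filesize upper bound)."""
    strings = {name: hex_string_to_regex(body) for name, body in STRING_RE.findall(text)}
    m = COND_RE.search(text)
    if not strings or not m:
        raise ValueError("unsupported rule layout")
    return strings, int(m.group(1)), int(m.group(2))


def scan(data: bytes, text: str = RULE_TEXT) -> Tuple[bool, List[str]]:
    """Evaluate the rule against `data`: (matched?, names of the strings that hit)."""
    strings, min_hits, max_size = parse_rule(text)
    hits = sorted(name for name, rx in strings.items() if rx.search(data))
    return (len(hits) >= min_hits and len(data) < max_size), hits


def materialise(body: str, filler: int = 0x90) -> bytes:
    """Turn a hex-string body into concrete bytes, filling each '??' with `filler`.
    Used only to build the constructed sample below."""
    out = bytearray()
    for token in body.split():
        for i in range(0, len(token), 2):
            pair = token[i:i + 2]
            out.append(filler if pair == "??" else int(pair, 16))
    return bytes(out)


def build_sample(n_sequences: int, pad: int = 4096) -> bytes:
    """Constructed buffer (not a real binary): the first `n_sequences` rule
    strings separated by int3 padding, with `pad` zero bytes on each side."""
    bodies = [body for _, body in STRING_RE.findall(RULE_TEXT)][:n_sequences]
    middle = (b"\xcc" * 16).join(materialise(b) for b in bodies)
    return b"\x00" * pad + middle + b"\x00" * pad


if __name__ == "__main__":
    for n in (10, 7, 6):
        matched, hits = scan(build_sample(n))
        print(f"{n} sequences embedded -> matched={matched}, hits={len(hits)}")
    # Same content padded past the filesize bound: the size guard rejects it.
    print("oversized ->", scan(build_sample(10, pad=483328))[0])
```

Two things the run makes visible: six embedded sequences are one short of the `7 of them` threshold and do not fire, and a buffer that carries all ten sequences still fails once it exceeds the `filesize < 483328` bound, so the rule is tuned to the packed-size range of the documented sample rather than to the code alone. Wildcard bytes are filled with 0x90 only to build the sample; the matcher itself accepts any byte in those positions, including 0x0a, which is why the regexes are compiled with DOTALL.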