win.ragnarok

Ragnarok


According to Bleeping Computer, the ransomware is used in targeted attacks against unpatched Citrix servers. It excludes Russian and Chinese targets by checking the system's Language ID. It also tries to disable Windows Defender and contains a number of UNIX file path references in its strings. Files are encrypted with AES using a dynamically generated key, which is then wrapped with RSA.

References
2022-03-17 | Sophos | Tilly Travers
@online{travers:20220317:ransomware:df38f2f, author = {Tilly Travers}, title = {{The Ransomware Threat Intelligence Center}}, date = {2022-03-17}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/}, language = {English}, urldate = {2022-03-18} }
Families: ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker

2021-08-26 | Bleeping Computer | Ionut Ilascu
@online{ilascu:20210826:ragnarok:71e3d60, author = {Ionut Ilascu}, title = {{Ragnarok ransomware releases master decryptor after shutdown}}, date = {2021-08-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-releases-master-decryptor-after-shutdown/}, language = {English}, urldate = {2021-08-31} }
Families: Ragnarok

2021-05-10 | DarkTracer | DarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} }
Families: RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX

2021-02-23 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} }
Families: RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2020-05-21 | Sophos | SophosLabs Uncut
@online{uncut:20200521:asnark:e0bcbbc, author = {SophosLabs Uncut}, title = {{Asnarök attackers twice modified attack midstream}}, date = {2020-05-21}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/05/21/asnarok2/}, language = {German}, urldate = {2021-05-04} }
Families: NOTROBIN Ragnarok

2020-01-28 | Bleeping Computer | Lawrence Abrams
@online{abrams:20200128:ragnarok:713a314, author = {Lawrence Abrams}, title = {{Ragnarok Ransomware Targets Citrix ADC, Disables Windows Defender}}, date = {2020-01-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/}, language = {English}, urldate = {2020-01-28} }
Families: Ragnarok

2020-01-25 | Github (k-vitali) | Vitali Kremez
@online{kremez:20200125:extracted:3eb7aef, author = {Vitali Kremez}, title = {{Extracted Config for Ragnarok Ransomware}}, date = {2020-01-25}, organization = {Github (k-vitali)}, url = {https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw}, language = {English}, urldate = {2020-01-28} }
Families: Ragnarok
Yara Rules
[TLP:WHITE] win_ragnarok_auto (20220411 | Detects win.ragnarok.)
rule win_ragnarok_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.ragnarok."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarok"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c1e908 0fb6c9 0fb689104b4300 314d10 8b4d10 }
            // n = 5, score = 200
            //   c1e908               | shr                 ecx, 8
            //   0fb6c9               | movzx               ecx, cl
            //   0fb689104b4300       | movzx               ecx, byte ptr [ecx + 0x434b10]
            //   314d10               | xor                 dword ptr [ebp + 0x10], ecx
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]

        $sequence_1 = { 5e 5d c3 ff7508 6a00 }
            // n = 5, score = 200
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   ff7508               | push                dword ptr [ebp + 8]
            //   6a00                 | push                0

        $sequence_2 = { 8d4308 57 33ff 894304 897510 85f6 743a }
            // n = 7, score = 200
            //   8d4308               | lea                 eax, dword ptr [ebx + 8]
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   894304               | mov                 dword ptr [ebx + 4], eax
            //   897510               | mov                 dword ptr [ebp + 0x10], esi
            //   85f6                 | test                esi, esi
            //   743a                 | je                  0x3c

        $sequence_3 = { 7429 837dec00 7523 837de804 7618 6a03 68???????? }
            // n = 7, score = 200
            //   7429                 | je                  0x2b
            //   837dec00             | cmp                 dword ptr [ebp - 0x14], 0
            //   7523                 | jne                 0x25
            //   837de804             | cmp                 dword ptr [ebp - 0x18], 4
            //   7618                 | jbe                 0x1a
            //   6a03                 | push                3
            //   68????????           |                     

        $sequence_4 = { 238d54fdffff 338d44fdffff 03d9 8b8d78fdffff 13f8 8b8538fdffff 031cc560af4200 }
            // n = 7, score = 200
            //   238d54fdffff         | and                 ecx, dword ptr [ebp - 0x2ac]
            //   338d44fdffff         | xor                 ecx, dword ptr [ebp - 0x2bc]
            //   03d9                 | add                 ebx, ecx
            //   8b8d78fdffff         | mov                 ecx, dword ptr [ebp - 0x288]
            //   13f8                 | adc                 edi, eax
            //   8b8538fdffff         | mov                 eax, dword ptr [ebp - 0x2c8]
            //   031cc560af4200       | add                 ebx, dword ptr [eax*8 + 0x42af60]

        $sequence_5 = { e8???????? 8bf8 83c420 85ff 0f8484000000 6800020000 e8???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   83c420               | add                 esp, 0x20
            //   85ff                 | test                edi, edi
            //   0f8484000000         | je                  0x8a
            //   6800020000           | push                0x200
            //   e8????????           |                     

        $sequence_6 = { 03b090c14200 03b40514ffffff 03f7 8bbde4feffff 01b5ecfeffff 8bd7 }
            // n = 6, score = 200
            //   03b090c14200         | add                 esi, dword ptr [eax + 0x42c190]
            //   03b40514ffffff       | add                 esi, dword ptr [ebp + eax - 0xec]
            //   03f7                 | add                 esi, edi
            //   8bbde4feffff         | mov                 edi, dword ptr [ebp - 0x11c]
            //   01b5ecfeffff         | add                 dword ptr [ebp - 0x114], esi
            //   8bd7                 | mov                 edx, edi

        $sequence_7 = { 03d3 8b0c8528754300 8a0433 43 88440a2e 8b55b4 }
            // n = 6, score = 200
            //   03d3                 | add                 edx, ebx
            //   8b0c8528754300       | mov                 ecx, dword ptr [eax*4 + 0x437528]
            //   8a0433               | mov                 al, byte ptr [ebx + esi]
            //   43                   | inc                 ebx
            //   88440a2e             | mov                 byte ptr [edx + ecx + 0x2e], al
            //   8b55b4               | mov                 edx, dword ptr [ebp - 0x4c]

        $sequence_8 = { 0fb6b1104b4300 8bca c1e918 c1e608 0fb689104b4300 }
            // n = 5, score = 200
            //   0fb6b1104b4300       | movzx               esi, byte ptr [ecx + 0x434b10]
            //   8bca                 | mov                 ecx, edx
            //   c1e918               | shr                 ecx, 0x18
            //   c1e608               | shl                 esi, 8
            //   0fb689104b4300       | movzx               ecx, byte ptr [ecx + 0x434b10]

        $sequence_9 = { 3385ecfeffff 03f0 c1ca0d 8b85f8feffff 03b07cc14200 8bc1 c1c00a }
            // n = 7, score = 200
            //   3385ecfeffff         | xor                 eax, dword ptr [ebp - 0x114]
            //   03f0                 | add                 esi, eax
            //   c1ca0d               | ror                 edx, 0xd
            //   8b85f8feffff         | mov                 eax, dword ptr [ebp - 0x108]
            //   03b07cc14200         | add                 esi, dword ptr [eax + 0x42c17c]
            //   8bc1                 | mov                 eax, ecx
            //   c1c00a               | rol                 eax, 0xa

    condition:
        7 of them and filesize < 483328
}