win.ragnarok

Ragnarok


According to Bleeping Computer, the ransomware is used in targeted attacks against unpatched Citrix servers. It excludes Russian and Chinese targets by checking the system's Language ID. It also tries to disable Windows Defender and contains a number of UNIX file path references in its strings. The encryption method is AES with a dynamically generated key, which is then wrapped with RSA.

References
2022-06-23 - Kaspersky - Danila Nasonov, Natalya Shornikova, Nikita Nazarov, Vasily Davydov, Vladislav Burtsev
The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs
Families: Conti, Hive, BlackByte, BlackCat, Clop, LockBit, Mespinoza, Ragnarok

2022-03-17 - Sophos - Tilly Travers
The Ransomware Threat Intelligence Center
Families: ATOMSILO, Avaddon, AvosLocker, BlackKingdom Ransomware, BlackMatter, Conti, Cring, DarkSide, dearcry, Dharma, Egregor, Entropy, Epsilon Red, Gandcrab, Karma, LockBit, LockFile, Mailto, Maze, Nefilim, RagnarLocker, Ragnarok, REvil, RobinHood, Ryuk, SamSam, Snatch, WannaCryptor, WastedLocker

2021-08-26 - Bleeping Computer - Ionut Ilascu
Ragnarok ransomware releases master decryptor after shutdown
Families: Ragnarok

2021-05-10 - DarkTracer - DarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
Families: RansomEXX, Avaddon, Babuk, Clop, Conti, Cuba, DarkSide, DoppelPaymer, Egregor, Hades, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, Nefilim, Nemty, Pay2Key, PwndLocker, RagnarLocker, Ragnarok, RansomEXX, REvil, Sekhmet, SunCrypt, ThunderX

2021-02-23 - CrowdStrike - CrowdStrike
2021 Global Threat Report
Families: RansomEXX, Amadey, Anchor, Avaddon, BazarBackdoor, Clop, Cobalt Strike, Conti, Cutwail, DanaBot, DarkSide, DoppelPaymer, Dridex, Egregor, Emotet, Hakbit, IcedID, JSOutProx, KerrDown, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, NedDnLoader, Nemty, Pay2Key, PlugX, Pushdo, PwndLocker, PyXie, QakBot, Quasar RAT, RagnarLocker, Ragnarok, RansomEXX, REvil, Ryuk, Sekhmet, ShadowPad, SmokeLoader, Snake, SUNBURST, SunCrypt, TEARDROP, TrickBot, WastedLocker, Winnti, Zloader, Evilnum, OUTLAW SPIDER, RIDDLE SPIDER, SOLAR SPIDER, VIKING SPIDER

2020-05-21 - Sophos - SophosLabs Uncut
Asnarök attackers twice modified attack midstream
Families: NOTROBIN, Ragnarok

2020-05-04 - blackarrow - Borja Merino
Ragnarok Stopper: development of a vaccine
Families: Ragnarok

2020-01-28 - Bleeping Computer - Lawrence Abrams
Ragnarok Ransomware Targets Citrix ADC, Disables Windows Defender
Families: Ragnarok

2020-01-25 - Github (k-vitali) - Vitali Kremez
Extracted Config for Ragnarok Ransomware
Families: Ragnarok
Yara Rules
[TLP:WHITE] win_ragnarok_auto (20260504 | Detects win.ragnarok.)
rule win_ragnarok_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.ragnarok."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarok"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0fb689104b4300 314dfc 8bca c165fc08 c1e908 0fb6c9 0fb689104b4300 }
            // n = 7, score = 200
            //   0fb689104b4300       | movzx               ecx, byte ptr [ecx + 0x434b10]
            //   314dfc               | xor                 dword ptr [ebp - 4], ecx
            //   8bca                 | mov                 ecx, edx
            //   c165fc08             | shl                 dword ptr [ebp - 4], 8
            //   c1e908               | shr                 ecx, 8
            //   0fb6c9               | movzx               ecx, cl
            //   0fb689104b4300       | movzx               ecx, byte ptr [ecx + 0x434b10]

        $sequence_1 = { 8a08 40 84c9 75f9 2b45f8 8bcb }
            // n = 6, score = 200
            //   8a08                 | mov                 cl, byte ptr [eax]
            //   40                   | inc                 eax
            //   84c9                 | test                cl, cl
            //   75f9                 | jne                 0xfffffffb
            //   2b45f8               | sub                 eax, dword ptr [ebp - 8]
            //   8bcb                 | mov                 ecx, ebx

        $sequence_2 = { ffd6 ffb544ffffff ffd7 6a40 e8???????? }
            // n = 5, score = 200
            //   ffd6                 | call                esi
            //   ffb544ffffff         | push                dword ptr [ebp - 0xbc]
            //   ffd7                 | call                edi
            //   6a40                 | push                0x40
            //   e8????????           |                     

        $sequence_3 = { 83e03f 6bc838 894de0 8b049d28754300 f644082801 7469 56 }
            // n = 7, score = 200
            //   83e03f               | and                 eax, 0x3f
            //   6bc838               | imul                ecx, eax, 0x38
            //   894de0               | mov                 dword ptr [ebp - 0x20], ecx
            //   8b049d28754300       | mov                 eax, dword ptr [ebx*4 + 0x437528]
            //   f644082801           | test                byte ptr [eax + ecx + 0x28], 1
            //   7469                 | je                  0x6b
            //   56                   | push                esi

        $sequence_4 = { 0bc8 034de4 8d86dcbc1b8f 8b75b4 03c1 8b4dac c1c00f }
            // n = 7, score = 200
            //   0bc8                 | or                  ecx, eax
            //   034de4               | add                 ecx, dword ptr [ebp - 0x1c]
            //   8d86dcbc1b8f         | lea                 eax, [esi - 0x70e44324]
            //   8b75b4               | mov                 esi, dword ptr [ebp - 0x4c]
            //   03c1                 | add                 eax, ecx
            //   8b4dac               | mov                 ecx, dword ptr [ebp - 0x54]
            //   c1c00f               | rol                 eax, 0xf

        $sequence_5 = { 8b8538fdffff 031cc558af4200 133cc55caf4200 039cc57cfdffff 13bcc580fdffff 039d70fdffff 8b856cfdffff }
            // n = 7, score = 200
            //   8b8538fdffff         | mov                 eax, dword ptr [ebp - 0x2c8]
            //   031cc558af4200       | add                 ebx, dword ptr [eax*8 + 0x42af58]
            //   133cc55caf4200       | adc                 edi, dword ptr [eax*8 + 0x42af5c]
            //   039cc57cfdffff       | add                 ebx, dword ptr [ebp + eax*8 - 0x284]
            //   13bcc580fdffff       | adc                 edi, dword ptr [ebp + eax*8 - 0x280]
            //   039d70fdffff         | add                 ebx, dword ptr [ebp - 0x290]
            //   8b856cfdffff         | mov                 eax, dword ptr [ebp - 0x294]

        $sequence_6 = { 7409 57 e8???????? 83c404 8b0e 8d5101 8a01 }
            // n = 7, score = 200
            //   7409                 | je                  0xb
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   8d5101               | lea                 edx, [ecx + 1]
            //   8a01                 | mov                 al, byte ptr [ecx]

        $sequence_7 = { 8d9e9979825a c1c00c 8db79979825a 03c2 81c224d14d5c 8945a8 8b45ac }
            // n = 7, score = 200
            //   8d9e9979825a         | lea                 ebx, [esi + 0x5a827999]
            //   c1c00c               | rol                 eax, 0xc
            //   8db79979825a         | lea                 esi, [edi + 0x5a827999]
            //   03c2                 | add                 eax, edx
            //   81c224d14d5c         | add                 edx, 0x5c4dd124
            //   8945a8               | mov                 dword ptr [ebp - 0x58], eax
            //   8b45ac               | mov                 eax, dword ptr [ebp - 0x54]

        $sequence_8 = { 8bec 8b4508 53 57 8d1c8590744300 8b03 90 }
            // n = 7, score = 200
            //   8bec                 | mov                 ebp, esp
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   53                   | push                ebx
            //   57                   | push                edi
            //   8d1c8590744300       | lea                 ebx, [eax*4 + 0x437490]
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   90                   | nop                 

        $sequence_9 = { e8???????? 68???????? 56 8b5810 e8???????? }
            // n = 5, score = 200
            //   e8????????           |                     
            //   68????????           |                     
            //   56                   | push                esi
            //   8b5810               | mov                 ebx, dword ptr [eax + 0x10]
            //   e8????????           |                     

    condition:
        7 of them and filesize < 483328
}
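To show how the condition of the rule above is actually evaluated (each $sequence_N is a hex string in which `??` matches any single byte, and the rule fires only when at least 7 of the 10 strings are present in an object smaller than 483328 bytes), here is an added Python example. It is not code from Malpedia or from yara-signator: it reimplements only the subset of YARA hex-string semantics these ten strings need (fixed bytes and `??` wildcards, no jumps or alternatives), copies the strings from the rule verbatim, and runs the condition over constructed byte buffers so it can be tried offline without the `yara` module. The helper `_build_sample` and its NOP padding are assumptions made for the demonstration only.

```python
import re
import sys

# Hex strings copied from the win_ragnarok_auto rule on this page.
RAGNAROK_SEQUENCES = {
    "sequence_0": "0fb689104b4300 314dfc 8bca c165fc08 c1e908 0fb6c9 0fb689104b4300",
    "sequence_1": "8a08 40 84c9 75f9 2b45f8 8bcb",
    "sequence_2": "ffd6 ffb544ffffff ffd7 6a40 e8????????",
    "sequence_3": "83e03f 6bc838 894de0 8b049d28754300 f644082801 7469 56",
    "sequence_4": "0bc8 034de4 8d86dcbc1b8f 8b75b4 03c1 8b4dac c1c00f",
    "sequence_5": "8b8538fdffff 031cc558af4200 133cc55caf4200 039cc57cfdffff 13bcc580fdffff 039d70fdffff 8b856cfdffff",
    "sequence_6": "7409 57 e8???????? 83c404 8b0e 8d5101 8a01",
    "sequence_7": "8d9e9979825a c1c00c 8db79979825a 03c2 81c224d14d5c 8945a8 8b45ac",
    "sequence_8": "8bec 8b4508 53 57 8d1c8590744300 8b03 90",
    "sequence_9": "e8???????? 68???????? 56 8b5810 e8????????",
}
MIN_MATCHES = 7          # condition: "7 of them"
MAX_FILESIZE = 483328    # condition: "filesize < 483328"


def hex_string_to_regex(hex_string: str) -> re.Pattern:
    """Translate a YARA hex string made of fixed bytes and '??' wildcards into
    a bytes regex. Jumps ([n-m]), alternatives and nibble wildcards are not
    supported because this rule does not use them."""
    digits = hex_string.replace(" ", "")
    if len(digits) % 2:
        raise ValueError("hex string must contain whole bytes")
    pattern = b""
    for i in range(0, len(digits), 2):
        pair = digits[i:i + 2]
        if pair == "??":
            pattern += b"."                        # any single byte
        else:
            pattern += re.escape(bytes([int(pair, 16)]))
    return re.compile(pattern, re.DOTALL)           # DOTALL so '.' also matches 0x0a


COMPILED = {name: hex_string_to_regex(h) for name, h in RAGNAROK_SEQUENCES.items()}


def matching_sequences(data: bytes) -> list:
    """Names of the rule's strings that occur anywhere in data."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule condition: at least 7 strings hit and the object is
    smaller than 483328 bytes."""
    return len(matching_sequences(data)) >= MIN_MATCHES and len(data) < MAX_FILESIZE


def _build_sample(names, pad: int = 16) -> bytes:
    """Constructed test buffer (not a real sample): the named sequences with
    every '??' filled by 0x00, separated by NOP (0x90) padding."""
    out = bytearray()
    for name in names:
        out += b"\x90" * pad
        out += bytes.fromhex(RAGNAROK_SEQUENCES[name].replace(" ", "").replace("??", "00"))
    return bytes(out)


if __name__ == "__main__":
    # Usage: python ragnarok_rule_demo.py <file> [<file> ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        hits = matching_sequences(blob)
        print(f"{path}: {'MATCH' if rule_matches(blob) else 'no match'} "
              f"({len(hits)} of {len(RAGNAROK_SEQUENCES)} strings, {len(blob)} bytes)")
```

The two halves of the condition behave differently in practice: the string threshold tolerates a few code sequences being absent from a given build, while the filesize bound is a hard cut-off, so a sample padded beyond 483328 bytes is not reported even if all ten sequences are present. Real YARA should still be used for scanning; this re-implementation exists only to make the rule's logic concrete.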