win.ragnarok

Ragnarok


According to Bleeping Computer, the ransomware is used in targeted attacks against unpatched Citrix servers. It excludes Russian and Chinese targets by filtering on the system's Language ID. It also tries to disable Windows Defender, and its strings contain a number of UNIX file path references. Files are encrypted with AES using a dynamically generated key, which is then wrapped (encrypted) with RSA.

References
2021-08-26 | Bleeping Computer | Ionut Ilascu
Ragnarok ransomware releases master decryptor after shutdown
https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-releases-master-decryptor-after-shutdown/
@online{ilascu:20210826:ragnarok:71e3d60, author = {Ionut Ilascu}, title = {{Ragnarok ransomware releases master decryptor after shutdown}}, date = {2021-08-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-releases-master-decryptor-after-shutdown/}, language = {English}, urldate = {2021-08-31} }
Families: Ragnarok

2021-05-10 | DarkTracer | DarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} }
Families: RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX

2021-02-23 | CrowdStrike | CrowdStrike
2021 Global Threat Report
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} }
Families: RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2020-05-21 | Sophos | SophosLabs Uncut
Asnarök attackers twice modified attack midstream
https://news.sophos.com/en-us/2020/05/21/asnarok2/
@online{uncut:20200521:asnark:e0bcbbc, author = {SophosLabs Uncut}, title = {{Asnarök attackers twice modified attack midstream}}, date = {2020-05-21}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/05/21/asnarok2/}, language = {German}, urldate = {2021-05-04} }
Families: NOTROBIN Ragnarok

2020-01-28 | Bleeping Computer | Lawrence Abrams
Ragnarok Ransomware Targets Citrix ADC, Disables Windows Defender
https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/
@online{abrams:20200128:ragnarok:713a314, author = {Lawrence Abrams}, title = {{Ragnarok Ransomware Targets Citrix ADC, Disables Windows Defender}}, date = {2020-01-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/}, language = {English}, urldate = {2020-01-28} }
Families: Ragnarok

2020-01-25 | Github (k-vitali) | Vitali Kremez
Extracted Config for Ragnarok Ransomware
https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw
@online{kremez:20200125:extracted:3eb7aef, author = {Vitali Kremez}, title = {{Extracted Config for Ragnarok Ransomware}}, date = {2020-01-25}, organization = {Github (k-vitali)}, url = {https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw}, language = {English}, urldate = {2020-01-28} }
Families: Ragnarok
Yara Rules
[TLP:WHITE] win_ragnarok_auto (20211008 | Detects win.ragnarok.)
rule win_ragnarok_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.ragnarok."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarok"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */
    strings:
        $sequence_0 = { 0fb6486f c1e708 0fb689104b4300 33f9 0fb6486e c1e708 0fb689104b4300 }
            // n = 7, score = 200
            //   0fb6486f             | movzx               ecx, byte ptr [eax + 0x6f]
            //   c1e708               | shl                 edi, 8
            //   0fb689104b4300       | movzx               ecx, byte ptr [ecx + 0x434b10]
            //   33f9                 | xor                 edi, ecx
            //   0fb6486e             | movzx               ecx, byte ptr [eax + 0x6e]
            //   c1e708               | shl                 edi, 8
            //   0fb689104b4300       | movzx               ecx, byte ptr [ecx + 0x434b10]

        $sequence_1 = { 56 8b750c 33c9 33db 894df8 32f6 33c0 }
            // n = 7, score = 200
            //   56                   | push                esi
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   33c9                 | xor                 ecx, ecx
            //   33db                 | xor                 ebx, ebx
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   32f6                 | xor                 dh, dh
            //   33c0                 | xor                 eax, eax

        $sequence_2 = { 6bc000 c780746d430002000000 6a04 58 6bc000 8b0d???????? 894c05f8 }
            // n = 7, score = 200
            //   6bc000               | imul                eax, eax, 0
            //   c780746d430002000000     | mov    dword ptr [eax + 0x436d74], 2
            //   6a04                 | push                4
            //   58                   | pop                 eax
            //   6bc000               | imul                eax, eax, 0
            //   8b0d????????         |                     
            //   894c05f8             | mov                 dword ptr [ebp + eax - 8], ecx

        $sequence_3 = { 8b501c 0fb6ca 0fb6b1104b4300 8bca }
            // n = 4, score = 200
            //   8b501c               | mov                 edx, dword ptr [eax + 0x1c]
            //   0fb6ca               | movzx               ecx, dl
            //   0fb6b1104b4300       | movzx               esi, byte ptr [ecx + 0x434b10]
            //   8bca                 | mov                 ecx, edx

        $sequence_4 = { 8b149510614300 33148d10654300 8b4df0 c1e918 33148d10694300 8b4df4 0fb6c9 }
            // n = 7, score = 200
            //   8b149510614300       | mov                 edx, dword ptr [edx*4 + 0x436110]
            //   33148d10654300       | xor                 edx, dword ptr [ecx*4 + 0x436510]
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   c1e918               | shr                 ecx, 0x18
            //   33148d10694300       | xor                 edx, dword ptr [ecx*4 + 0x436910]
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   0fb6c9               | movzx               ecx, cl

        $sequence_5 = { c1e908 0fb6c9 0fb689104b4300 33f9 8b4df8 33fe 8b75f4 }
            // n = 7, score = 200
            //   c1e908               | shr                 ecx, 8
            //   0fb6c9               | movzx               ecx, cl
            //   0fb689104b4300       | movzx               ecx, byte ptr [ecx + 0x434b10]
            //   33f9                 | xor                 edi, ecx
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   33fe                 | xor                 edi, esi
            //   8b75f4               | mov                 esi, dword ptr [ebp - 0xc]

        $sequence_6 = { 8bc8 83c40c 890f 8b5610 8a02 8d5201 8801 }
            // n = 7, score = 200
            //   8bc8                 | mov                 ecx, eax
            //   83c40c               | add                 esp, 0xc
            //   890f                 | mov                 dword ptr [edi], ecx
            //   8b5610               | mov                 edx, dword ptr [esi + 0x10]
            //   8a02                 | mov                 al, byte ptr [edx]
            //   8d5201               | lea                 edx, dword ptr [edx + 1]
            //   8801                 | mov                 byte ptr [ecx], al

        $sequence_7 = { 0fb689104b4300 33f9 c1e708 8b4dfc c1e908 0fb6c9 0fb689104b4300 }
            // n = 7, score = 200
            //   0fb689104b4300       | movzx               ecx, byte ptr [ecx + 0x434b10]
            //   33f9                 | xor                 edi, ecx
            //   c1e708               | shl                 edi, 8
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   c1e908               | shr                 ecx, 8
            //   0fb6c9               | movzx               ecx, cl
            //   0fb689104b4300       | movzx               ecx, byte ptr [ecx + 0x434b10]

        $sequence_8 = { ffd6 0f57c0 c785f4feffff44000000 33c0 }
            // n = 4, score = 200
            //   ffd6                 | call                esi
            //   0f57c0               | xorps               xmm0, xmm0
            //   c785f4feffff44000000     | mov    dword ptr [ebp - 0x10c], 0x44
            //   33c0                 | xor                 eax, eax

        $sequence_9 = { 8945ac 81c1a1ebd96e 8b45b0 f7d0 }
            // n = 4, score = 200
            //   8945ac               | mov                 dword ptr [ebp - 0x54], eax
            //   81c1a1ebd96e         | add                 ecx, 0x6ed9eba1
            //   8b45b0               | mov                 eax, dword ptr [ebp - 0x50]
            //   f7d0                 | not                 eax

    condition:
        7 of them and filesize < 483328
}