SYMBOLCOMMON_NAMEaka. SYNONYMS
win.ragnarok (Back to overview)

Ragnarok

According to Bleeping Computer, the ransomware is used in targeted attacks against unpatched Citrix servers. It excludes Russian and Chinese targets using the system's Language ID for filtering. It also tries to disable Windows Defender and has a number of UNIX filepath references in its strings. Encryption method is AES using a dynamically generated key, then bundling this key up via RSA.

References
2022-06-23KasperskyNikita Nazarov, Vasily Davydov, Natalya Shornikova, Vladislav Burtsev, Danila Nasonov
@techreport{nazarov:20220623:hateful:bae0681, author = {Nikita Nazarov and Vasily Davydov and Natalya Shornikova and Vladislav Burtsev and Danila Nasonov}, title = {{The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs}}, date = {2022-06-23}, institution = {Kaspersky}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf}, language = {English}, urldate = {2022-06-27} } The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs
Conti Hive BlackByte BlackCat Clop LockBit Mespinoza Ragnarok
2022-03-17SophosTilly Travers
@online{travers:20220317:ransomware:df38f2f, author = {Tilly Travers}, title = {{The Ransomware Threat Intelligence Center}}, date = {2022-03-17}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/}, language = {English}, urldate = {2022-03-18} } The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2021-08-26Bleeping ComputerIonut Ilascu
@online{ilascu:20210826:ragnarok:71e3d60, author = {Ionut Ilascu}, title = {{Ragnarok ransomware releases master decryptor after shutdown}}, date = {2021-08-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-releases-master-decryptor-after-shutdown/}, language = {English}, urldate = {2021-08-31} } Ragnarok ransomware releases master decryptor after shutdown
Ragnarok
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2020-05-21SophosSophosLabs Uncut
@online{uncut:20200521:asnark:e0bcbbc, author = {SophosLabs Uncut}, title = {{Asnarök attackers twice modified attack midstream}}, date = {2020-05-21}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/05/21/asnarok2/}, language = {German}, urldate = {2021-05-04} } Asnarök attackers twice modified attack midstream
NOTROBIN Ragnarok
2020-01-28Bleeping ComputerLawrence Abrams
@online{abrams:20200128:ragnarok:713a314, author = {Lawrence Abrams}, title = {{Ragnarok Ransomware Targets Citrix ADC, Disables Windows Defender}}, date = {2020-01-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/}, language = {English}, urldate = {2020-01-28} } Ragnarok Ransomware Targets Citrix ADC, Disables Windows Defender
Ragnarok
2020-01-25Github (k-vitali)Vitali Kremez
@online{kremez:20200125:extracted:3eb7aef, author = {Vitali Kremez}, title = {{Extracted Config for Ragnarok Ransomware}}, date = {2020-01-25}, organization = {Github (k-vitali)}, url = {https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw}, language = {English}, urldate = {2020-01-28} } Extracted Config for Ragnarok Ransomware
Ragnarok
Yara Rules
[TLP:WHITE] win_ragnarok_auto (20230715 | Detects win.ragnarok.)
rule win_ragnarok_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.ragnarok."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarok"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c1e908 0fb6c9 c1e208 0fb689105c4300 33d1 8b4de8 }
            // n = 6, score = 200
            //   c1e908               | shr                 ecx, 8
            //   0fb6c9               | movzx               ecx, cl
            //   c1e208               | shl                 edx, 8
            //   0fb689105c4300       | movzx               ecx, byte ptr [ecx + 0x435c10]
            //   33d1                 | xor                 edx, ecx
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]

        $sequence_1 = { 83ec08 53 56 57 6a1e ff35???????? e8???????? }
            // n = 7, score = 200
            //   83ec08               | sub                 esp, 8
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   6a1e                 | push                0x1e
            //   ff35????????         |                     
            //   e8????????           |                     

        $sequence_2 = { 33348d10584300 8b4dec 8b149510544300 0fb6c9 33348d104c4300 }
            // n = 5, score = 200
            //   33348d10584300       | xor                 esi, dword ptr [ecx*4 + 0x435810]
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   8b149510544300       | mov                 edx, dword ptr [edx*4 + 0x435410]
            //   0fb6c9               | movzx               ecx, cl
            //   33348d104c4300       | xor                 esi, dword ptr [ecx*4 + 0x434c10]

        $sequence_3 = { 55 8bec 83ec18 53 56 8b7510 8bc6 }
            // n = 7, score = 200
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec18               | sub                 esp, 0x18
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8b7510               | mov                 esi, dword ptr [ebp + 0x10]
            //   8bc6                 | mov                 eax, esi

        $sequence_4 = { 8b4dfc 0fb6c9 0fb689104b4300 c1e108 33f9 8b4dfc c1e910 }
            // n = 7, score = 200
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   0fb6c9               | movzx               ecx, cl
            //   0fb689104b4300       | movzx               ecx, byte ptr [ecx + 0x434b10]
            //   c1e108               | shl                 ecx, 8
            //   33f9                 | xor                 edi, ecx
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   c1e910               | shr                 ecx, 0x10

        $sequence_5 = { 51 ff35???????? ffd6 6a1a ff35???????? 8bd8 e8???????? }
            // n = 7, score = 200
            //   51                   | push                ecx
            //   ff35????????         |                     
            //   ffd6                 | call                esi
            //   6a1a                 | push                0x1a
            //   ff35????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   e8????????           |                     

        $sequence_6 = { f3a5 8bca 8945f8 83e103 f3a4 3b450c 7ca5 }
            // n = 7, score = 200
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8bca                 | mov                 ecx, edx
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   83e103               | and                 ecx, 3
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   3b450c               | cmp                 eax, dword ptr [ebp + 0xc]
            //   7ca5                 | jl                  0xffffffa7

        $sequence_7 = { c1c009 f7d1 234db0 03c7 8945a4 8b45a0 2345b4 }
            // n = 7, score = 200
            //   c1c009               | rol                 eax, 9
            //   f7d1                 | not                 ecx
            //   234db0               | and                 ecx, dword ptr [ebp - 0x50]
            //   03c7                 | add                 eax, edi
            //   8945a4               | mov                 dword ptr [ebp - 0x5c], eax
            //   8b45a0               | mov                 eax, dword ptr [ebp - 0x60]
            //   2345b4               | and                 eax, dword ptr [ebp - 0x4c]

        $sequence_8 = { 660fd60f 8d7f08 8b048dd4314100 ffe0 f7c703000000 7413 8a06 }
            // n = 7, score = 200
            //   660fd60f             | movq                qword ptr [edi], xmm1
            //   8d7f08               | lea                 edi, [edi + 8]
            //   8b048dd4314100       | mov                 eax, dword ptr [ecx*4 + 0x4131d4]
            //   ffe0                 | jmp                 eax
            //   f7c703000000         | test                edi, 3
            //   7413                 | je                  0x15
            //   8a06                 | mov                 al, byte ptr [esi]

        $sequence_9 = { 2d80000000 742b 83e840 741b 83e840 }
            // n = 5, score = 200
            //   2d80000000           | sub                 eax, 0x80
            //   742b                 | je                  0x2d
            //   83e840               | sub                 eax, 0x40
            //   741b                 | je                  0x1d
            //   83e840               | sub                 eax, 0x40

    condition:
        7 of them and filesize < 483328
}
Download all Yara Rules