win.ragnarok

Ragnarok


According to Bleeping Computer, the ransomware is used in targeted attacks against unpatched Citrix servers. It excludes Russian and Chinese targets by checking the system's Language ID. It also tries to disable Windows Defender, and its strings contain a number of UNIX file-path references. Files are encrypted with AES using a dynamically generated key, which is then itself encrypted (wrapped) with RSA.

References
2020-05-21 | Sophos | SophosLabs Uncut
@online{uncut:20200521:asnark:e0bcbbc, author = {SophosLabs Uncut}, title = {{Asnarök attackers twice modified attack midstream}}, date = {2020-05-21}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/05/21/asnarok2/}, language = {English}, urldate = {2020-05-23} } Asnarök attackers twice modified attack midstream
NOTROBIN Ragnarok
2020-01-28 | Bleeping Computer | Lawrence Abrams
@online{abrams:20200128:ragnarok:713a314, author = {Lawrence Abrams}, title = {{Ragnarok Ransomware Targets Citrix ADC, Disables Windows Defender}}, date = {2020-01-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/}, language = {English}, urldate = {2020-01-28} } Ragnarok Ransomware Targets Citrix ADC, Disables Windows Defender
Ragnarok
2020-01-25 | Github (k-vitali) | Vitali Kremez
@online{kremez:20200125:extracted:3eb7aef, author = {Vitali Kremez}, title = {{Extracted Config for Ragnarok Ransomware}}, date = {2020-01-25}, organization = {Github (k-vitali)}, url = {https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw}, language = {English}, urldate = {2020-01-28} } Extracted Config for Ragnarok Ransomware
Ragnarok
Yara Rules
[TLP:WHITE] win_ragnarok_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_ragnarok_auto {

    /* Reading guide (reviewer note, not part of the generated content):
     * the rule fires on any scanned object smaller than 483328 bytes that
     * contains at least 7 of the 10 opcode sequences below. Each sequence is
     * 32-bit x86 machine code lifted from the disassembly of a Ragnarok
     * sample; "??" bytes are wildcards that mask operands (call targets,
     * absolute addresses) which differ between builds or load addresses.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarok"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Call-through-register skeleton: the two "ff35 ????????" pushes and the
        // "e8 ????????" call have their 4-byte operands wildcarded, so only the
        // opcode shape is matched, not the addresses being pushed/called.
        $sequence_0 = { ffd7 6a0c ff35???????? 8bf0 e8???????? 8b4810 51 }
            // n = 7, score = 200
            //   ffd7                 | call                edi
            //   6a0c                 | push                0xc
            //   ff35????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   e8????????           |                     
            //   8b4810               | mov                 ecx, dword ptr [eax + 0x10]
            //   51                   | push                ecx

        // NOTE(review): $sequence_1, _2, _4, _5 and _6 are xor/and/not/or
        // arithmetic on stack slots with rol 0xa / 0xd; together with the
        // constants in _4 (0x6d703ef3) and _5 (lea with -0x70e44324, i.e.
        // 0x8f1bbcdc mod 2^32) this looks like RIPEMD-160 round code
        // (0x8f1bbcdc is also SHA-1's third round constant). If so, half the
        // rule is matching a generic hash implementation rather than
        // Ragnarok-specific logic, and other binaries embedding the same
        // library may satisfy these five sequences — confirm before treating
        // a match driven mainly by them as high confidence.
        $sequence_1 = { 8945c0 33d7 03550c 8b5dc0 8b45b8 33d8 035df0 }
            // n = 7, score = 200
            //   8945c0               | mov                 dword ptr [ebp - 0x40], eax
            //   33d7                 | xor                 edx, edi
            //   03550c               | add                 edx, dword ptr [ebp + 0xc]
            //   8b5dc0               | mov                 ebx, dword ptr [ebp - 0x40]
            //   8b45b8               | mov                 eax, dword ptr [ebp - 0x48]
            //   33d8                 | xor                 ebx, eax
            //   035df0               | add                 ebx, dword ptr [ebp - 0x10]

        $sequence_2 = { f7d1 234db0 c145b00a 0bc8 034dfc 8b45ac 03d1 }
            // n = 7, score = 200
            //   f7d1                 | not                 ecx
            //   234db0               | and                 ecx, dword ptr [ebp - 0x50]
            //   c145b00a             | rol                 dword ptr [ebp - 0x50], 0xa
            //   0bc8                 | or                  ecx, eax
            //   034dfc               | add                 ecx, dword ptr [ebp - 4]
            //   8b45ac               | mov                 eax, dword ptr [ebp - 0x54]
            //   03d1                 | add                 edx, ecx

        // NOTE(review): $sequence_3 and $sequence_7 embed absolute virtual
        // addresses from the analysed sample (0x437528 and 0x434b10) as literal
        // bytes. They are the most build-specific patterns in the set and will
        // likely stop matching on a relinked or rebased build even if the code
        // is otherwise unchanged; the "7 of them" threshold below tolerates
        // losing them.
        $sequence_3 = { 8955fc 8b049528754300 8945f8 807c072900 7507 8bc1 }
            // n = 6, score = 200
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   8b049528754300       | mov                 eax, dword ptr [edx*4 + 0x437528]
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   807c072900           | cmp                 byte ptr [edi + eax + 0x29], 0
            //   7507                 | jne                 9
            //   8bc1                 | mov                 eax, ecx

        $sequence_4 = { 0bc6 33459c 81c3f33e706d 0345f8 03d8 c1c70d }
            // n = 6, score = 200
            //   0bc6                 | or                  eax, esi
            //   33459c               | xor                 eax, dword ptr [ebp - 0x64]
            //   81c3f33e706d         | add                 ebx, 0x6d703ef3
            //   0345f8               | add                 eax, dword ptr [ebp - 8]
            //   03d8                 | add                 ebx, eax
            //   c1c70d               | rol                 edi, 0xd

        $sequence_5 = { f7d1 2345a8 234d9c 0bc8 8d82dcbc1b8f 034dec 03c1 }
            // n = 7, score = 200
            //   f7d1                 | not                 ecx
            //   2345a8               | and                 eax, dword ptr [ebp - 0x58]
            //   234d9c               | and                 ecx, dword ptr [ebp - 0x64]
            //   0bc8                 | or                  ecx, eax
            //   8d82dcbc1b8f         | lea                 eax, [edx - 0x70e44324]
            //   034dec               | add                 ecx, dword ptr [ebp - 0x14]
            //   03c1                 | add                 eax, ecx

        $sequence_6 = { 33da c1c00a 035de8 03f3 8945b0 8b5db0 }
            // n = 6, score = 200
            //   33da                 | xor                 ebx, edx
            //   c1c00a               | rol                 eax, 0xa
            //   035de8               | add                 ebx, dword ptr [ebp - 0x18]
            //   03f3                 | add                 esi, ebx
            //   8945b0               | mov                 dword ptr [ebp - 0x50], eax
            //   8b5db0               | mov                 ebx, dword ptr [ebp - 0x50]

        // Byte-table lookups (movzx from [ecx + 0x434b10]) combined with
        // shl 8 / xor — a table-driven transform whose table lives at a fixed
        // address; see the note on $sequence_3 about address-specific patterns.
        $sequence_7 = { 0fb699104b4300 8b4d10 0fb6c9 0fb689104b4300 c1e108 33d9 8b4d10 }
            // n = 7, score = 200
            //   0fb699104b4300       | movzx               ebx, byte ptr [ecx + 0x434b10]
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   0fb6c9               | movzx               ecx, cl
            //   0fb689104b4300       | movzx               ecx, byte ptr [ecx + 0x434b10]
            //   c1e108               | shl                 ecx, 8
            //   33d9                 | xor                 ebx, ecx
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]

        // Same call-through-register shape as $sequence_0 (call edi / call eax
        // with wildcarded push operands); only the fixed opcode bytes anchor it.
        $sequence_8 = { e8???????? 8b4010 50 ff35???????? ffd7 ff35???????? ffd0 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8b4010               | mov                 eax, dword ptr [eax + 0x10]
            //   50                   | push                eax
            //   ff35????????         |                     
            //   ffd7                 | call                edi
            //   ff35????????         |                     
            //   ffd0                 | call                eax

        // Shortest sequence (5 instructions): a backward conditional jump
        // (loop tail) followed by a call and stack clean-up. Short, generic
        // patterns like this carry the highest chance of incidental matches.
        $sequence_9 = { 7cc5 53 e8???????? 8b45fc 83c404 }
            // n = 5, score = 200
            //   7cc5                 | jl                  0xffffffc7
            //   53                   | push                ebx
            //   e8????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   83c404               | add                 esp, 4

    condition:
        // Any 7 of the 10 sequences: up to 3 may be absent (e.g. the
        // address-specific ones). The size bound applies to the scanned object
        // itself; per the DISCLAIMER the sequences were taken from unpacked
        // files and memory dumps, so a packed outer layer or a dump above
        // 483328 bytes (~472 KiB) will not match even if the code is present.
        7 of them and filesize < 483328
}