win.ragnarok

Ragnarok


According to Bleeping Computer, the ransomware is used in targeted attacks against unpatched Citrix servers. It excludes Russian and Chinese targets by filtering on the system's Language ID. It also tries to disable Windows Defender, and its strings contain a number of UNIX file path references. Files are encrypted with AES using a dynamically generated key, which is then wrapped with RSA.

References

2022-06-23, Kaspersky, Nikita Nazarov, Vasily Davydov, Natalya Shornikova, Vladislav Burtsev, Danila Nasonov: "The hateful eight: Kaspersky's guide to modern ransomware groups' TTPs". https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf (retrieved 2022-06-27)
Families covered: Conti, Hive, BlackByte, BlackCat, Clop, LockBit, Mespinoza, Ragnarok

2022-03-17, Sophos, Tilly Travers: "The Ransomware Threat Intelligence Center". https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ (retrieved 2022-03-18)
Families covered: ATOMSILO, Avaddon, AvosLocker, BlackKingdom Ransomware, BlackMatter, Conti, Cring, DarkSide, dearcry, Dharma, Egregor, Entropy, Epsilon Red, Gandcrab, Karma, LockBit, LockFile, Mailto, Maze, Nefilim, RagnarLocker, Ragnarok, REvil, RobinHood, Ryuk, SamSam, Snatch, WannaCryptor, WastedLocker

2021-08-26, Bleeping Computer, Ionut Ilascu: "Ragnarok ransomware releases master decryptor after shutdown". https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-releases-master-decryptor-after-shutdown/ (retrieved 2021-08-31)
Families covered: Ragnarok

2021-05-10, DarkTracer: "Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb". https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 (retrieved 2021-05-13)
Families covered: RansomEXX, Avaddon, Babuk, Clop, Conti, Cuba, DarkSide, DoppelPaymer, Egregor, Hades, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, Nefilim, Nemty, Pay2Key, PwndLocker, RagnarLocker, Ragnarok, RansomEXX, REvil, Sekhmet, SunCrypt, ThunderX

2021-02-23, CrowdStrike: "2021 Global Threat Report". https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf (retrieved 2021-02-25)
Families covered: RansomEXX, Amadey, Anchor, Avaddon, BazarBackdoor, Clop, Cobalt Strike, Conti, Cutwail, DanaBot, DarkSide, DoppelPaymer, Dridex, Egregor, Emotet, Hakbit, IcedID, JSOutProx, KerrDown, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, NedDnLoader, Nemty, Pay2Key, PlugX, Pushdo, PwndLocker, PyXie, QakBot, Quasar RAT, RagnarLocker, Ragnarok, RansomEXX, REvil, Ryuk, Sekhmet, ShadowPad, SmokeLoader, Snake, SUNBURST, SunCrypt, TEARDROP, TrickBot, WastedLocker, Winnti, Zloader, KNOCKOUT SPIDER, OUTLAW SPIDER, RIDDLE SPIDER, SOLAR SPIDER, VIKING SPIDER

2020-05-21, Sophos, SophosLabs Uncut: "Asnarök attackers twice modified attack midstream". https://news.sophos.com/en-us/2020/05/21/asnarok2/ (retrieved 2021-05-04)
Families covered: NOTROBIN, Ragnarok

2020-01-28, Bleeping Computer, Lawrence Abrams: "Ragnarok Ransomware Targets Citrix ADC, Disables Windows Defender". https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/ (retrieved 2020-01-28)
Families covered: Ragnarok

2020-01-25, Github (k-vitali), Vitali Kremez: "Extracted Config for Ragnarok Ransomware". https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw (retrieved 2020-01-28)
Families covered: Ragnarok
Yara Rules

[TLP:WHITE] win_ragnarok_auto (version 20230407; detects win.ragnarok)
rule win_ragnarok_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.ragnarok."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarok"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 899dd4f6ffff eb08 8bd8 8985d4f6ffff 0fb60c9d2ed64200 0fb6349d2fd64200 }
            // n = 6, score = 200
            //   899dd4f6ffff         | mov                 dword ptr [ebp - 0x92c], ebx
            //   eb08                 | jmp                 0xa
            //   8bd8                 | mov                 ebx, eax
            //   8985d4f6ffff         | mov                 dword ptr [ebp - 0x92c], eax
            //   0fb60c9d2ed64200     | movzx               ecx, byte ptr [ebx*4 + 0x42d62e]
            //   0fb6349d2fd64200     | movzx               esi, byte ptr [ebx*4 + 0x42d62f]

        $sequence_1 = { 8990c8000000 3355ec 33f2 8990cc000000 33ce 89b0d0000000 5e }
            // n = 7, score = 200
            //   8990c8000000         | mov                 dword ptr [eax + 0xc8], edx
            //   3355ec               | xor                 edx, dword ptr [ebp - 0x14]
            //   33f2                 | xor                 esi, edx
            //   8990cc000000         | mov                 dword ptr [eax + 0xcc], edx
            //   33ce                 | xor                 ecx, esi
            //   89b0d0000000         | mov                 dword ptr [eax + 0xd0], esi
            //   5e                   | pop                 esi

        $sequence_2 = { 23ca 8b95f4feffff 338dd8feffff 8bf2 03f9 c1ce0d 03b880c14200 }
            // n = 7, score = 200
            //   23ca                 | and                 ecx, edx
            //   8b95f4feffff         | mov                 edx, dword ptr [ebp - 0x10c]
            //   338dd8feffff         | xor                 ecx, dword ptr [ebp - 0x128]
            //   8bf2                 | mov                 esi, edx
            //   03f9                 | add                 edi, ecx
            //   c1ce0d               | ror                 esi, 0xd
            //   03b880c14200         | add                 edi, dword ptr [eax + 0x42c180]

        $sequence_3 = { 3385dcfeffff 03f0 8b85f8feffff 03b094c14200 03f1 03b5e8feffff 8d1c37 }
            // n = 7, score = 200
            //   3385dcfeffff         | xor                 eax, dword ptr [ebp - 0x124]
            //   03f0                 | add                 esi, eax
            //   8b85f8feffff         | mov                 eax, dword ptr [ebp - 0x108]
            //   03b094c14200         | add                 esi, dword ptr [eax + 0x42c194]
            //   03f1                 | add                 esi, ecx
            //   03b5e8feffff         | add                 esi, dword ptr [ebp - 0x118]
            //   8d1c37               | lea                 ebx, [edi + esi]

        $sequence_4 = { 50 e8???????? ff35???????? 8d8534fcffff 6a10 50 }
            // n = 6, score = 200
            //   50                   | push                eax
            //   e8????????           |                     
            //   ff35????????         |                     
            //   8d8534fcffff         | lea                 eax, [ebp - 0x3cc]
            //   6a10                 | push                0x10
            //   50                   | push                eax

        $sequence_5 = { 8b95ecfeffff 338ddcfeffff 8bf2 03f9 c1ce0d 03b884c14200 8bca }
            // n = 7, score = 200
            //   8b95ecfeffff         | mov                 edx, dword ptr [ebp - 0x114]
            //   338ddcfeffff         | xor                 ecx, dword ptr [ebp - 0x124]
            //   8bf2                 | mov                 esi, edx
            //   03f9                 | add                 edi, ecx
            //   c1ce0d               | ror                 esi, 0xd
            //   03b884c14200         | add                 edi, dword ptr [eax + 0x42c184]
            //   8bca                 | mov                 ecx, edx

        $sequence_6 = { 0fb689104b4300 314d10 0fb688be000000 c1651008 0fb689104b4300 314d10 }
            // n = 6, score = 200
            //   0fb689104b4300       | movzx               ecx, byte ptr [ecx + 0x434b10]
            //   314d10               | xor                 dword ptr [ebp + 0x10], ecx
            //   0fb688be000000       | movzx               ecx, byte ptr [eax + 0xbe]
            //   c1651008             | shl                 dword ptr [ebp + 0x10], 8
            //   0fb689104b4300       | movzx               ecx, byte ptr [ecx + 0x434b10]
            //   314d10               | xor                 dword ptr [ebp + 0x10], ecx

        $sequence_7 = { 8b5508 b8ff000000 8a4d10 c702ff000000 80f930 7c0d 80f939 }
            // n = 7, score = 200
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   b8ff000000           | mov                 eax, 0xff
            //   8a4d10               | mov                 cl, byte ptr [ebp + 0x10]
            //   c702ff000000         | mov                 dword ptr [edx], 0xff
            //   80f930               | cmp                 cl, 0x30
            //   7c0d                 | jl                  0xf
            //   80f939               | cmp                 cl, 0x39

        $sequence_8 = { 8bec 8b4508 53 57 8d1c8590744300 8b03 90 }
            // n = 7, score = 200
            //   8bec                 | mov                 ebp, esp
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   53                   | push                ebx
            //   57                   | push                edi
            //   8d1c8590744300       | lea                 ebx, [eax*4 + 0x437490]
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   90                   | nop                 

        $sequence_9 = { ff35???????? ffd6 6a23 ff35???????? 8bf8 e8???????? 8b4810 }
            // n = 7, score = 200
            //   ff35????????         |                     
            //   ffd6                 | call                esi
            //   6a23                 | push                0x23
            //   ff35????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   e8????????           |                     
            //   8b4810               | mov                 ecx, dword ptr [eax + 0x10]

    condition:
        7 of them and filesize < 483328
}