win.ragnarok

Ragnarok


According to Bleeping Computer, the ransomware is used in targeted attacks against unpatched Citrix servers. It excludes Russian and Chinese systems by checking the system's language ID. It also attempts to disable Windows Defender and contains a number of UNIX file path references in its strings. Files are encrypted with AES using a dynamically generated key, which is then wrapped with RSA.

References

2022-06-23  Kaspersky  Nikita Nazarov, Vasily Davydov, Natalya Shornikova, Vladislav Burtsev, Danila Nasonov
    The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (technical report)
    https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf
    Families: Conti, Hive, BlackByte, BlackCat, Clop, LockBit, Mespinoza, Ragnarok

2022-03-17  Sophos  Tilly Travers
    The Ransomware Threat Intelligence Center
    https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/
    Families: ATOMSILO, Avaddon, AvosLocker, BlackKingdom Ransomware, BlackMatter, Conti, Cring, DarkSide, dearcry, Dharma, Egregor, Entropy, Epsilon Red, Gandcrab, Karma, LockBit, LockFile, Mailto, Maze, Nefilim, RagnarLocker, Ragnarok, REvil, RobinHood, Ryuk, SamSam, Snatch, WannaCryptor, WastedLocker

2021-08-26  Bleeping Computer  Ionut Ilascu
    Ragnarok ransomware releases master decryptor after shutdown
    https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-releases-master-decryptor-after-shutdown/
    Families: Ragnarok

2021-05-10  DarkTracer  DarkTracer
    Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
    https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
    Families: RansomEXX, Avaddon, Babuk, Clop, Conti, Cuba, DarkSide, DoppelPaymer, Egregor, Hades, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, Nefilim, Nemty, Pay2Key, PwndLocker, RagnarLocker, Ragnarok, RansomEXX, REvil, Sekhmet, SunCrypt, ThunderX

2021-02-23  CrowdStrike  CrowdStrike
    2021 Global Threat Report (technical report)
    https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
    Families: RansomEXX, Amadey, Anchor, Avaddon, BazarBackdoor, Clop, Cobalt Strike, Conti, Cutwail, DanaBot, DarkSide, DoppelPaymer, Dridex, Egregor, Emotet, Hakbit, IcedID, JSOutProx, KerrDown, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, NedDnLoader, Nemty, Pay2Key, PlugX, Pushdo, PwndLocker, PyXie, QakBot, Quasar RAT, RagnarLocker, Ragnarok, RansomEXX, REvil, Ryuk, Sekhmet, ShadowPad, SmokeLoader, Snake, SUNBURST, SunCrypt, TEARDROP, TrickBot, WastedLocker, Winnti, Zloader
    Actors: KNOCKOUT SPIDER, OUTLAW SPIDER, RIDDLE SPIDER, SOLAR SPIDER, VIKING SPIDER

2020-05-21  Sophos  SophosLabs Uncut
    Asnarök attackers twice modified attack midstream
    https://news.sophos.com/en-us/2020/05/21/asnarok2/
    Families: NOTROBIN, Ragnarok

2020-01-28  Bleeping Computer  Lawrence Abrams
    Ragnarok Ransomware Targets Citrix ADC, Disables Windows Defender
    https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/
    Families: Ragnarok

2020-01-25  Github (k-vitali)  Vitali Kremez
    Extracted Config for Ragnarok Ransomware
    https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw
    Families: Ragnarok
Yara Rules
[TLP:WHITE] win_ragnarok_auto (20220808 | Detects win.ragnarok.)
rule win_ragnarok_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.ragnarok."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarok"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b45a4 f7d0 c145a40a 0b4598 33c7 0345cc 03c2 }
            // n = 7, score = 200
            //   8b45a4               | mov                 eax, dword ptr [ebp - 0x5c]
            //   f7d0                 | not                 eax
            //   c145a40a             | rol                 dword ptr [ebp - 0x5c], 0xa
            //   0b4598               | or                  eax, dword ptr [ebp - 0x68]
            //   33c7                 | xor                 eax, edi
            //   0345cc               | add                 eax, dword ptr [ebp - 0x34]
            //   03c2                 | add                 eax, edx

        $sequence_1 = { 7515 8b4510 81784848454300 7409 ff7048 e8???????? 59 }
            // n = 7, score = 200
            //   7515                 | jne                 0x17
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   81784848454300       | cmp                 dword ptr [eax + 0x48], 0x434548
            //   7409                 | je                  0xb
            //   ff7048               | push                dword ptr [eax + 0x48]
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_2 = { 74e9 8a0e 0fb6c1 0fbe8040434300 85c0 7510 e8???????? }
            // n = 7, score = 200
            //   74e9                 | je                  0xffffffeb
            //   8a0e                 | mov                 cl, byte ptr [esi]
            //   0fb6c1               | movzx               eax, cl
            //   0fbe8040434300       | movsx               eax, byte ptr [eax + 0x434340]
            //   85c0                 | test                eax, eax
            //   7510                 | jne                 0x12
            //   e8????????           |                     

        $sequence_3 = { 884431ff 84c0 75f3 8bb5b8feffff 8bce }
            // n = 5, score = 200
            //   884431ff             | mov                 byte ptr [ecx + esi - 1], al
            //   84c0                 | test                al, al
            //   75f3                 | jne                 0xfffffff5
            //   8bb5b8feffff         | mov                 esi, dword ptr [ebp - 0x148]
            //   8bce                 | mov                 ecx, esi

        $sequence_4 = { 57 e8???????? 83c40c 8d85bcfeffff 50 57 ff9594feffff }
            // n = 7, score = 200
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d85bcfeffff         | lea                 eax, [ebp - 0x144]
            //   50                   | push                eax
            //   57                   | push                edi
            //   ff9594feffff         | call                dword ptr [ebp - 0x16c]

        $sequence_5 = { 42 84c0 75f9 2bd6 8d7a02 03f9 }
            // n = 6, score = 200
            //   42                   | inc                 edx
            //   84c0                 | test                al, al
            //   75f9                 | jne                 0xfffffffb
            //   2bd6                 | sub                 edx, esi
            //   8d7a02               | lea                 edi, [edx + 2]
            //   03f9                 | add                 edi, ecx

        $sequence_6 = { e8???????? 53 e8???????? ffb5e8feffff e8???????? 8b4dfc }
            // n = 6, score = 200
            //   e8????????           |                     
            //   53                   | push                ebx
            //   e8????????           |                     
            //   ffb5e8feffff         | push                dword ptr [ebp - 0x118]
            //   e8????????           |                     
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_7 = { 7d7b 8d0492 8d0c86 8d0492 c781e400000010b14000 c781e800000000000000 c78486f000000020000000 }
            // n = 7, score = 200
            //   7d7b                 | jge                 0x7d
            //   8d0492               | lea                 eax, [edx + edx*4]
            //   8d0c86               | lea                 ecx, [esi + eax*4]
            //   8d0492               | lea                 eax, [edx + edx*4]
            //   c781e400000010b14000     | mov    dword ptr [ecx + 0xe4], 0x40b110
            //   c781e800000000000000     | mov    dword ptr [ecx + 0xe8], 0
            //   c78486f000000020000000     | mov    dword ptr [esi + eax*4 + 0xf0], 0x20

        $sequence_8 = { 8b45b8 23c2 c145b80a 0bc8 8d869979825a 034dd8 }
            // n = 6, score = 200
            //   8b45b8               | mov                 eax, dword ptr [ebp - 0x48]
            //   23c2                 | and                 eax, edx
            //   c145b80a             | rol                 dword ptr [ebp - 0x48], 0xa
            //   0bc8                 | or                  ecx, eax
            //   8d869979825a         | lea                 eax, [esi + 0x5a827999]
            //   034dd8               | add                 ecx, dword ptr [ebp - 0x28]

        $sequence_9 = { 89bd9cfeffff 85ff 7508 89bd9cfeffff eb0c 56 6a00 }
            // n = 7, score = 200
            //   89bd9cfeffff         | mov                 dword ptr [ebp - 0x164], edi
            //   85ff                 | test                edi, edi
            //   7508                 | jne                 0xa
            //   89bd9cfeffff         | mov                 dword ptr [ebp - 0x164], edi
            //   eb0c                 | jmp                 0xe
            //   56                   | push                esi
            //   6a00                 | push                0

    condition:
        7 of them and filesize < 483328
}
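To make the autogenerated rule above easier to reason about, here is an added example (not Malpedia's or yara-signator's code) that evaluates its ten hex strings, treating each `??` as a single wildcard byte, and then applies the rule's own condition "7 of them and filesize < 483328". The test buffers it builds are constructed, not real samples; use yara or yara-python for actual scanning.

```python
# Added example: minimal evaluator for the hex strings and the counting
# condition of win_ragnarok_auto. Illustrative only; not a YARA replacement.
import re

# The ten sequences copied from the rule above; '??' marks a wildcard byte
# (here the relative call targets, which differ between builds).
SEQUENCES = {
    "$sequence_0": "8b45a4 f7d0 c145a40a 0b4598 33c7 0345cc 03c2",
    "$sequence_1": "7515 8b4510 81784848454300 7409 ff7048 e8???????? 59",
    "$sequence_2": "74e9 8a0e 0fb6c1 0fbe8040434300 85c0 7510 e8????????",
    "$sequence_3": "884431ff 84c0 75f3 8bb5b8feffff 8bce",
    "$sequence_4": "57 e8???????? 83c40c 8d85bcfeffff 50 57 ff9594feffff",
    "$sequence_5": "42 84c0 75f9 2bd6 8d7a02 03f9",
    "$sequence_6": "e8???????? 53 e8???????? ffb5e8feffff e8???????? 8b4dfc",
    "$sequence_7": "7d7b 8d0492 8d0c86 8d0492 c781e400000010b14000 c781e800000000000000 c78486f000000020000000",
    "$sequence_8": "8b45b8 23c2 c145b80a 0bc8 8d869979825a 034dd8",
    "$sequence_9": "89bd9cfeffff 85ff 7508 89bd9cfeffff eb0c 56 6a00",
}
MIN_MATCHES = 7          # "7 of them"
MAX_FILESIZE = 483328    # "filesize < 483328"

def hex_string_to_regex(pattern: str) -> re.Pattern:
    """Compile a YARA hex string into a bytes regex: each hex pair is a
    literal byte, each '??' matches any single byte (DOTALL so 0x0a counts)."""
    tokens = re.findall(r"\?\?|[0-9a-f]{2}", pattern.replace(" ", "").lower())
    parts = [b"." if t == "??" else re.escape(bytes.fromhex(t)) for t in tokens]
    return re.compile(b"".join(parts), re.DOTALL)

def matched_strings(data: bytes) -> set:
    """Names of the rule's strings that occur anywhere in data."""
    return {name for name, pat in SEQUENCES.items()
            if hex_string_to_regex(pat).search(data)}

def rule_matches(data: bytes) -> bool:
    """Mirror of the rule's condition: enough strings hit AND the file is small."""
    return len(matched_strings(data)) >= MIN_MATCHES and len(data) < MAX_FILESIZE

def build_sample(names, filler="ab") -> bytes:
    """Constructed test buffer (not a real sample): the named sequences with
    every wildcard byte set to `filler`, surrounded by NOP padding."""
    body = b"".join(bytes.fromhex(SEQUENCES[n].replace("??", filler).replace(" ", ""))
                    for n in names)
    return b"\x90" * 16 + body + b"\x90" * 16

if __name__ == "__main__":
    hit = build_sample(list(SEQUENCES)[:7])
    print(sorted(matched_strings(hit)), rule_matches(hit))   # 7 names, True
    print(rule_matches(build_sample(list(SEQUENCES)[:6])))   # False: only 6 of them
```

Because the condition counts distinct strings rather than requiring a fixed subset, any seven of the ten sequences trigger the rule; the size bound keeps it from firing on large files that merely embed a few of these byte runs.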