[BreachExchange] Ragnarok Ransomware Exploits Citrix Vulnerability To Target Vulnerable Servers

Destry Winant destry at riskbasedsecurity.com
Fri Jan 31 09:46:26 EST 2020


https://latesthackingnews.com/2020/01/30/ragnarok-ransomware-exploits-citrix-vulnerability-to-target-vulnerable-servers/

Here is another incident to reemphasize the need for patching the
serious Citrix vulnerability (CVE-2019-19781). A new ransomware called
Ragnarok is in the wild and is actively targeting vulnerable Citrix
ADC servers.

Ragnarok Ransomware Exploiting Citrix

Researchers have found new ransomware involved in targeting vulnerable
Citrix ADC servers.

As reported, the cybercriminals are exploiting the infamous Citrix
vulnerability (CVE-2019-19781) to attack vulnerable machines. The
attackers first compromise the vulnerable Citrix ADC devices. If
successful, they then download scripts that scan for Windows machines
vulnerable to EternalBlue. On finding a vulnerable machine, the script
injects a DLL that downloads and runs the Ragnarok ransomware.

While it looks like typical ransomware, it has some notable
differences. First, it excludes Russia and China from its encryption
attacks; to do so, it checks the Windows language ID. Next, it
attempts to disable Microsoft Windows Defender to bypass any security
check. It also disables automatic Startup Repair, clears Shadow Volume
Copies, and shuts down the Windows Firewall.

The encryption process of Ragnarok is similar to that of other
ransomware: it encrypts the files with AES and then encrypts the
generated AES key with an RSA encryption key bundled in the malware.
It also renames the encrypted files by adding a ‘.ragnarok’ extension.

While scanning the data, it skips system files and those with an
‘.exe’, ‘.dll’ or ‘.sys’ extension, along with some other specified
file paths.

Citrix Vulnerability Patch Released

For now, there is no known way to remedy a Ragnarok encryption attack.
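The behaviours described above (dismantling Defender, Startup Repair,
Shadow Volume Copies and the firewall, then renaming encrypted files
to ‘.ragnarok’) are all visible in ordinary endpoint telemetry. The
following is an added example, not code from the article or from any
vendor, of how a defender can turn those traits into a per-host
detection. The detection patterns, the event schema (host / type /
detail) and the sample events are assumptions constructed for this
example; the sample telemetry is invented, not captured data.

```python
"""Behaviour-based detection of the tactics the article attributes to Ragnarok.

Added example; the rule patterns and the event format are assumptions, and
SAMPLE_EVENTS is constructed telemetry (Sysmon-style process and file-rename
records), not real data.
"""
import re
from collections import defaultdict

# Each rule: (event type it applies to, regex over the event detail).
# These are illustrative patterns written for this example, not vendor signatures.
RULES = {
    "shadow_copies_cleared": ("process", re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    "firewall_disabled": ("process", re.compile(
        r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    "startup_repair_disabled": ("process", re.compile(
        r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    "defender_tampered": ("process", re.compile(
        r"Set-MpPreference\s+-Disable\w+", re.I)),
    # The article says encrypted files get a '.ragnarok' extension.
    "ragnarok_rename": ("file_rename", re.compile(r"\.ragnarok$", re.I)),
}


def match_rules(event):
    """Return the names of every rule the single event triggers."""
    kind, detail = event["type"], event["detail"]
    return [name for name, (rule_kind, pattern) in RULES.items()
            if rule_kind == kind and pattern.search(detail)]


def assess_hosts(events, rename_threshold=5):
    """Aggregate rule hits per host and assign a severity.

    critical: a burst of '.ragnarok' renames (encryption is already running)
    high:     two or more defensive controls dismantled (pre-encryption phase)
    medium:   a single suspicious action, worth triage
    """
    hits = defaultdict(lambda: defaultdict(int))
    for ev in events:
        for name in match_rules(ev):
            hits[ev["host"]][name] += 1

    verdicts = {}
    for host, counts in hits.items():
        prep = [n for n in counts if n != "ragnarok_rename"]
        renames = counts.get("ragnarok_rename", 0)
        if renames >= rename_threshold:
            level = "critical"
        elif len(prep) >= 2:
            level = "high"
        else:
            level = "medium"
        verdicts[host] = {"level": level, "hits": dict(counts)}
    return verdicts


# Constructed sample telemetry: ws01 shows the full pattern, ws02 shows benign
# administrative use of the same tools that must NOT alert.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process",
     "detail": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "type": "process",
     "detail": r"netsh.exe advfirewall set allprofiles state off"},
    {"host": "ws01", "type": "process",
     "detail": r"bcdedit.exe /set {default} recoveryenabled no"},
    {"host": "ws01", "type": "process",
     "detail": r"powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    *[{"host": "ws01", "type": "file_rename",
       "detail": rf"C:\Users\a\Documents\report{i}.docx.ragnarok"} for i in range(6)],
    {"host": "ws02", "type": "process", "detail": r"vssadmin.exe list shadows"},
    {"host": "ws02", "type": "file_rename", "detail": r"C:\Users\b\notes.txt.bak"},
]

if __name__ == "__main__":
    for host, verdict in assess_hosts(SAMPLE_EVENTS).items():
        print(host, verdict["level"], verdict["hits"])
```

The rename threshold is the knob to tune per environment: a single
rename to an unusual extension is noise, but several within one
host's telemetry is the encryption phase itself, so it outranks the
preparatory hits. Hosts that only use vssadmin or netsh for
legitimate administration (ws02 above) produce no verdict at all.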

Consequently, users need to be very careful about their security.
Windows users can certainly prevent this attack by activating
‘Microsoft Tamper Protection’ in Windows 10, which prevents changes to
Windows Defender. Above all, users must patch the Citrix vulnerability
to avoid Ragnarok and any other attacks that exploit the flaw.

