Ragnarok

Description

According to Bleeping Computer, this ransomware is used in targeted attacks against unpatched Citrix servers. It excludes Russian and Chinese targets by checking the system's Language ID. It also attempts to disable Windows Defender, and its strings contain a number of UNIX file path references. Files are encrypted with AES using a dynamically generated key, and that key is then wrapped with RSA.

External Analysis (11)
https://techcrunch.com/2021/08/30/ragnarok-ransomware-gang-shuts-down-and-releases-its-decryption-key
https://www.cpomagazine.com/cyber-security/ragnarok-ransomware-gang-closes-up-shop-leaves-master-decryptor-key-behind
https://www.sababasecurity.com/cheese-shortage-in-dutch-supermarkets-after-a-ransomware-attack
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf
https://news.sophos.com/en-us/2020/05/21/asnarok2/
https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/
https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-releases-master-decryptor-after-shutdown/
https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/
Ransom notes (2)

Urls (2)

Url                                                                        | Status | Screen | Uptime 30d | Health
http://wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion      | Down   |        | 0%         |
http://sushlnty2j7qdzy64qnvyb6ajkwg7resd3p6agc2widnawodtcedgjid.onion/     | Down   |        | 0%         |
Posts (1)
Date Title Description Screen
Decrypt
Note