Here is another incident to reemphasize the need for patching the serious Citrix vulnerability (CVE-2019-19781). A new ransomware called Ragnarok is in the wild and is actively targeting vulnerable Citrix ADC servers.
Researchers have found new ransomware involved in targeting vulnerable Citrix ADC servers. As revealed, the cybercriminals are exploiting the infamous Citrix vulnerability (CVE-2019-19781) to attack vulnerable machines.
The attackers first compromise the vulnerable Citrix ADC devices. If successful, they then download scripts to scan for Windows machines vulnerable to EternalBlue. Then, upon finding vulnerable devices, the script injects a DLL to download and run Ragnarok ransomware.
While it behaves like typical ransomware in most respects, Ragnarok has some significant differences that set it apart.
First, it excludes Russia and China from its encryption attacks; to do so, it checks the Windows language ID before proceeding.
Next, it attempts to disable Microsoft's Windows Defender to evade security checks. It also disables automatic Startup Repair, deletes Shadow Volume Copies, and shuts down the Windows Firewall.
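The tampering described above (Defender turned off, Startup Repair disabled, Shadow Copies removed, firewall shut down) is a useful set of host indicators for defenders to check. The following PowerShell script is an added example and not part of the article or of any published Ragnarok analysis; it only reads the current state of those four protections on a Windows host and reports which ones are no longer in place. The function name `Test-RagnarokTamperIndicators` is my own; the cmdlets and commands it calls (`Get-MpComputerStatus`, `Get-MpPreference`, `Get-NetFirewallProfile`, `bcdedit`, `vssadmin`) are standard Windows tooling, and the script should be run from an elevated session.

```powershell
# Added defensive example (not from the article): report whether the
# protections Ragnarok is said to tamper with are still enabled.
# Run in an elevated PowerShell session on the host being checked.
function Test-RagnarokTamperIndicators {
    $findings = @()

    # 1. Windows Defender real-time protection
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $mp -or -not $mp.RealTimeProtectionEnabled) {
        $findings += "Defender real-time protection is disabled or unavailable"
    }
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if ($pref -and $pref.DisableRealtimeMonitoring) {
        $findings += "Defender preference DisableRealtimeMonitoring is set"
    }

    # 2. Windows Firewall: every profile (Domain/Private/Public) should be enabled
    Get-NetFirewallProfile -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Enabled -eq 'False') {
            $findings += "Firewall profile '$($_.Name)' is disabled"
        }
    }

    # 3. Automatic Startup Repair: bcdedit shows 'recoveryenabled No' when it is off
    $bcd = bcdedit /enum '{default}' 2>$null
    if ($bcd -match 'recoveryenabled\s+No') {
        $findings += "Automatic Startup Repair (recoveryenabled) is turned off"
    }

    # 4. Volume Shadow Copies: vssadmin reports 'No items found' when none exist
    $shadows = vssadmin list shadows 2>$null
    if ($shadows -match 'No items found') {
        $findings += "No Volume Shadow Copies exist (possible deletion)"
    }

    # Return a single object so the result can be collected across many hosts
    [PSCustomObject]@{
        Hostname   = $env:COMPUTERNAME
        Checked    = Get-Date
        Findings   = $findings
        Suspicious = ($findings.Count -gt 0)
    }
}

Test-RagnarokTamperIndicators | Format-List
```

A non-empty `Findings` list is not proof of infection on its own (administrators legitimately change some of these settings), but on a host that is reachable from a Citrix ADC that was exposed to CVE-2019-19781, these four changes appearing together are worth escalating, and the script is cheap enough to run fleet-wide through existing remote-execution tooling.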
The encryption process itself, though, is similar to that of other ransomware: Ragnarok encrypts files with AES and then encrypts the generated AES key with a bundled RSA public key. It also renames each encrypted file by appending a '.ragnarok' extension.