Ragnarok Ransomware authors target Citrix ADC servers that are vulnerable to CVE-2019-19781. After they gain a foothold, additional modules are downloaded to the exploited server to scan for Windows computers on the network that are vulnerable to EternalBlue. If they find one, Ragnarok Ransomware is downloaded onto that machine to encrypt user files. There is an exclusion list: if the victim has a language code from China, Russia, Belarus, Turkmenistan, Ukraine, Latvia, Kazakhstan or Azerbaijan, the ransomware will not encrypt data and simply passes. It also tries to disable Windows Defender, but if the user has enabled Windows 10 Tamper Protection, this hack won't work.
Ragnarok Ransomware Sample Signatures
Ragnarok Ransomware Sample Download