Ragnarok Ransomware authors target Citrix ADC servers that are vulnerable to CVE-2019-19781. After they gain a foot hold, additional modules are downloaded to exploited server to scan for Windows computers on the network that are vulnerable to the EternalBlue. If they find, one then Ragnarok Ransomware is downloaded on that machine to encrypt user files. There is an exclusion list, if the victim has language code from China, Russia, Belarus, Russia, Turkmenistan, Ukraine, Latvia, Kazakhstan and Azerbaijan it will not encrypt data and simply pass. It also tries to disable Windows Defender but if the user has enable Windows 10 Tamper Protection this hack wont work.
Ragnarok Ransomware Sample Signatures
Family: Ransom:Win32/Genasom
MD5: 48452dd2506831d0b340e45b08799623
SHA256: b7319f3e21c3941fc2a960b67a150b02f1f3389825164140e75dfa023a73d34c
Ragnarok Ransomware Sample Download
