Here is another incident to reemphasize the need for patching the serious Citrix vulnerability (CVE-2019-19781). A new ransomware called Ragnarok is in the wild and is actively targeting vulnerable Citrix ADC servers.
Ragnarok Ransomware Exploiting Citrix
Researchers have found new ransomware involved in targeting vulnerable Citrix ADC servers. As revealed, the cybercriminals are exploiting the infamous Citrix vulnerability (CVE-2019-19781) to attack vulnerable machines.
The attackers first compromise the vulnerable Citrix ADC devices. If successful, they then download scripts to scan for Windows machines vulnerable to EternalBlue. Then, upon finding vulnerable devices, the script injects a DLL to download and run Ragnarok ransomware.
While it seems like typical ransomware, it bears some significant differences as well which makes it unique.
At first, it excludes Russia and China from encryption attacks. For this, it checks the Windows language ID.
Next, it attempts to disable Microsoft’s Windows Defender to bypass any security check. It also tends to disable automatic Startup repair, clears Shadow Volume Copies, and shuts down Windows Firewall.
Though, the encryption process of Ragnarok is similar to other ransomware. That is, it uses AES encryption for encrypting the files, whilst encrypting the generated key with bundled RSA encryption key. It also renames the encrypted files by adding a ‘.ragnarok’ extension.
While scanning the data, it skips any system files or those with ‘.exe’, ‘.dll’, ‘.sys’, along with some other specified file paths.
Citrix Vulnerability Patch Released
For now, it is not possible to remedy a Ragnarok encryption attack. Consequently, users need to be very careful about their security.
Windows users can certainly prevent this attack by activating the ‘Microsoft Tamper Protection’ in Windows 10 that prevents changes to Windows Defender.
Users must ensure patching the Citrix vulnerability in the first place to avoid Ragnarok and other potential attacks that exploit the flaw.