Ragnarok Ransomware Exploits Citrix Vulnerability To Target Vulnerable Servers

  •  
  •  
  •  
  • 1
  •  
  •  
  •  
    1
    Share

Here is another incident to reemphasize the need for patching the serious Citrix vulnerability (CVE-2019-19781). A new ransomware called Ragnarok is in the wild and is actively targeting vulnerable Citrix ADC servers.

Ragnarok Ransomware Exploiting Citrix

Researchers have found new ransomware involved in targeting vulnerable Citrix ADC servers. As revealed, the cybercriminals are exploiting the infamous Citrix vulnerability (CVE-2019-19781) to attack vulnerable machines.

The attackers first compromise the vulnerable Citrix ADC devices. If successful, they then download scripts to scan for Windows machines vulnerable to EternalBlue. Then, upon finding vulnerable devices, the script injects a DLL to download and run Ragnarok ransomware.

While it seems like typical ransomware, it bears some significant differences as well which makes it unique.

At first, it excludes Russia and China from encryption attacks. For this, it checks the Windows language ID.

Next, it attempts to disable Microsoft’s Windows Defender to bypass any security check. It also tends to disable automatic Startup repair, clears Shadow Volume Copies, and shuts down Windows Firewall.

Though, the encryption process of Ragnarok is similar to other ransomware. That is, it uses AES encryption for encrypting the files, whilst encrypting the generated key with bundled RSA encryption key. It also renames the encrypted files by adding a ‘.ragnarok’ extension.

While scanning the data, it skips any system files or those with ‘.exe’, ‘.dll’, ‘.sys’, along with some other specified file paths.

Citrix Vulnerability Patch Released

For now, it is not possible to remedy a Ragnarok encryption attack. Consequently, users need to be very careful about their security.

Windows users can certainly prevent this attack by activating the ‘Microsoft Tamper Protection’ in Windows 10 that prevents changes to Windows Defender.

Users must ensure patching the Citrix vulnerability in the first place to avoid Ragnarok and other potential attacks that exploit the flaw.

The following two tabs change content below.
Avatar

Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]
Avatar

Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

Do NOT follow this link or you will be banned from the site!