Malware analysis: Ragnarok ransomware

Ragnarok is a ransomware family recently used in targeted attacks against unpatched Citrix ADC servers vulnerable to CVE-2019-19781. This article analyzes how the ransomware works and how to prevent it.

Ragnarok ransomware background

The security firm FireEye released a report about a new ransomware called Ragnarok, which criminals deploy on internal networks after compromising Citrix ADC servers vulnerable to CVE-2019-19781, a flaw that can be abused to execute arbitrary code.

The first stage of the ransomware is a PE file whose job is to load into memory a Windows DLL, the second stage, which is packed inside the binary. The ransomware DLL itself is named cry_demo.dll and contains the configuration, information about the ransomware's activities, the whitelisted and targeted countries, and the ransom note.

Ragnarok: 1st stage analysis

Analysis of the binary shows that the .data section holds a hardcoded PE file at offset 0x00011E20 with a size of 93124 bytes. This reveals that a second file, a DLL, will be decrypted, injected into memory and handed the execution flow.

Figure 1: First binary reveals another file hardcoded inside the .data section.

After executing
