Ragnarok is a recently observed ransomware used in targeted attacks against unpatched Citrix ADC servers vulnerable to CVE-2019-19781. This article analyzes the details of this ransomware, how it works and how to prevent it.
Ragnarok ransomware background
The security firm FireEye released a report about a new ransomware called Ragnarok, which criminals use to attack internal networks after compromising Citrix ADC servers vulnerable to CVE-2019-19781, a flaw that can be abused to execute arbitrary code.
The first stage of the ransomware is a PE file responsible for injecting into memory a Windows DLL (the second stage) that is packed inside the binary. The ransomware DLL itself is named cry_demo.dll and contains the malware configuration, details of the encryption routine, the whitelisted and targeted countries, and the ransom note.
Ragnarok: 1st stage analysis
From the analysis of the binary file, we can observe that inside the .data section there is a hardcoded PE file at offset 0x00011E20 with a size of 93124 bytes. This detail reveals that a second file, a DLL, will be injected into memory, decrypted, and then have the execution flow transferred to it.
Figure 1: First binary reveals another file hardcoded inside the .data section.
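Locating an embedded second-stage PE like the one above is a routine triage step. The following added example (not code from the original article or from FireEye) scans a buffer for embedded "MZ" headers, validates each against its "PE\0\0" signature, and reports the offset and on-disk size needed to carve the image out; the host and embedded stubs it runs on are constructed test fixtures, not real samples.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag: image is a DLL

def find_embedded_pe(data: bytes, start: int = 1) -> list:
    """Locate embedded PE images (every "MZ" at/after `start` whose e_lfanew points at
    "PE\\0\\0") and report offset, on-disk size (last section's PointerToRawData +
    SizeOfRawData), section count and DLL flag: everything needed to carve it."""
    hits = []
    pos = data.find(b"MZ", start)  # start=1 skips the host file's own MZ header
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\0\0":
                nsec, = struct.unpack_from("<H", data, pe + 6)
                opt_size, chars = struct.unpack_from("<HH", data, pe + 20)
                table = pe + 24 + opt_size  # section table follows the optional header
                end = 0
                for i in range(nsec):
                    raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * 40 + 16)
                    end = max(end, raw_ptr + raw_size)
                hits.append({"offset": pos, "size": end, "sections": nsec,
                             "is_dll": bool(chars & IMAGE_FILE_DLL)})
        pos = data.find(b"MZ", pos + 1)
    return hits

def carve_embedded_pe(data: bytes) -> list:
    """Return the raw bytes of every embedded image reported by find_embedded_pe."""
    return [data[h["offset"]:h["offset"] + h["size"]] for h in find_embedded_pe(data)]

def build_stub_pe(is_dll: bool, nsec: int = 1) -> bytes:
    """Constructed fixture: a structurally valid, empty PE32 skeleton (not real malware)."""
    chars = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE [| DLL]
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0xE0, chars)
    secs = b"".join(struct.pack("<8sIIIIIIHHI", b".data", 0x1000, 0x1000 * (i + 1),
                                0x200, 0x200 * (i + 1), 0, 0, 0, 0, 0xC0000040)
                    for i in range(nsec))
    header = (dos + coff + b"\0" * 0xE0 + secs).ljust(0x200, b"\0")
    return header + b"\0" * (0x200 * nsec)  # raw section data, all zeros

# Constructed sample: a host EXE stub with a DLL stub planted 0x100 bytes past its end.
HOST_SAMPLE = build_stub_pe(False) + b"\xCC" * 0x100 + build_stub_pe(True, 2) + b"\x90" * 32

if __name__ == "__main__":
    for h in find_embedded_pe(HOST_SAMPLE):
        print(f"embedded PE at 0x{h['offset']:08X}: {h['size']} bytes, DLL={h['is_dll']}")
```

On a real first-stage sample the embedded DLL may be encrypted in place, in which case the scan finds nothing until the buffer has been decrypted (for example, dumped from memory after the first stage unpacks it).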