New Threat On The Block: Ragnarok Ransomware

Previously, we discussed Ako Ransomware, and examined both its impact and the threat it poses. But keeping your IT infrastructure secure necessitates staying up-to-date with the various forms of ransomware and malicious software out there, and drawing lessons where necessary. 

One of the latest forms of ransomware is Ragnarok.

We’ve seen a sharp increase in instances of the Ragnarok ransomware strain since the beginning of 2020, and if you’re not an ITsMine customer yet, it’s important to familiarize yourself with this threat.

Research shows that over 80,000 companies are exposed to this attack through unpatched Citrix ADC appliances. According to experts, companies in the following countries are most exposed: the United States (the absolute leader, with over 38% of all vulnerable organizations), the UK, Germany, the Netherlands, and Australia. 

What’s also concerning to organizations is that ransom demands are going up significantly – recent attacks have demanded over $650,000. That’s in addition to the other costs companies face, such as regulatory requirements, legal fees, and loss of customer trust. With ransomware attacks, data is often compromised too: Ragnarok’s note threatens to publish the victim’s files if no payment arrives. According to IBM, the average total cost of a data breach is $3.92m.

What Is Ragnarok?

Ragnarok is ransomware that encrypts files on a victim’s computer. It marks each encrypted file with a .ragnarok extension and drops a ransom note called !!ReadMe_To_Decrypt_My_Files.txt in every affected folder on the computer. 

The note demands that the victim contact the attackers via asgardmaster5@protonmail.com, ragnar0k@ctemplar.com or j.jasonm@yandex.com to receive a specific ransom price in Bitcoin. Usually, the price demanded is around 1 Bitcoin per affected computer or 5 Bitcoins for all infected machines. 

The Ransom Note

The following is the text of the ransom note that Ragnarok drops alongside the files it encrypts: 

“It’s not late to say happy new year right? but how didn’t i bring a gift as the first time we met 🙂

#what happend to your files?

Unfortunately your files are encrypted with rsa4096 and aes encryption,you won’t decrypt your files without our tool

but don’t worry,you can follow the instructions to decrypt your files 

1.obviously you need a decrypt tool so that you can decrypt all of your files

2.contact with us for our btcoin address and send us your DEVICE ID after you decide to pay

3.i will reply a specific price e.g 1.0011 or 0.9099 after i received your mail including your DEVICE ID

4.i will send your personal decrypt tool only work on your own machine after i had check the ransom paystatus

5.you can provide a file less than 1M for us to prove that we can decrypt your files after you paid

6.it’s wise to pay as soon as possible it wont make you more losses

the ransome: 1 btcoin for per machine,5 bitcoins for all machines

how to buy bitcoin and transfer? i think you are very good at googlesearch

asgardmaster5@protonmail.com

ragnar0k@ctemplar.com

j.jasonm@yandex.com

Attention:if you wont pay the ransom in five days, all of your files will be made public on internet and will be deleted

YOUR DEVICE ID:

xx”

How It Works

Ragnarok gets onto networks by exploiting unpatched Citrix ADC servers that are vulnerable to CVE-2019-19781, a directory traversal flaw in Citrix ADC and Gateway that allows unauthenticated remote code execution. This vulnerability has since been patched, but networks that haven’t installed the update are still exposed. 
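Because the initial access runs through the Citrix appliance, the earliest place to spot a Ragnarok intrusion is the appliance’s web access log rather than the Windows hosts. The following Python script is an added example, not code from the original post or from any Citrix tooling: it scans combined-format access-log lines for requests that reach the /vpns/ tree through a “..” path segment, which is the request shape used against CVE-2019-19781 and the same condition Citrix’s own responder-policy mitigation blocks. The log lines are constructed for the example (the IPs and the example.pl script name are placeholders), and the script decodes percent-encoding twice so that double-encoded traversal does not slip past the check.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic from the original
# post): a normal portal request, a URL-encoded traversal probe, a plain
# traversal POST from the same source, and an unrelated logon page hit.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2020:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 5123
203.0.113.9 - - [12/Jan/2020:10:01:07 +0000] "GET /vpn/..%2fvpns/cfg/smb.conf HTTP/1.1" 200 83
203.0.113.9 - - [12/Jan/2020:10:01:09 +0000] "POST /vpn/../vpns/portal/scripts/example.pl HTTP/1.1" 200 0
198.51.100.7 - - [12/Jan/2020:10:02:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 2048
"""

# Request line inside a combined-format log entry: method, path, protocol.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def normalize_path(raw_path):
    """Strip the query string, percent-decode twice (double encoding is a
    common way to sneak '..' past naive filters) and unify slashes."""
    path = raw_path.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path.replace("\\", "/")


def is_traversal_to_vpns(raw_path):
    """True when a request reaches the /vpns/ tree through a '..' segment,
    i.e. the path shape used to exploit CVE-2019-19781."""
    segments = normalize_path(raw_path).lower().split("/")
    return ".." in segments and "vpns" in segments


def scan_access_log(text):
    """Return one record per matching request: source IP, method and the
    decoded path, in log order."""
    hits = []
    for line in text.splitlines():
        match = REQ_RE.search(line)
        if match is None:
            continue
        if is_traversal_to_vpns(match.group("path")):
            hits.append({
                "src": line.split(" ", 1)[0],
                "method": match.group("method"),
                "path": normalize_path(match.group("path")),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['src']} {hit['method']} {hit['path']}")
```

Run against the constructed log, the two requests from 203.0.113.9 are flagged and the ordinary portal and logon requests are not. A hit with a 200 response on a POST, as in the third line, is the one to treat as a probable compromise rather than a scan, since the appliance accepted the request.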

Once executed on the target system, the Ragnarok ransomware checks the Windows language ID (LCID) of the installed version of Windows. Ragnarok has a language exclusion list that aborts the encryption process if the victim’s computer is set to one of the following languages:

  • 0419 = Russian (Russia)
  • 0423 = Belarusian (Belarus)
  • 0444 = Tatar (Russia)
  • 0442 = Turkmen (Turkmenistan)
  • 0422 = Ukrainian (Ukraine)
  • 042c = Azerbaijani (Azerbaijan)
  • 0426 = Latvian (Latvia)
  • 043f = Kazakh (Kazakhstan)
  • 0804 = Chinese (China)

This language exclusion list is an interesting clue as to Ragnarok’s origin: ransomware developers based in Russia or the Commonwealth of Independent States (CIS) rarely exclude China from their list.

If the language ID is not on this list, the attack proceeds. Ragnarok first attempts to disable Windows Defender by setting the following policy values in the registry, each of which switches off one protection feature: 

  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender “DisableAntiSpyware” = 1
  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection “DisableRealtimeMonitoring” = 1
  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection “DisableBehaviorMonitoring” = 1
  • HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection “DisableOnAccessProtection” = 1

If the victim has the Windows 10 Tamper Protection feature turned on, these policy values have no effect: Defender ignores them and real-time protection stays on. 

Next, Ragnarok runs the following commands through cmd.exe (hence the leading /c). The first deletes all Volume Shadow Copies, so that earlier versions of files cannot be restored; the two bcdedit commands disable Windows automatic startup repair; and the last turns off the Windows Firewall for all profiles:

  • /c vssadmin delete shadows /all /quiet
  • /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
  • /c bcdedit /set {current} recoveryenabled no
  • /c netsh advfirewall set allprofiles state off
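The Defender policy writes and the four commands above are a compact, ordered sequence that almost never occurs together during normal administration, which makes it a good host-based detection even when the encryption itself is not yet visible. The following Python script is an added example, not code from the original post or from ITsMine: it classifies simplified Sysmon-style events (registry value sets and process creations, constructed here with placeholder hostnames) against one rule per preparation step and only raises an alert for a host that trips several distinct rules, so a lone administrative vssadmin cleanup does not page anyone. Because Tamper Protection makes Defender ignore the policy values rather than preventing the attempt, the registry write can still surface in telemetry and is worth alerting on even on protected hosts.

```python
import re
from collections import defaultdict

# Constructed, simplified Sysmon-style events (not data from the original
# post). "registry" events model Event ID 13 (value set) with the target as
# key\valuename; "process" events model Event ID 1 (process create).
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "registry",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "data": "DWORD (0x00000001)"},
    {"host": "WS01", "type": "registry",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "data": "DWORD (0x00000001)"},
    {"host": "WS01", "type": "process",
     "cmdline": r"C:\Windows\System32\cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"host": "WS01", "type": "process",
     "cmdline": r"C:\Windows\System32\cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures"},
    {"host": "WS01", "type": "process",
     "cmdline": r"C:\Windows\System32\cmd.exe /c bcdedit /set {current} recoveryenabled no"},
    {"host": "WS01", "type": "process",
     "cmdline": r"C:\Windows\System32\cmd.exe /c netsh advfirewall set allprofiles state off"},
    # A lone shadow-copy cleanup by an admin on another host: suspicious on
    # its own, but not the full preparation sequence.
    {"host": "WS02", "type": "process",
     "cmdline": r"C:\Windows\System32\cmd.exe /c vssadmin delete shadows /all /quiet"},
]

DEFENDER_POLICY_KEY = r"hklm\software\policies\microsoft\windows defender"
DEFENDER_KILL_VALUES = {
    "disableantispyware", "disablerealtimemonitoring",
    "disablebehaviormonitoring", "disableonaccessprotection",
}

# One rule per preparation step described in the write-up.
COMMAND_RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "boot_recovery_disabled": re.compile(
        r"bcdedit(?:\.exe)?\s+/set\s+\{current\}\s+"
        r"(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "firewall_disabled": re.compile(
        r"netsh(?:\.exe)?\s+advfirewall\s+set\s+allprofiles\s+state\s+off", re.I),
}


def _dword_is_one(data):
    """Accept either an int or Sysmon's 'DWORD (0x00000001)' rendering."""
    if isinstance(data, int):
        return data == 1
    match = re.search(r"0x([0-9a-f]+)", str(data), re.I)
    return match is not None and int(match.group(1), 16) == 1


def classify_event(event):
    """Return the name of the rule an event triggers, or None."""
    if event["type"] == "registry":
        target = event["key"].lower().replace("hkey_local_machine", "hklm")
        base, _, value_name = target.rpartition("\\")
        if (base.startswith(DEFENDER_POLICY_KEY)
                and value_name in DEFENDER_KILL_VALUES
                and _dword_is_one(event["data"])):
            return "defender_policy_disabled"
        return None
    if event["type"] == "process":
        for name, pattern in COMMAND_RULES.items():
            if pattern.search(event["cmdline"]):
                return name
    return None


def detect_ransomware_prep(events, threshold=3):
    """Collect the distinct rules each host trips and return only hosts at
    or above `threshold`, which separates the full disable-protection,
    destroy-recovery, drop-firewall sequence from a one-off admin command."""
    rules_per_host = defaultdict(set)
    for event in events:
        rule = classify_event(event)
        if rule is not None:
            rules_per_host[event["host"]].add(rule)
    return {host: sorted(rules)
            for host, rules in rules_per_host.items()
            if len(rules) >= threshold}


if __name__ == "__main__":
    for host, rules in detect_ransomware_prep(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(rules)}")
```

On the constructed events WS01 is reported with all four rule names while WS02, which only deleted shadow copies, stays below the threshold; lowering `threshold` to 1 turns the script into a plain per-command detector if that noise level is acceptable in your environment.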

Once these preparation tasks are complete, Ragnarok begins encrypting files. Like most modern ransomware it uses a hybrid scheme: files are encrypted with AES under a randomly generated key, and that AES key is then encrypted with an RSA public key bundled in the binary. Only the holder of the matching RSA private key, the ransomware operators, can recover the AES key and therefore the files. 

Although security vendors have analyzed Ragnarok extensively, no weakness in its encryption is known and there is no free decryptor, so files cannot be recovered without the attackers’ key. 

Protecting Against Ragnarok

As previously mentioned, the two main steps to protect your systems against Ragnarok are: 

  1. Ensuring that any Citrix ADC servers are up to date and CVE-2019-19781 is patched; an appliance that was exposed while unpatched should also be examined, since patching does not remove an attacker who has already used the flaw
  2. Making sure that Windows 10 Tamper Protection is turned on, so that the Defender policy changes described above are ignored

Because Ragnarok deletes Volume Shadow Copies before it encrypts anything, shadow copies are not a backup; keep copies of important data that a process running with administrator rights on the host cannot delete.

Malicious ransomware developers are always searching for any kind of vulnerability to exploit. Ragnarok’s operators picked CVE-2019-19781; the next campaign will pick whatever is left unpatched at the time.  

It is more important than ever to ensure that your IT infrastructure is guarded against any kind of threat, and that your data is protected, wherever it may be. 

This is where ITsMine comes in. ITsMine’s Beyond DLP™  is the only Data Loss Prevention solution to protect against ransomware as a last line of defense.

The solution can isolate managed or unmanaged devices when they encrypt files on the file storage system (on-premise or in the cloud). It does this by tracking thousands of software mines (decoy files that act as sensors) in the file storage system – and if any device is encrypting, changing (as next-generation ransomware is increasingly doing) or accessing that data, ITsMine’s Beyond DLP will isolate that device.

Installation is quick and easy, its unique architecture makes it affordable for businesses of all sizes, and most importantly it’s highly effective at keeping you protected.

To find out more about Ragnarok Ransomware, get the most effective DLP solution, or to discuss your DLP needs, get in touch with us.