
Ragnarok Ransomware Exploits Citrix Vulnerability To Target Vulnerable Servers


duddy


Ragnarok Ransomware Exploiting Citrix


Researchers have found new ransomware targeting vulnerable Citrix ADC servers. As revealed, the cybercriminals are exploiting the infamous Citrix vulnerability (CVE-2019-19781) to attack vulnerable machines.

 

The attackers first compromise the vulnerable Citrix ADC devices. If successful, they then download scripts to scan for Windows machines vulnerable to EternalBlue. Then, upon finding vulnerable devices, the script injects a DLL to download and run Ragnarok ransomware. While it seems like typical ransomware, it bears some significant differences as well, which make it unique.

 

First, it excludes Russia and China from encryption attacks. For this, it checks the Windows language ID. Next, it attempts to disable Microsoft’s Windows Defender to bypass any security check. It also tends to disable automatic Startup Repair, clears Shadow Volume Copies, and shuts down Windows Firewall.

 

The encryption process of Ragnarok, though, is similar to other ransomware. That is, it uses AES encryption for encrypting the files, whilst encrypting the generated key with a bundled RSA encryption key. It also renames the encrypted files by adding a ‘.ragnarok’ extension. While scanning the data, it skips any system files or those with ‘.exe’, ‘.dll’, ‘.sys’, along with some other specified file paths.

Citrix Vulnerability Patch Released

 

For now, it is not possible to remedy a Ragnarok encryption attack. Consequently, users need to be very careful about their security. Windows users can certainly prevent this attack by activating the ‘Microsoft Tamper Protection’ in Windows 10 that prevents changes to Windows Defender. Users must make sure to patch the Citrix vulnerability in the first place to avoid Ragnarok and other potential attacks that exploit the flaw.

 

Source


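The recovery-inhibition and defense-evasion steps described in the post (clearing Shadow Volume Copies, disabling automatic Startup Repair, shutting down Windows Firewall, tampering with Windows Defender) all run before any file is encrypted, so they are the last point at which a host can be isolated with nothing lost. The Python below is an added example, not code from the original article or from the Ragnarok analysis it summarises: it runs simple command-line rules over constructed process-creation events (the shape of Sysmon Event ID 1 or Security 4688 data) and flags hosts where several of these behaviours appear together. The page does not quote Ragnarok’s exact command lines, so the patterns are an assumption covering the standard Windows built-ins for each action; the sample events, host names and timestamps are constructed.

```python
import re

# Rules for the pre-encryption behaviours described in the post. The page does
# not quote Ragnarok's exact command lines, so these patterns are an assumption:
# they match the standard Windows built-ins used for each action.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"
                r"|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("startup_repair_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("firewall_disabled",
     re.compile(r"\bnetsh(?:\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I)),
    ("defender_tampering",
     re.compile(r"windows defender.*\bdisable(?:antispyware|realtimemonitoring)\b"
                r"|\bset-mppreference\b.*-disable\w+\s+\$?true\b", re.I)),
]

# Constructed process-creation events (Sysmon EID 1 / Security 4688 shape);
# these are not real telemetry from any incident.
SAMPLE_EVENTS = [
    # Backup agent on a file server only lists shadows: must not fire.
    {"ts": "2020-02-26T09:12:01Z", "host": "SRV-FS01", "parent": "backupagent.exe",
     "cmdline": "vssadmin.exe list shadows"},
    # Workstation showing the whole sequence from the post within seconds.
    {"ts": "2020-02-26T09:15:10Z", "host": "WS-042", "parent": "cmd.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"ts": "2020-02-26T09:15:11Z", "host": "WS-042", "parent": "cmd.exe",
     "cmdline": "vssadmin  delete shadows /all /quiet"},
    {"ts": "2020-02-26T09:15:12Z", "host": "WS-042", "parent": "cmd.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"ts": "2020-02-26T09:15:13Z", "host": "WS-042", "parent": "cmd.exe",
     "cmdline": 'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" '
                "/v DisableAntiSpyware /t REG_DWORD /d 1 /f"},
    # Admin disabling the firewall for a test: one technique, stays below threshold.
    {"ts": "2020-02-26T10:02:40Z", "host": "WS-007", "parent": "explorer.exe",
     "cmdline": "netsh advfirewall set currentprofile state off"},
]


def classify(cmdline):
    """Return the technique labels whose pattern matches this command line."""
    normalised = " ".join(cmdline.split())  # collapse runs of whitespace
    return [label for label, pattern in RULES if pattern.search(normalised)]


def scan(events):
    """Map each host to the sorted list of distinct techniques seen on it."""
    seen = {}
    for ev in events:
        for label in classify(ev["cmdline"]):
            seen.setdefault(ev["host"], set()).add(label)
    return {host: sorted(labels) for host, labels in seen.items()}


def suspicious_hosts(events, min_techniques=2):
    """Hosts showing at least min_techniques distinct pre-encryption behaviours.

    A lone hit (an admin turning the firewall off) is noise; several distinct
    techniques on one host match the sequence the post describes.
    """
    return sorted(host for host, labels in scan(events).items()
                  if len(labels) >= min_techniques)


if __name__ == "__main__":
    for host, labels in scan(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(labels)}")
    print("escalate:", suspicious_hosts(SAMPLE_EVENTS))
```

A single rule firing is common in normal administration, so the escalation function only raises a host once two or more distinct techniques land on it; in production the same rules would be evaluated per host inside a short time window and joined to the parent process, so that a burst launched from a dropped binary can be told apart from an administrator’s interactive shell.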


Formatting and Paragraphing Corrected


Your original post before the correction was made, e.g. view with Nsane Dark Theme.



18 hours ago, Mach1 said:

Formatting and Paragraphing Corrected
Thanks bro @Mach1 for your sustained efforts to make corrections.



18 hours ago, Mach1 said:

Formatting and Paragraphing Corrected
Promise to improve upon the formatting issues as far as I am able to. Thanks for being a mentor dear @Mach1! :sorry:



Archived

This topic is now archived and is closed to further replies.
