Ragnarok: response and recovery actions
The first discovered sample of the Ragnarok ransomware (also known as Asnarok) dates back to the end of 2019, first appearing in threat reports on January 1, 2020.
Its operators followed a business model based on selecting large entities, seeking to maximize the probability of receiving payment. To this end, they practiced double extortion, threatening to erase and disclose the compromised data if payment was not made.
In August 2021, they ceased all their activities and released their private keys along with instructions to decrypt the compromised data.
Characteristics
Motivation
Like most ransomware, it was designed primarily to extort victims for financial gain: it infiltrates victims' systems, encrypts their data and then demands payment, usually in cryptocurrency (typically bitcoin), to unlock the data and not disclose it publicly.
The cybercriminals implemented a mechanism to check the target system's language settings in the Windows registry.
The attackers were looking for English- or French-speaking targets. To do this, they created a whitelist of certain languages, such as Russian, Chinese or Spanish, to prevent the malware from running in countries where these languages predominate. The real motive is unknown, but it could be a way to avoid drawing the attention of law enforcement in the countries where criminal groups originate, or to target regions with a greater willingness to pay ransoms.
- Countries on the Ragnarok whitelist - Source
Evasion of detection and recovery
Ragnarok makes use of several common techniques to bypass anti-malware mechanisms, such as:
- Self-deletion of its initial files, so that the malware works mainly in memory.
- Disabling Windows Defender to bypass detection by changing values in the Windows registry.
- Disabling Windows Defender - Source -
- Disabling the firewall in all profiles of the target system, to prevent blocking of network connections established by the malware.
- Disabling Windows Firewall - Source -
- Elimination of shadow copies, or backup snapshots, taken by Windows as a protection mechanism, to prevent the system from being restored to a pre-infection state.
- Removing shadow copies - Source -
- Disabling recovery and safe mode, modifying the boot configuration data to prevent the system from starting in these modes.
- Disabling Recovery and Failover Modes - Source -
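The four techniques above leave a distinctive trace in process-creation telemetry, and they tend to appear together on one host within seconds. As an added example (not code from the original article), the following Go program scans constructed process-creation records for that cluster and alerts when several distinct techniques are seen on the same host. The log format, host names and command lines are constructed, and the patterns are the common command-line forms of these techniques, not the exact commands of the Ragnarok sample, which the article shows only in its figures.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Rule pairs a technique name with a pattern for the command line seen in
// process-creation telemetry (Sysmon Event ID 1, Windows Security 4688, EDR).
type Rule struct {
	Name    string
	Pattern *regexp.Regexp
}

// Rules cover the four techniques listed above. The exact commands used by
// the Ragnarok sample are only shown in the article's figures, so these
// patterns are assumptions about the common command-line forms, not copies.
var Rules = []Rule{
	{"defender_disabled_via_registry",
		regexp.MustCompile(`(?i)\breg(\.exe)?\s+add\s+.*windows defender.*disableantispyware`)},
	{"firewall_disabled_all_profiles",
		regexp.MustCompile(`(?i)\bnetsh(\.exe)?\s+advfirewall\s+set\s+allprofiles\s+state\s+off`)},
	{"shadow_copies_deleted",
		regexp.MustCompile(`(?i)\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete`)},
	{"recovery_mode_disabled",
		regexp.MustCompile(`(?i)\bbcdedit(\.exe)?\s+.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)`)},
}

// SampleLogs are constructed process-creation records in a simple
// "timestamp host=<name> cmd='<command line>'" form; they are not real telemetry.
var SampleLogs = []string{
	`2021-08-01T10:02:11Z host=WS01 cmd='vssadmin.exe delete shadows /all /quiet'`,
	`2021-08-01T10:02:12Z host=WS01 cmd='netsh advfirewall set allprofiles state off'`,
	`2021-08-01T10:02:13Z host=WS01 cmd='bcdedit /set {default} recoveryenabled no'`,
	`2021-08-01T10:02:14Z host=WS01 cmd='reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'`,
	`2021-08-01T11:15:00Z host=SRV02 cmd='vssadmin.exe list shadows'`,
	`2021-08-01T11:16:02Z host=SRV02 cmd='notepad.exe C:\Users\admin\notes.txt'`,
}

var lineRe = regexp.MustCompile(`host=(\S+)\s+cmd='(.*)'\s*$`)

// Classify returns the names of all rules a single command line matches.
func Classify(cmd string) []string {
	var hits []string
	for _, r := range Rules {
		if r.Pattern.MatchString(cmd) {
			hits = append(hits, r.Name)
		}
	}
	return hits
}

// Scan walks the log lines and returns, per host, the distinct techniques
// observed (sorted so the output is deterministic). Hosts with no hits are absent.
func Scan(lines []string) map[string][]string {
	seen := map[string]map[string]bool{}
	for _, line := range lines {
		m := lineRe.FindStringSubmatch(line)
		if m == nil {
			continue // not a record in the expected form
		}
		host, cmd := m[1], m[2]
		for _, name := range Classify(cmd) {
			if seen[host] == nil {
				seen[host] = map[string]bool{}
			}
			seen[host][name] = true
		}
	}
	out := map[string][]string{}
	for host, names := range seen {
		for n := range names {
			out[host] = append(out[host], n)
		}
		sort.Strings(out[host])
	}
	return out
}

// Alert returns the hosts on which at least threshold distinct techniques were
// seen. A lone "vssadmin delete shadows" can be routine maintenance; several of
// these in one burst on one host is the pre-encryption pattern described above.
func Alert(findings map[string][]string, threshold int) []string {
	var hosts []string
	for host, names := range findings {
		if len(names) >= threshold {
			hosts = append(hosts, host)
		}
	}
	sort.Strings(hosts)
	return hosts
}

func main() {
	findings := Scan(SampleLogs)
	for host, names := range findings {
		fmt.Printf("%s: %v\n", host, names)
	}
	fmt.Println("alert on:", Alert(findings, 3))
}
```

The threshold is the design choice that matters: each command on its own has legitimate administrative uses, so the rule keys on the combination per host rather than on any single command, which keeps false positives from backup jobs and firewall changes low while still catching the burst that precedes encryption.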
Encryption
Ragnarok uses a self-injection method to unpack a DLL library called cry_demo.dll. This file is particularly important as it contains the code and logic needed to execute the encryption of the victim's files.
The encryption process is done in a fairly systematic way. The ransomware traverses the system's directories, selecting target files and encrypting them with the AES-256 algorithm. This operation is performed with a randomly generated symmetric key per file, ensuring that each file is uniquely encrypted.
Then, to make decryption even more difficult, it encrypts this symmetric key with RSA-4096, using the attackers' public key. This adds an extra layer of encryption: the symmetric key needed to decrypt the files can only be recovered with the RSA private key, which is in the possession of the attackers.
Finally, it changes the extension of the encrypted files to ".thor" or ".ragnarok". This final step signals that the encryption process is complete and that the files are accessible only to those in possession of the decryption key.
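To make the key hierarchy concrete, here is an added Go example (not code from the article or from the malware) of the scheme just described: a fresh AES-256 key per file, wrapped with an RSA public key, and the recovery step that became possible once the private keys were released. The article states only the algorithms and key sizes, so AES-GCM, OAEP padding and the in-memory record layout are assumptions made for this example; it operates on byte strings, not on files.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// EncryptedFile is an in-memory stand-in for one encrypted file: the per-file
// AES-256 key wrapped with the RSA public key, the nonce, and the ciphertext.
// Ragnarok's real on-disk layout is not described in the article; this layout
// is an assumption made for the example.
type EncryptedFile struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// EncryptFile follows the scheme described above: a fresh random 256-bit key
// per file, the data encrypted with AES (GCM mode is assumed; the article does
// not name the mode), and the file key itself encrypted with the RSA public
// key (OAEP padding is likewise assumed).
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32) // 256 bits
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// DecryptFile is the recovery path: the file key can only be unwrapped with the
// matching RSA private key. While the operators held that key, victims had no
// way to recover the file keys; once the key was released, a decryptor could do
// exactly this for every file.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key with this private key: %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// newGCM builds the AES-GCM AEAD for a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// 4096-bit key as in the article; generation takes a few seconds.
	priv, err := rsa.GenerateKey(rand.Reader, 4096)
	if err != nil {
		panic(err)
	}
	doc := []byte("constructed sample document")
	ef, err := EncryptFile(&priv.PublicKey, doc)
	if err != nil {
		panic(err)
	}
	back, err := DecryptFile(priv, ef)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered with the private key: %q\n", back)

	other, _ := rsa.GenerateKey(rand.Reader, 4096)
	_, err = DecryptFile(other, ef)
	fmt.Println("with a different private key:", err)
}
```

The second call in main is the situation a victim was in before August 2021: the ciphertext and the wrapped key are all on disk, but without the operators' private key the wrapped key cannot be opened, so the per-file AES key, and with it the file, stays out of reach.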
Infection and spread
Initial reports of the Ragnarok campaigns indicated the existence of two different attack vectors:
- Path traversal on Citrix ADC (CVE-2019-19781): allows arbitrary code execution on the host. Once exploited, the attacker downloads and executes a bash script called "ld.sh", which in turn downloads a series of Python scripts and additional resources to launch the attack. After downloading, the "de.py" script unzips and decrypts the "piz.Lan" file, a zip archive containing exploitation scripts for the well-known Windows EternalBlue vulnerability (CVE-2017-0144). Exploiting it allows remote code execution in the Windows Server Message Block (SMB) service, giving access to vulnerable Windows systems on the network of the initially affected host. This same vulnerability was used by WannaCry a few years earlier and is often used to spread a threat as widely as possible within the network.
- Loader ld.sh - Source -
- SQL injection in Sophos Firewall (CVE-2020-12271): using a SQL injection in PostgreSQL, a file named "Install.sh" is downloaded from "hxxps://sophosfirewallupdate.com" and executed; it attempts to manipulate the database and download several additional files (such as "lp.sh"). It also adds persistence in a service file used by the firewall, to maintain remote access each time the system starts.
The system's IP address is also replaced, so that it is no longer visible in the firewall interface. The payload is an executable binary called "b", which spreads the EternalBlue threat to the rest of the Windows systems on the network.
- Effect of the attack after editing the Sophos Firewall database. Source
Prevention and response
The best way to prevent an attack that exploits a vulnerability is to apply security patches and keep software updated to the latest available version. It is therefore advisable to track and monitor vulnerabilities through the security advisories or bulletins published by vendors and reference CERTs, which allows them to be detected early. In this specific case, it is essential to apply the security patches that fix the Sophos, Citrix and Windows vulnerabilities.
In addition, making backups is another recommended measure to mitigate the effects of a possible Ragnarok attack, since it would allow the information to be recovered if it were compromised. However, this would not prevent the attacker from disclosing that information.
As a response measure, the No More Ransom project provides a decryption tool, published and documented by Emsisoft, after the Ragnarok operators released their private keys. It is easy to use, although not all variants of Ragnarok appear to be supported. The disinfection process is as follows:
- Download, accept the terms, and install the program:
- Ragnarok Decryption Tool installation screen -
- Attach the ransom note from the affected system to the tool. This step fails if the attack variant is not supported.
- The initial options screen of the tool -
- Ransom note verification screen -
- After selecting the folders with the affected files, the tool begins the decryption process. The tool offers the option to save a copy of the encrypted files.
- Options screen -
- Scan completion screen -
- At the conclusion of the process, a report of the decryption process is presented, pointing out any problems that have been found. This information can be recorded in a log using the "save log" button to share with other researchers or stored as evidence of the process.
Conclusions
During the well-known Ragnarok campaigns, the exploitation of vulnerabilities in Sophos and Citrix was used as the main vector. This demonstrates the critical need for organizations to keep their systems up-to-date and protected against these threats. It is important to remember that while decryption tools can be useful in some circumstances, the best defense against ransomware is prevention, which includes adopting good security practices such as regular updates, data backups, and good cybersecurity training and awareness.
The story of Ragnarok serves as a powerful reminder of the importance of cybersecurity and how a threat can emerge, evolve, and eventually fade away, only to be replaced by another new threat.