Malware analysis: Ragnarok ransomware
Ragnarok is recent ransomware used in targeted attacks against unpatched Citrix ADC servers vulnerable to the CVE-2019-19781 vulnerability. This article will analyze the details of this ransomware, how it works and how to prevent it.
Ragnarok ransomware background
The security firm FireEye released a report about a new ransomware called Ragnarok, which criminals use to attack internal networks after compromising Citrix ADC servers vulnerable to the CVE-2019-19781 — flaw that can be abused to execute arbitrary code.
The first stage of the ransomware is a PE file responsible for injecting into the memory a Windows DLL — the 2nd stage — packed inside the binary. The ransomware DLL itself is named cry_demo.dll, which contains the malware configuration, information regarding the encryption activities, whitelisted and target countries, and the ransom note.
Ragnarok: 1st stage analysis
From the analysis of the binary file, we can observe that inside the .data section, there is a hardcoded PE file in the offset 0x00011E20 with the size 93124. This detail reveals that a 2nd file, a DLL, will be injected into the memory, decrypted and the execution flow transferred to it.
Figure 1: First binary reveals another file hardcoded inside the .data section.
After executing the loader, the binary loads the DLL from the .data section into the memory using the HeapAlloc() call. Next, parts of the string are deobfuscated using a bitwise NOT operation, and the code is injected with the VirtualAlloc() as presented in Figure 2.
Figure 2: Hardcoded DLL injected into the memory (Ragnarok itself).
The new DLL (Ragnarok ransomware) has the original name “cry_demo.dll.” It was built with a nonsense timestamp and exports only a function: “start.” This is its entry point to start the infection chain.
Figure 3: Details about the Ragnarok DLL injected into the memory.
Ragnarok DLL
At first glance, the DLL has hardcoded some interesting strings mainly found and related to the file encryption mechanism, namely:
- sprintf() and swprintf(); and
- MoveFileW(), CreateFileA(), WriteFile() and ReadFile();
Figure 4: Strings found during the Ragnarok DLL analysis.
Other interesting strings are the “key,” “value” and “language.” As shown below, the ransomware starts by obtaining the system language to validate it is within a hardcoded allowlist provided by the ransomware developers.
The strings “ip,” “port,” “GET” and “HTTP/1.1” are clear indicators this piece of malware will send some information to its C2 during the infection chain.
Finally, the ransomware seems to delete the shadow copies after damaging the target machine by observing the strings “cmd_shadow” and “cmd_shadow1” inside the DLL file. However, some information will still look obfuscated. The ransomware configuration is decrypted in run-time.
Digging into the details
During the execution of the ransomware, the ransomware configuration is decrypted as a JSON object containing the different fields.
Figure 5: Ragnarok configuration in JSON format.
Some interesting key/values available on the JSON file are:
calc, white and black: target files’ extensions to encrypt and extensions to bypass during the encryption process.
Figure 6: Target and allowlisted extensions.
ip and port: C2 IP address and port.
Figure 6: Ragnarok IP address and port.
The ransomware sends an HTTP request to its C2 server (IP and port contained in the configuration fields). The request is composed of the hostname and private IP address fields and the “Start“ parameter, indicating the beginning of the encryption process.
name: the name of the ransomware note.
Figure 7: Encrypted files with the extension .thor.
The malware encrypts the files with RSA 4096 and AES cryptographic algorithms. The file extension “.thor” is appended to the damaged files, and a new file called “!!Read_Me.html” is created into each encrypted folder. This HTML file contains the ransomware note and the other details criminals provide to convince the victims to pay to recover the original files.
Figure 8: Ransomware note of Ragnarok.
proc: processes to terminate during the ransomware execution. In detail, the proc field contains a list of processes that can lock some files, and the ransomware needs to kill those processes before starting the encryption activity.
Figure 9: Processes terminated by Ragnarok during the encryption process.
key: registry paths with processes to disable (firewall, shadow copies and so on).
The ransomware executes the operations present in the cmd_shadow, cmd_shadow1, cmd_boot, cmd_recovery and cmd_firewall fields according to the operating system architecture. For instance, the execution of the cmd_shadow command will delete the Windows shadow copies. The firewall is also disabled, and some options are added to the boot’s settings. Additionally, the ransomware also disables the Windows Defender.
Figure 10: Operations performed by Ragnarok during its execution. The shadow copies are deleted, and Windows Defender and firewall are disabled.
language: allowlisted countries on the ransomware configuration.
During its execution, the ransomware performs some queries to obtain additional information from the Windows registry. The ransomware terminates its execution if any of the following languages’ codes match.
Figure 11: Allowlisted language codes contained inside the ransomware config. If any language matches, the ransomware terminates its execution.
api: API hashing (the original call names).
Many Windows API calls are mapped during run-time. This is a technique used by malware developers to evade AV detection.
Figure 12: Part of the API names available on the configuration file.
At the end of the encryption process, the ransomware sends an HTTP request containing a parameter named end informing its C2 server that the encryption process has been terminated.
Become a certified reverse engineer!
Final thoughts
Ransomware attacks like Ragnarok are now common. The general recommendations for prevention against them are relatively standard, namely:
- Create a security mindset and keep operating systems, software and security appliances up to date.
- Create different backup zones: offline and online.
- Be aware that email is the most used vehicle to distribute malware in the wild. Thus, email monitoring and spam engines are the first layer to block external threats, including ransomware.
- Use a VPN channel to protect internal networks, namely, exposed RDP services.
- Promote a continuous employees training program around the basics of cybersecurity.
Sources
- Nice Try: 501 (Ransomware) Not Implemented, FireEye
- Ragnarok, BleepingComputer
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- Malware analysis: Ragnarok ransomware
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
- What is Operation Dream Job by Lazarus?
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis