Ragnarok Ransomware targets Citrix ADC, stops Defender

[German]For administrators using unpatched Citrix ADC/Netscaler appliances, it is now five past twelve. The Ragnarok ransomware targets unpatched Citrix ADC installations and can stop Windows Defender, security experts found out.


Citrix ADC: The Shitrix problem

Actually, this should not be a topic at all, because I reported about the vulnerability CVE-2019-19781 in the Citrix ADC (Application Delivery Controller, formerly Netscaler), which has been publicly known since December 17, 2019, in the article Vulnerability in Citrix Apps put companies at risk (Dec. 24, 2019).

And there were several security warnings on several channels and here within my blogs because proof of concept exploits became public. Some Citrix users who didn't react probably got attacked (see Ransomware: Are Potsdam and Gedia Shitrix victims?In the meantime Citrix has released firmware updates for patching the vulnerability for all affected products and there is a scanner for testing (see Citrix vulnerability: New updates and scanners for testing).

Ransomware Ragnarok targets Citrix ADC

Now cyber criminals have probably used the first ransomware targeting the Citrix ADC vulnerability. The ransomware, called Ragnarok by security researchers, can also disable Windows Defender on Windows machines. I became aware of the story via the following tweet from colleague Lawrence Abrams.

If attackers succeed in compromising a Citrix ADC device, various scripts are downloaded and executed. These scripts search the compromised Citrix ADC's network for Windows computers that are vulnerable to the EternalBlue vulnerability.


If such machines are discovered, the scripts attempt to exploit vulnerabilities in Windows and, if successful, inject a DLL into the operating system. If the DLL is executed, it downloads the Ragnarok ransomware and installs it on the machine. Then the files are encrypted and ransom demands are made.

After the head of SentinelLabs, Vitali Kremez, had extracted the configuration file of the ransomware Ragnarok, he discovered some unusual new features.

According to the above tweet, ransomware can disable Windows Defender via a registry entry – but this no longer works for Defender Tamper Protection in Windows 10. It is also interesting that the ransomware does not encrypt systems from the Russian sphere of influence and from China. The Windows Language ID is used to omit certain countries.

The ransomware not only encrypts the accessible files, but also deletes the volume shadow copies, disables the Windows startup repair and also the Windows Firewall. It is unclear why the ransomware contains references to Linux directories. Possibly one wants to cover Citrix installations across platform boundaries (Unix/Windows). Further details, which are only relevant for the analysis of a cyber incident, can be found at Bleeping Computer.

Similar articles:
Vulnerability in Citrix Apps put companies at risk
Ransomware: Are Potsdam and Gedia Shitrix victims?
Citrix vulnerability: New updates and scanners for testing

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *