Technical University Darmstadt Victim of Ragnarok Ransomware?

[German]Has TU-Darmstadt fallen victim to a Ragnarok ransomware attack? At least that is what information I received from a security researcher suggests.


A web search for the terms TU-Darmstadt and Ragnarok or Ransomware did not turn up anything. But a security researcher emailed me about it (and I found the info on a website that reports on hacks – though I won't link that one for now, since the site penetratingly tries to install a Chrome extension).

Ragnarok group leaks data

I received a screenshot of the Ragnarok Group leak page from security vendor EmsiSoft. Here is an excerpt from that screenshot, dated March 25, 2021, which describes TU Darmstadt  and lists an excerpt of data that was pulled from a share (drive Z) of a Windows system.

Ragnarok Leak TU Darmstadt

I have looked at the data in the screenshot I received. It is a directory listing of a network share, where files of students, PhD students and the secretariat are listed. From the file list, I'm guessing that the ransomware attack occurred on a Windows client in a chemistry department lab. This is because there are references to MC in document names, which is likely to stand for Macromolecular Chemistry. 

Darmstadt University of Technology has 4,974 employees and around 25,000 students. Its annual budget in 2019 was 453.2 million euros. However, the ransomware group writes something like $275.81 million on its site.

Looking at the published data and TU's budget, the chances of the Ragnarok group collecting a ransom should be very slim. I don't know the full extent of the captured documents – but what I have seen is not that particularly interesting. At most, it's unsightly for grad students or undergrads to have files encrypted. Moreover, it suggests that the ransomware attack must have been very limited – at any rate, I have not been able to find anything on the TU websites regarding the ransomware attack. 


Background on the Ragnarok ransomware

The name of the ransomware family is borrowed from Norse languages – the malware encrypts files with .thor- or .ragnarok_cry extensions (see also). I had reported about the ransomware in January 2020 in the post Ragnarok Ransomware targets Citrix ADC, stops Defender. This ransomware was the first to target vulnerable Citrix ADC installations.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *