{
	"id": "fc42b4a8-78ae-4ba1-bbe5-1d6c044f5e11",
	"created_at": "2026-04-06T00:21:14.289422Z",
	"updated_at": "2026-04-10T03:21:14.867243Z",
	"deleted_at": null,
	"sha1_hash": "ff5586d6d9aeea79d0ba7ca8bf0546285b25d867",
	"title": "Ragnarok Ransomware Targets Citrix ADC, Disables Windows Defender",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 814927,
	"plain_text": "Ragnarok Ransomware Targets Citrix ADC, Disables Windows Defender\r\nBy Lawrence Abrams\r\nPublished: 2020-01-28 · Archived: 2026-04-05 23:06:29 UTC\r\nA new ransomware called Ragnarok has been detected being used in targeted attacks against unpatched Citrix ADC servers vulnerable to the CVE-2019-19781 exploit.\r\nLast week, FireEye released a report about new attacks exploiting the now patched Citrix ADC vulnerability to install the new Ragnarok Ransomware on vulnerable networks.\r\nWhen attackers can compromise a Citrix ADC device, various scripts would be downloaded and executed that scan for Windows computers vulnerable to the EternalBlue vulnerability.\r\nhttps://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/\r\nPage 1 of 7\r\nIf detected, the scripts would attempt to exploit the Windows devices, and if successful, inject a DLL that downloads and installs the Ragnarok ransomware onto the exploited device.\r\nAfter Head of SentinelLabs Vitali Kremez extracted the ransomware's configuration file, we were able to discover some interesting behavior not commonly seen in other ransomware, which we detail below.\r\nExcludes both Russia and China from encryption\r\nMany ransomware operations are created by developers based out of Russia or other CIS countries.\r\nTo fly under the authorities' radar, it is common for ransomware developers to exclude users in Russia and other former Soviet Union countries from being encrypted if they become infected.\r\nRagnarok operates similarly by checking the installed Windows language ID and, if it matches one of the following, it will not encrypt the computer.\r\n0419 = Russia\r\n0423 = Belarus\r\n0444 = Russia\r\n0442 = Turkmenistan\r\n0422 = Ukraine\r\n0426 = Latvia\r\n043f = Kazakhstan\r\n042c = Azerbaijan\r\nStrangely, in addition to the CIS countries, Ragnarok will also avoid encrypting victims who have the 0804 language ID for China installed.\r\nRansomware excluding both Russia and China at the same time is rare, and it is not known if this is being done as a decoy for law enforcement or if the ransomware operates out of both countries.\r\nAttempts to disable Windows Defender\r\nAs Microsoft's Windows Defender has become a solid and reliable antivirus and security program, we are finding that numerous malware programs are attempting to disable or bypass it to more easily conduct malicious operations.\r\nFor example, we have seen GootKit, TrickBot, and the Novter infections all utilizing some sort of Windows Defender bypass.\r\nIt is rare, though, to see ransomware infections themselves attempt to disable the functionality of Windows Defender, which is what Ragnarok attempts.\r\nIt does this by adding the following Windows group policies that disable various protection options in Windows Defender:\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender \"DisableAntiSpyware\" = 1\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection \"DisableRealtimeMonitoring\" = 1\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection \"DisableBehaviorMonitoring\" = 1\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection \"DisableOnAccessProtection\" = 1\r\nThe good news is that if you have Windows 10's Tamper Protection feature enabled, these methods will not work and Windows will simply ignore any attempts to bypass Windows Defender.\r\nIn addition to Windows Defender, Ragnarok will also attempt to clear Shadow Volume Copies, disable Windows automatic startup repair, and turn off the Windows Firewall with the following commands:\r\ncmd.exe /c vssadmin delete shadows /all /quiet\r\ncmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures\r\ncmd.exe /c bcdedit /set {current} recoveryenabled no\r\ncmd.exe /c netsh advfirewall set allprofiles state off\r\nStrange Unix file references\r\nAnother strange aspect of this ransomware is the numerous references in the Windows executable to various Unix/Linux file paths such as:\r\n\"no_name4\": \"/proc\",\r\n\"no_name5\": \"/proc/%s/status\",\r\n\"no_name8\": \"/tmp/crypt.txt\",\r\n\"no_name9\": \"/proc/%s\",\r\n\"rand_path\": \"/dev/random\",\r\n\"home_path\": \"/home/\",\r\nIt is not clear as of yet why these paths are included and what they are used for, but Kremez believes it could be a possible in-development cross-platform targeting being used by the attackers.\r\n\"I believe \"no_name5\": \"/proc/%s/status\" specifically demonstrates that the actors are checking if the malware is running on the system via Unix command \"/proc/[process_id]/status.\" Given that Citrix is exploited cross-platform and might be running on both Unix and Windows systems. This specific \"no_name\" setup allows the cross-platform targeting and checks for both Windows and Unix systems in mind. By and large, this targeting and any Unix payloads might be still in development; however, criminals behind Ragnarok appear to be as modular and adaptive as possible given this configuration setup to affect more systems,\" Kremez told BleepingComputer in a conversation.\r\nA standard encryption routine\r\nThe rest of the Ragnarok encryption process is similar to what we see in other ransomware infections.\r\nWhen encrypting files it will use AES encryption, and the generated key will be encrypted with a bundled RSA encryption key. This makes it so only the ransomware developers can decrypt the victim's encryption key.\r\nWhen scanning for files to encrypt, Ragnarok will skip any files that have the \".exe\", \".dll\", \".sys\", and \".ragnarok\" extensions. It will also skip any files whose path contains the following strings:\r\ncontent.ie5\r\n\\temporary internet files\r\n\\local settings\\temp\r\n\\appdata\\local\\temp\r\n\\program files\r\n\\windows\r\n\\programdata\r\n$\r\nEach encrypted file will have the .ragnarok extension appended to the file name. For example, 1.doc would be encrypted and renamed to 1.doc.ragnarok.\r\nFolder encrypted by Ragnarok\r\nWhile encrypting the computer, it will create a ransom note in every traversed folder called !!ReadMe_To_Decrypt_My_Files.txt.\r\nThis ransom note contains instructions on what happened to a victim's files, their encrypted decryption key, and three email addresses to contact for payment instructions. It is not known how many bitcoins the attackers are demanding for a decryptor.\r\nRagnarok Ransom Note\r\nAt this time, it appears that Ragnarok's encryption can't be broken, but it will be further researched for any weaknesses.\r\nIOCs\r\nHashes:\r\nb7319f3e21c3941fc2a960b67a150b02f1f3389825164140e75dfa023a73d34c\r\nFiles:\r\n!!ReadMe_To_Decrypt_My_Files.txt\r\nC:\\Users\\public\\Files\\rgnk.dvi\r\nEmail addresses:\r\nasgardmaster5@protonmail.com\r\nragnar0k@ctemplar.com\r\nj.jasonm@yandex.com\r\nRansom note text:\r\nIt's not late to say happy new year right? but how didn't i bring a gift as the first time we met :)\r\n#what happend to your files?\r\nUnfortunately your files are encrypted with rsa4096 and aes encryption,you won't decrypt your files without our tool\r\nbut don't worry,you can follow the instructions to decrypt your files\r\n1.obviously you need a decrypt tool so that you can decrypt all of your files\r\n2.contact with us for our btcoin address and send us your DEVICE ID after you decide to pay\r\n3.i will reply a specific price e.g 1.0011 or 0.9099 after i received your mail including your DEVICE ID\r\n4.i will send your personal decrypt tool only work on your own machine after i had check the ransom paystatus\r\n5.you can provide a file less than 1M for us to prove that we can decrypt your files after you paid\r\n6.it's wise to pay as soon as possible it wont make you more losses\r\nthe ransome: 1 btcoin for per machine,5 bitcoins for all machines\r\nhow to buy bitcoin and transfer? i think you are very good at googlesearch\r\nasgardmaster5@protonmail.com\r\nragnar0k@ctemplar.com\r\nj.jasonm@yandex.com\r\nAttention:if you wont pay the ransom in five days, all of your files will be made public on internet and will be deleted\r\nYOUR DEVICE ID:\r\nxx\r\nSource: https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/"
	],
	"report_names": [
		"ragnarok-ransomware-targets-citrix-adc-disables-windows-defender"
	],
	"threat_actors": [],
	"ts_created_at": 1775434874,
	"ts_updated_at": 1775791274,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ff5586d6d9aeea79d0ba7ca8bf0546285b25d867.pdf",
		"text": "https://archive.orkl.eu/ff5586d6d9aeea79d0ba7ca8bf0546285b25d867.txt",
		"img": "https://archive.orkl.eu/ff5586d6d9aeea79d0ba7ca8bf0546285b25d867.jpg"
	}
}