ragnarok

General

Target

since1969.bin
Size

210KB
Sample

230919-qceksabb66
MD5

48452dd2506831d0b340e45b08799623
SHA1

74993759f49d123ec334111f29cdbbf2e0276b58
SHA256

b7319f3e21c3941fc2a960b67a150b02f1f3389825164140e75dfa023a73d34c
SHA512

5a0b4f5884ae2d302661b0581ab2475c1403555af0f531e1d0c29e240454dfe9979a32979d30856c5ad5da0ea1ffac1ec2c16eb6fa07b7ece74e069fcf2e5958
SSDEEP

3072:LNWPHNek0igmpXlZwbvsBQUbtqJQW7xAZ22yz6VoSYMFZoJ8lsPGKLpZnoHq86fa:RGSigm1lmbaBp7O6qSYCiNPhzHa

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!!ReadMe_To_Decrypt_My_Files.txt

Family

ragnarok

Ransom Note

It's not late to say happy new year right? but how didn't i bring a gift as the first time we met :) #what happend to your files? Unfortunately your files are encrypted with rsa4096 and aes encryption,you won't decrypt your files without our tool but don't worry,you can follow the instructions to decrypt your files 1.obviously you need a decrypt tool so that you can decrypt all of your files 2.contact with us for our btcoin address and send us your DEVICE ID after you decide to pay 3.i will reply a specific price e.g 1.0011 or 0.9099 after i received your mail including your DEVICE ID 4.i will send your personal decrypt tool only work on your own machine after i had check the ransom paystatus 5.you can provide a file less than 1M for us to prove that we can decrypt your files after you paid 6.it's wise to pay as soon as possible it wont make you more losses the ransome: 1 btcoin for per machine,5 bitcoins for all machines how to buy bitcoin and transfer? i think you are very good at googlesearch [email protected] [email protected] [email protected] Attention:if you wont pay the ransom in five days, all of your files will be made public on internet and will be deleted YOUR DEVICE ID: =AALsY1ULRUUXh1TsMjQ3EDN4QTQ3MzQ0gTQxYDNxETNEJjM2IDM3UkN4QkMDVUM0EkNChTMEF0NFZ0MykTOzMkQBNENygjQ2QTOGRDNEZjN2gTQFZTN3cTRCRDM2kDRzETMCZ0NCFTOFNTO2IUQxYEN5EDNBFzMzU0Q2gzQxQkRxU0NCJEO1EERBJjRGVTR2gzMxEUOFJjQDN0NDhjQCZ0NzIDREV0MBVEMBN0MDNUOxETO4QjNERUMxM0Q0MTQ4cTNBVkQzkTQ2ATOyYTN5gzQCNDOxMkNBZDO5ETM3U0NDRTO2gDR3EkQwcDNGJjN4IDOGNkQFZUQ4IDR1QERENkN2kTQwQjMGZkR4UUR2QDMFNUQzIENGNUMCZTR1kDRDJkNGJkM5IUO4MTMDdDRxYTQ3QUNEJkQ3IkR5IDR5gTMzkzNFdzQyEzMBNjQygzQyEkMwQTRyIUOGNUMEJkQ5YTM2IUQ3EUR4QzMDZEOENDRDFDRGZkMyQTQzMjQwcDRzEzQBZDN4QzM5EjQxQUQ4Q0MGNTMzIkQCdjMElDRzQkNzIDOzQDR0IUO5cDOCdzM5YkQ2EUNFJjNzYDO3QDNyATQ0EzM1kDMxM0QCFzQ3cDO3gDN0QjMEVkQGVzNDREN0Y0MDZTMBhTN1YTNzYjNDNzQCRUMDVDREdTN2IDMENTQ5UjR5UDN5QTM2I0N0QkN0IzN0YTQ2Q0Q3U0MCljR3YENyQENyATMyIjQ4UkN3MTQ1E0N4UTN0QTO5QTMxETQDFTQCVDOFNER5YDN3gzMxYURxMTM5IkRBRDRFJDNFN0MzIERzMzM4gjMzEkMyEUQ0QjNDlDO0ITMzMzN4QkNyATO0kzN2YkNyIkNzIzM4MUN4MTNBlDOwEUM3MTM1gzNwYTM4MEO4EDMzcjM0AjRBNURDJURzQTOzUjQ1QUO2gzN5EEOzcjMCF0MEhTQ1czQDdjN5AjM4QUQCZDN0M0M1ITR0kTN0YjQ1UDNCJUNFF0Q0AjR0YzN5kTQ1QDN5IEMCRjR3gDO0MDOEZDMCFERDVTR5IEO4gjMGNERFV0N5EDRGdTM4IDREFURBFkR2gTO5QDO2EkNGBTN3IUR4UkNBVENChzQzIzNyUDOBNkQDNEO2UUQ5gzQFdTO4cTOyITN2AjM4MjQ0YkNGlDR0QTM3IDNFRkRGJDODNTOEZ0M2IkN5EjMxIENEZkQDVUNEhTN5IDNFZUOzMkN4QDNCVkMEZEOCZUOCFkNFhjR0YTRzgzM4IUM5kjRCdzMBhTNCNDRBZkQFZUMzgTR4EDOygzQ1AjMDFDMFZkQ2EEMyEUO1kzQxgTQwEDR0YzM

Emails

[email protected]

Targets

- Target
  
  since1969.bin
- Size
  
  210KB
- MD5
  
  48452dd2506831d0b340e45b08799623
- SHA1
  
  74993759f49d123ec334111f29cdbbf2e0276b58
- SHA256
  
  b7319f3e21c3941fc2a960b67a150b02f1f3389825164140e75dfa023a73d34c
- SHA512
  
  5a0b4f5884ae2d302661b0581ab2475c1403555af0f531e1d0c29e240454dfe9979a32979d30856c5ad5da0ea1ffac1ec2c16eb6fa07b7ece74e069fcf2e5958
- SSDEEP
  
  3072:LNWPHNek0igmpXlZwbvsBQUbtqJQW7xAZ22yz6VoSYMFZoJ8lsPGKLpZnoHq86fa:RGSigm1lmbaBp7O6qSYCiNPhzHa
Score

10^/10

ragnarok evasion ransomware spyware stealer
- Ragnarok
  Ransomware family deployed from Citrix servers infected via CVE-2019-19781.
  ransomware ragnarok
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (187) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Modifies Windows Firewall
  evasion
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral1