Ragnarok ransomware is leveraging unpatched Citrix ADC servers and Windows computers to attack its victims.
Citrix has now released a patch for CVE-2019-19781 and made it available to all customers, regardless of the status of their support contract. However, according to security firm FireEye, unpatched Citrix systems are being actively targeted with Ragnarok.
CVE-2019-19781 is a critical vulnerability which enables an unauthenticated attacker to access the internal network via an unpatched Citrix ADC server.
Once the vulnerable Citrix server has been compromised, the malware attempts to use the EternalBlue SMB exploit to reach Windows computers across the network and install the ransomware.
Additionally, Ragnarok attempts to add registry keys that disable Windows Defender, turn off all Windows Defender Firewall rules, disable Start-up Repair and delete all Volume Shadow Copies. These attempts can be blocked if the Windows 10 Tamper Protection feature is enabled.
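As an added defensive illustration (not from the article or from Citrix/FireEye), the following Python scans constructed Sysmon-style log lines for the tamper actions described above and flags a host where several of them occur together. The sample lines, field layout and rule names are assumptions made for the example.

```python
import re

# Constructed sample telemetry in a simplified Sysmon-like "Key=Value" layout (hypothetical, not real captures).
# EventID 1 = process creation, EventID 13 = registry value set.
SAMPLE_EVENTS = [
    "EventID=13 Image=C:\\Windows\\regedit.exe TargetObject=HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware Details=DWORD (0x00000001)",
    "EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin delete shadows /all /quiet",
    "EventID=1 Image=C:\\Windows\\System32\\netsh.exe CommandLine=netsh advfirewall set allprofiles state off",
    "EventID=1 Image=C:\\Windows\\System32\\bcdedit.exe CommandLine=bcdedit /set {default} recoveryenabled no",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe C:\\Users\\alice\\notes.txt",
]

# Detection rules: (name, event id the rule applies to, pattern matched against the whole line).
# Each one corresponds to a defence-disabling step the article attributes to Ragnarok.
RULES = [
    ("defender_disabled_via_registry", "13", re.compile(r"Windows Defender\\DisableAntiSpyware.*0x0*1\b", re.I)),
    ("shadow_copies_deleted", "1", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("firewall_profiles_disabled", "1", re.compile(r"netsh\s+advfirewall\s+set\s+allprofiles\s+state\s+off", re.I)),
    ("startup_repair_disabled", "1", re.compile(r"bcdedit.*recoveryenabled\s+no", re.I)),
]


def parse_event(line):
    """Parse 'Key=Value Key=Value ...' into a dict. Values may contain spaces,
    so a value runs until the next ' Key=' token or the end of the line."""
    return {m.group(1): m.group(2) for m in re.finditer(r"(\w+)=(.*?)(?=\s\w+=|$)", line)}


def scan(lines):
    """Return (rule_name, image) for every line matching a rule for its event type."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for name, event_id, pattern in RULES:
            if ev.get("EventID") == event_id and pattern.search(line):
                findings.append((name, ev.get("Image", "?")))
    return findings


def is_tamper_chain(findings, minimum=3):
    """One of these actions alone can be legitimate administration; several distinct
    ones on the same host in a short window matches the behaviour described above.
    Tamper Protection blocks the Defender change itself, but logging still catches the rest."""
    return len({name for name, _ in findings}) >= minimum


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for name, image in hits:
        print(f"{name:32s} {image}")
    print("tamper chain:", is_tamper_chain(hits))
```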
The threat actors behind this campaign chain several exploits and attempt to reconfigure the defensive tools expected on the target computers, combining multiple vulnerabilities and techniques to achieve their ends.
Citrix and FireEye have released a tool that determines whether your Citrix system was compromised before it was patched.