RAGNAROK ransomware on the rise in 2020

RAGNAROK ransomware asks for approximately 1 Bitcoin for one infected PC, or 5 Bitcoins for the computers on an infected server. As specified in the ransom note, the attackers will state an exact sum in Bitcoin after receiving the victim's ID. Currently, there are no known ways to decrypt .ragnarok extension files for free. Victims who have data backups should remove the virus as soon as possible and restore their data from external storage devices.

Threat Summary

The behavior of the ransomware explained

Once executed on the target system, the Ragnarok file virus first checks the language ID of Windows. It has a language exclusion list: if the victim's PC is set to one of the listed languages, the malicious process shuts down and performs no encryption:

0419 = Russia
0423 = Belarus
0444 = Russia
0442 = Turkmenistan
0422 = Ukraine
042c = Azerbaijan
0426 = Latvia
043f = Kazakhstan
0804 = China

It must be noted that ransomware developers based in Russia or other CIS countries rarely exclude China. If the ransomware detects any other language ID, it gives the attack a green light. The first thing it does is attempt to disable Windows Defender by adding group policies to the Windows Registry. The ransomware sets the following values:

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender "DisableAntiSpyware" = 1
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection "DisableRealtimeMonitoring" = 1
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection "DisableBehaviorMonitoring" = 1
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection "DisableOnAccessProtection" = 1

These attempts will be unsuccessful if the victim has the Windows 10 Tamper Protection feature turned on. Next, Ragnarok malware tries to delete Volume Shadow Copies (to prevent data recovery), disables the Windows automatic startup repair feature, and turns off Windows Firewall by executing these commands via cmd:

/c vssadmin delete shadows /all /quiet
/c bcdedit /set {current} bootstatuspolicy ignoreallfailures
/c bcdedit /set {current} recoveryenabled no
/c netsh advfirewall set allprofiles state off
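As an added example that is not part of the original article, the Python below turns the Windows Defender policy writes and the cmd commands listed above into detection logic: it tags each indicator in a stream of process-creation and registry-set events and flags the host once two or more distinct indicators are seen. The event field names and the sample events are assumptions constructed for the example.

```python
import re

# Registry policy values RAGNAROK sets to 1 to switch off Windows Defender (from the write-up).
DEFENDER_POLICIES = {
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender": {"DisableAntiSpyware"},
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection":
        {"DisableRealtimeMonitoring", "DisableBehaviorMonitoring", "DisableOnAccessProtection"},
}
# Command lines RAGNAROK runs via cmd.exe before encrypting (from the write-up).
COMMAND_RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("boot_failures_ignored", re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{current\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("recovery_disabled", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{current\}\s+recoveryenabled\s+no", re.I)),
    ("firewall_disabled", re.compile(r"netsh(\.exe)?\s+advfirewall\s+set\s+allprofiles\s+state\s+off", re.I)),
]

def tag_event(event):
    """Return the indicator tags one event matches. Event shape is an assumption:
    {"type": "registry_set", "key", "value_name", "data"} or {"type": "process_create", "cmdline"}."""
    tags = []
    if event.get("type") == "registry_set":
        key = event.get("key", "").lower()
        name, data = event.get("value_name", ""), str(event.get("data", "")).strip().lower()
        for policy_key, names in DEFENDER_POLICIES.items():
            # Only a value of 1 disables the feature; a write of 0 is not an indicator.
            if key == policy_key.lower() and name in names and data in ("1", "0x1", "dword:00000001"):
                tags.append("defender_policy_" + name)
    elif event.get("type") == "process_create":
        cmd = event.get("cmdline", "")
        tags.extend(tag for tag, pattern in COMMAND_RULES if pattern.search(cmd))
    return tags

def assess(events, threshold=2):
    """Tag every event and flag the host once `threshold` distinct indicators are seen."""
    hits = [(i, tag) for i, ev in enumerate(events) for tag in tag_event(ev)]
    distinct = sorted({tag for _, tag in hits})
    return {"hits": hits, "distinct": distinct, "flagged": len(distinct) >= threshold}

# Constructed sample telemetry (not from a real incident): three lines mirror the article's
# indicators; the last two are benign look-alikes that must not match.
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
     "value_name": "DisableAntiSpyware", "data": "1"},
    {"type": "process_create", "cmdline": r"C:\Windows\System32\cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"type": "process_create", "cmdline": r"C:\Windows\System32\cmd.exe /c bcdedit /set {current} recoveryenabled no"},
    {"type": "process_create", "cmdline": r"C:\Windows\System32\cmd.exe /c netsh advfirewall show allprofiles"},
    {"type": "registry_set", "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
     "value_name": "DisableAntiSpyware", "data": "0"},
]
```

Each indicator on its own is common in administration scripts; the threshold on distinct indicators is what separates this pre-encryption sequence from a lone shadow-copy cleanup.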

When the preparation tasks are completed, the ransomware begins data encryption. It encrypts the data with AES; the AES encryption key is then encrypted with a packed RSA4096 key, which ensures that only the virus' developers can restore it. The ransomware skips executable files, .dll and .sys files, and files that have already been encrypted by the virus (those with the .ragnarok extension). As usual, the ransomware also skips files essential for the operating system to function.

The ransomware targets unpatched Citrix ADC servers

The RAGNAROK virus is known to be targeting Citrix ADC servers with an unpatched vulnerability known as CVE-2019-19781. Although the vulnerability is now patched, networks that fail to install the update are open to attacks and to this ransomware infection. The Citrix vulnerability has also been exploited by Sodinokibi ransomware developers. The EternalBlue vulnerability in Citrix ADC servers allows the attackers to perform arbitrary code execution remotely. In particular, the attacker can insert a specific DLL that is capable of downloading and launching the Ragnarok ransomware payload on the computer or on the whole computer network instantly.

Remove RAGNAROK ransomware virus safely

You must remove the RAGNAROK ransomware virus, and possibly related malware, from your computer system as soon as possible. The easiest and safest way to root out such threats from a Windows computer is to perform the removal in Safe Mode. The tutorial below explains how to boot your PC in Safe Mode and run your security software from there. This will ensure a successful RAGNAROK removal. When it comes to .ragnarok decryption, there are currently no tools that can recover files for free. In addition, beware of scammers who might take your money and simply pay the ransomware developers instead of you. Security experts will keep investigating the virus and report back as soon as any flaws in its routine are noticed.


Method 1. Enter Safe Mode with Networking

Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot a PC into this mode, but you can find additional ones in the in-depth tutorial on our website, How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it:
Instructions for Windows XP/Vista/7 users
Instructions for Windows 8/8.1/10 users
Now, you can search for and remove RAGNAROK ransomware files. It is very hard to identify the files and registry keys that belong to the ransomware, and malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall this type of computer virus is to use a reliable malware removal program.

Method 2. Use System Restore

In order to use System Restore, you must have a system restore point, created either manually or automatically.
Instructions for Windows XP/Vista/7 users
Instructions for Windows 8/8.1/10 users
After restoring the system, we recommend scanning it with antivirus or anti-malware software. In most cases there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend reading the ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.

