Threat Actor Profile
Low Cybercriminal
Description

According to Bleeping Computer, the ransomware is used in targeted attacks against unpatched Citrix servers. It excludes Russian and Chinese targets by filtering on the system's Language ID. It also tries to disable Windows Defender and has a number of UNIX filepath references in its strings. It encrypts with AES using a dynamically generated key, then wraps this key with RSA.

Confidence Score
100%
Tags
ransomware ransomware.live
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

STIX Data
{'added_date': None,
 'client': '2003264@sit.singaporetech.edu.sg',
 'description': 'According to Bleeping Computer, the ransomware is used in '
                'targeted attacks against unpatched Citrix servers. It '
                "excludes Russian and Chinese targets using the system's "
                'Language ID for filtering. It also tries to disable Windows '
                'Defender and has a number of UNIX filepath references in its '
                'strings. Encryption method is AES using a dynamically '
                'generated key, then bundling this key up via RSA.\n',
 'firstseen': '2021-03-31T00:00:00+00:00',
 'group': 'ragnarok',
 'has_negotiations': False,
 'has_ransomnote': True,
 'lastseen': '2021-12-30T10:10:45.033137+00:00',
 'locations': [{'available': False,
                'fqdn': 'sushlnty2j7qdzy64qnvyb6ajkwg7resd3p6agc2widnawodtcedgjid.onion',
                'slug': 'http://sushlnty2j7qdzy64qnvyb6ajkwg7resd3p6agc2widnawodtcedgjid.onion/',
                'title': 'Decrypt Site',
                'type': 'DLS'},
               {'available': False,
                'fqdn': 'wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion',
                'slug': 'http://wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion',
                'title': '',
                'type': 'DLS'}],
 'negotiation_count': 0,
 'ransomnotes_count': 2,
 'tiaras_metadata': {'has_negotiations': False,
                     'has_ransomnote': True,
                     'locations': [{'available': False,
                                    'fqdn': 'sushlnty2j7qdzy64qnvyb6ajkwg7resd3p6agc2widnawodtcedgjid.onion',
                                    'slug': 'http://sushlnty2j7qdzy64qnvyb6ajkwg7resd3p6agc2widnawodtcedgjid.onion/',
                                    'title': 'Decrypt Site',
                                    'type': 'DLS'},
                                   {'available': False,
                                    'fqdn': 'wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion',
                                    'slug': 'http://wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion',
                                    'title': '',
                                    'type': 'DLS'}],
                     'negotiation_count': 0,
                     'ransomnotes_count': 2,
                     'ransomware_live_group': 'ragnarok',
                     'tools': {},
                     'url': 'https://www.ransomware.live/group/ragnarok',
                     'victims': 3,
                     'vulnerabilities': []},
 'tiaras_source': 'ransomware.live',
 'tools': {},
 'ttps': [],
 'url': 'https://www.ransomware.live/group/ragnarok',
 'victims': 3,
 'vulnerabilities': []}