Ransomware attack combines Citrix and EternalBlue exploit
Several groups of cyber criminals are currently attacking vulnerable Citrix systems, but one group is also using the EternalBlue exploit developed by the NSA, security company FireEye reports. The attackers use a vulnerability in the Citrix Gateway to attack the underlying corporate network from there.
In addition to installing a backdoor on the Citrix system, the attackers also use the EternalBlue exploit to attack machines behind it. This exploit, developed by the American intelligence agency NSA, exploits a vulnerability in Windows for which a security update has been available since March 2017. If the attackers manage to gain access to the other machines in the company network, the Ragnarok ransomware is installed.
The ransomware encrypts files and then demands a ransom to decrypt the data. In the case of Ragnarok, this amounts to 8,000 euros for one computer and 40,000 euros for all machines. If organizations fail to pay within five days, the attackers threaten to delete all data and publish it on the internet. Although a group has now been discovered that uses the Citrix vulnerability to spread ransomware, most attackers use the vulnerability to infect systems with cryptominers, FireEye said.
Despite the availability of security updates and mitigation measures, 10,000 vulnerable Citrix systems can still be found on the internet, figures show. In addition, a much larger number may already have been compromised because the mitigations were not applied in time.