top of page

Hackers target unpatched Citrix servers to deploy ransomware

Companies still running unpatched Citrix servers are in danger of having their networks infected with ransomware.

Multiple sources in the infosec community are reporting about hacker groups using the CVE-2019-19781 vulnerability in Citrix appliances to breach corporate networks and then install ransomware.


Ransomware infections traced back to hacked Citrix servers have been confirmed by security researchers at FireEye and Under the Breach.

The REvil (Sodinokibi) ransomware gang has been identified as one of the groups attacking Citrix servers to gain a foothold on corporate networks and later install their custom ransomware strain.

"I examined the files the REvil gang posted online from after the company refused to pay the ransom demand," security researchers from Under the Breach said today.

"The interesting thing I discovered is that they obviously hacked Gedia via the Citrix exploit."

Unconfirmed rumors also claim the Maze ransomware gang is also targeting Citrix servers, similar to the REvil gang.

However, attacking corporate servers fits perfectly with the modus operandi of the REvil gang. Previously, this same gang has also been exploiting vulnerabilities in Pulse Secure VPNs to breach corporate networks and install their ransomware.

Update: After this article's publication, FireEye also published a blog post detailing a third group using the Citrix bug to infect victims, but with the Ragnarok ransomware.


All these attacks are taking place after hackers scan the internet for Citrix appliances that have not been secured against the CVE-2019-19781 vulnerability.

Vulnerable devices include the Citrix Application Delivery Controller (ADC), Citrix Gateway, and two older versions of Citrix SD-WAN WANOP.

The vulnerability was disclosed in mid-December; however, internet-wide attacks began after January 11, when proof-of-concept exploit code was published online and became broadly available to anyone.

Initially, patches were not available for the CVE-2019-19781 vulnerability. Instead, Citrix recommended a series of mitigations that server owners could apply and secure their devices.

Those mitigations didn't always work, or many companies failed to apply them. With the broad availability of proof-of-concept code, attacks on Citrix servers have been rampant in recent weeks.

The good news is that earlier today, Citrix finished publishing patches for all vulnerable versions, meaning companies can apply a permanent fix to their servers by updating to the most recent version of the Citrix firmware.


Currently, the patching process appears to be going well. In December, the number of vulnerable systems was estimated at 80,000 servers, a number that went down to roughly 25,000 in mid-January, and has gone down to around 11,000 systems, as of yesterday.

Earlier this week, Citrix and FireEye have also collaborated to build a tool that Citrix server owners can run and see if they're appliances have been hacked with the CVE-2019-19781 exploit, before applying a patch.

If the threat of getting infected with ransomware is not enough to scare some companies in applying the Citrix patches for CVE-2019-19781, then companies should also be aware that some criminals are currently hijacking Citrix servers and selling access to their networks on hacking forums, according to an image researchers from Under the Breach shared with ZDNet last week.



bottom of page