Ranzy Locker ransomware hit tens of US companies in 2021

The FBI published a flash alert to warn of the activity of the Ranzy Locker ransomware that had already compromised tens of US companies.

The FBI published a flash alert to warn of Ranzy Locker ransomware operations that had already compromised at least 30 US companies this year.

The gang has been active since at least 2020, threat actors hit organizations from various industries.

“Unknown cyber criminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021. The victims include the construction subsector of the critical manufacturing sector, the academia subsector of the government facilities sector, the information technology sector, and the transportation sector.” reads the flash alert.

The attack vector most used by the Ranzy Locker ransomware operators are brute force attempts targeting Remote
Desktop Protocol (RDP) credentials. In recent attacks, the group also exploited known Microsoft Exchange Server vulnerabilities and used phishing messages to target computer networks.

Once gained access to the target network, the ransomware gang attempts to locate sensitive data, including customer information, PII related files, and financial records. The Ranzy Locker ransomware targets Windows systems, including servers and virtual machines.

In some cases the group implemented a double model of extortion, threatening victims to leak the stolen data if they don’t pay the ransom.

The flash alert also includes indicators of compromise (IOCs) associated with Ranzy Locker operations and Yara rules to detect the threat.

Below are the recommended mitigations included in the alert:

• Implement regular backups of all data to be stored as air gapped, password protected copies offline. Ensure these copies are not accessible for modification or deletion from any system where the original data resides.
• Implement network segmentation, such that all machines on your network are not accessible from every other machine.
• Install and regularly update antivirus software on all hosts, and enable real time detection.
• Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
• Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
• Audit user accounts with administrative privileges and configure access controls with least privilege in mind. Do not give all users administrative privileges.
• Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
• Consider adding an email banner to emails received from outside your organization.
• Disable hyperlinks in received emails.
• Use double authentication when logging into accounts or services.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Ranzy Locker ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]