FBI Warns Against Ranzy Locker Ransomware That Has Attacked 30 US Firms So Far

Ranzy Locker ransomware is being rapidly deployed by threat actors to target businesses.


The FBI announced on Monday, 25 October, that Ranzy Locker ransomware operators had compromised at least 30 US firms across a range of industries this year.

"Unknown cybercriminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021," the FBI said in a TLP: WHITE flash alert. 

The flash alert was produced in collaboration with CISA and is intended to give security teams the information they need to detect and prevent similar ransomware attacks.

The majority of Ranzy Locker victims who reported cyberattacks to the FBI stated that the attackers broke into their networks and systems by brute-forcing Remote Desktop Protocol (RDP) credentials. 
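The RDP brute-forcing described above leaves a recognisable trace on the target host: bursts of Windows Security event 4625 (failed logon) with logon type 10 (RemoteInteractive, i.e. RDP) from a single source address, sometimes followed by a 4624 (successful logon) from that same address. The script below is an added example, not code from the FBI advisory or the original post. The event lines are constructed and flattened into a one-line key=value form for readability (real exports are EVTX or XML), and the five-failures-in-five-minutes threshold is an arbitrary tuning assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Each line mimics one Windows
# Security event: 4625 = failed logon, 4624 = successful logon; LogonType 10 is
# RemoteInteractive (RDP), LogonType 3 is a network logon and is ignored here.
SAMPLE_EVENTS = """
2021-07-12T03:10:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2021-07-12T03:10:02 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45
2021-07-12T03:10:03 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.45
2021-07-12T03:10:04 EventID=4625 LogonType=10 TargetUser=sqlsvc SourceIP=203.0.113.45
2021-07-12T03:10:05 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.45
2021-07-12T03:10:40 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.45
2021-07-12T03:11:00 EventID=4625 LogonType=10 TargetUser=alee SourceIP=198.51.100.7
2021-07-12T03:25:00 EventID=4625 LogonType=10 TargetUser=alee SourceIP=198.51.100.7
2021-07-12T03:26:00 EventID=4624 LogonType=10 TargetUser=alee SourceIP=198.51.100.7
2021-07-12T03:30:00 EventID=4625 LogonType=3 TargetUser=svc SourceIP=192.0.2.9
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_event(line):
    """Parse one flattened event line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "eid": int(m["eid"]),
        "logon_type": int(m["lt"]),
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window detector for RDP password guessing.

    Raises a 'brute_force' alert the first time a source IP accumulates
    `threshold` failed RDP logons inside `window`, and a higher-severity
    'success_after_brute_force' alert if that IP later logs in successfully.
    Assumed thresholds; tune them to the environment's normal failure rate.
    """
    failures = defaultdict(deque)  # source IP -> timestamps of recent RDP failures
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["logon_type"] != 10:
            continue  # only RemoteInteractive (RDP) logons are of interest
        recent = failures[ev["ip"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()  # expire failures that fell out of the window
        if ev["eid"] == 4625:
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append({"type": "brute_force", "ip": ev["ip"],
                               "failures": len(recent), "last_user": ev["user"]})
        elif ev["eid"] == 4624 and ev["ip"] in flagged:
            alerts.append({"type": "success_after_brute_force", "ip": ev["ip"],
                           "failures": len(recent), "last_user": ev["user"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

On the constructed input only 203.0.113.45 trips the detector (five failures in four seconds, then a success as jsmith); the two failures from 198.51.100.7 are fourteen minutes apart and age out of the window, which is the kind of slow, low-volume guessing a pure count-per-window rule misses. Exposed RDP with a lockout policy and MFA removes the opportunity rather than just detecting it.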

“The FBI first identified Ranzy Locker ransomware in late 2020 when the variant began to target victims in the United States. Unknown cybercriminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021. The victims include the construction subsector of the critical manufacturing sector, the academia subsector of the government facilities sector, the information technology sector, and the transportation sector,” stated the advisory. 

Other victims reported that the attackers gained access by exploiting known Microsoft Exchange Server vulnerabilities and through phishing. Once inside, the attackers looked for sensitive data to exfiltrate, such as customer information, files containing personally identifiable information (PII), and financial records. Ranzy Locker then encrypts files on the compromised Windows hosts (including servers and virtual machines) and on network shares. The program drops a ransom note in every folder where files were encrypted, demanding payment in return for a decryption tool. 
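The behaviour just described, one identical note file written into every encrypted folder, is itself a usable signal on a file server or share: ordinary data is unique per folder, while a ransom note is small, byte-for-byte identical, and replicated everywhere. The following Python is an added example, not code from the advisory or the original post. It builds a constructed directory tree in a temporary location, plants a placeholder note (the filename and text are made up, not Ranzy Locker indicators), and reports any (filename, content hash) pair that recurs in at least a configurable number of directories.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Placeholder note name and body for the constructed fixture; these are NOT
# indicators from the advisory, just stand-ins for "the same small file
# dropped into every folder".
NOTE_NAME = "readme_to_unlock.txt"
NOTE_BODY = b"Locked. Contact us to buy the decryptor.\n"


def build_sample_tree(root):
    """Constructed fixture: a few department folders with unique data files,
    a note file in every folder, and one legitimately shared README in two."""
    for sub in ("finance", "finance/2021", "hr", "hr/pii", "shares/projects"):
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "data.bin"), "wb") as f:
            f.write(os.urandom(64))  # distinct content per folder
        with open(os.path.join(d, NOTE_NAME), "wb") as f:
            f.write(NOTE_BODY)
    for sub in ("finance", "hr"):
        with open(os.path.join(root, sub, "README.txt"), "wb") as f:
            f.write(b"Department share\n")
    return root


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def find_replicated_files(root, min_dirs=4, max_size=64 * 1024):
    """Walk `root`, group small files by (name, sha256) and return the groups
    present in at least `min_dirs` distinct directories.

    Files larger than `max_size` are skipped: ransom notes are small, and
    hashing large data files on a share is both slow and pointless here.
    """
    seen = defaultdict(set)  # (filename, digest) -> set of directories
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue
                digest = sha256_of(path)
            except OSError:
                continue  # unreadable or vanished file; not fatal for a sweep
            seen[(name, digest)].add(dirpath)
    return {key: sorted(dirs) for key, dirs in seen.items() if len(dirs) >= min_dirs}


def demo(min_dirs=4):
    """Build the constructed tree in a temp dir, run the sweep, and return the
    findings with directory paths made relative to the temp root."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = find_replicated_files(tmp, min_dirs=min_dirs)
        return {key: [os.path.relpath(d, tmp) for d in dirs]
                for key, dirs in hits.items()}


if __name__ == "__main__":
    for (name, digest), dirs in demo().items():
        print(f"{name} ({digest[:12]}...) replicated in {len(dirs)} folders: {dirs}")
```

With the default threshold only the planted note is reported (it sits in all five folders); lowering `min_dirs` to 2 also surfaces the shared README, which shows why the threshold should sit well above the number of copies a legitimate template normally has. A sweep like this is a cheap after-the-fact check; in production the same idea is better fed from file-server audit events so the first few drops trigger isolation before the encryption run finishes.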

Victims who visit the group's Tor payment site see a 'Locked by Ranzy Locker' notice and a live chat window in which they can negotiate with the attackers. As part of the "service," the operators offer to decrypt three files for free to demonstrate that the decryptor can recover the victim's data. 

If victims do not pay the ransom, the stolen documents are published on Ranzy Locker's data leak site, Ranzy Leak. 

The domain utilized by their leak portal was previously used by Ako Ransomware, a move that was part of the gang's rebranding from Ako to ThunderX and subsequently Ranzy Locker. 

ThunderX was a ransomware operation that began in late August 2020. Tesorion discovered flaws in its encryption within just a month of its inception, which aided in the development of a free decryptor. Later, the cybercrime organization repaired the flaws and published a new version of its Ranzy Locker ransomware strain. 

“The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office. With regards to specific information that appears in this communication, the context, individual indicators, particularly those of a non-deterministic or ephemeral nature (such as filenames or IP addresses), may not be indicative of a compromise. Indicators should always be evaluated in light of your complete information security situation,” read the advisory.

Labels: Cyber Attacks, Ransomware, Ranzy Locker Ransomware, USA