The Federal Bureau of Investigation (FBI) this week released a Flash report to publicly share indicators of compromise (IOCs) for the Ranzy Locker ransomware.
The ransomware has been targeting businesses in the United States since late 2020 and, by July 2021, had compromised more than 30 victims in the information technology and transportation sectors, the construction subsector of critical manufacturing, and the academia subsector of government facilities.
A typical attack starts with brute forcing Remote Desktop Protocol (RDP) connections to gain initial access to the network. Recently, the adversary exploited known Microsoft Exchange Server vulnerabilities and phishing messages for initial access.
During the attack, the Ranzy Locker operators would also attempt to identify important files for exfiltration, including customer data, Personally Identifiable Information, and financial records, the FBI said in the report.
Next, the ransomware is deployed to encrypt files on Windows host systems (servers and virtual machines included), as well as on attached network shares. A ransom note is then deployed in each of the directories containing encrypted files.
Victims are instructed to pay a ransom in exchange for a decryption tool, but the operators may also attempt to extort a second ransom, threatening to make the stolen data public.
According to the FBI, the IOCs associated with Ranzy Locker include the creation of new user accounts named “felix” on domain controllers, Active Directory, servers, and workstations; a ransom note whose wording is similar to the AKO and ThunderX ransom notes; and the .ranzy extension appended to encrypted files, among others.
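As an added illustration (not from the article or the FBI Flash), the following Python script applies two of the listed IOCs to constructed sample data: Windows Security event 4720 (user account created) records naming "felix", and a file listing containing the .ranzy extension. The event field names follow the Windows Security log's own names; the sample records and paths are constructed.

```python
import json
from pathlib import PureWindowsPath
from typing import Iterable

# Indicators from the FBI Flash as summarised in the article above.
IOC_ACCOUNT_NAME = "felix"      # new accounts created with this name
IOC_FILE_EXTENSION = ".ranzy"   # extension appended to encrypted files

# Windows Security event 4720 is logged when a user account is created.
EVENT_ID_USER_CREATED = 4720


def flag_account_creations(events: Iterable[dict]) -> list[dict]:
    """Return 4720 events whose TargetUserName matches the Ranzy Locker IOC."""
    hits = []
    for ev in events:
        if ev.get("EventID") != EVENT_ID_USER_CREATED:
            continue  # logons or other events mentioning "felix" are not this IOC
        if ev.get("TargetUserName", "").lower() == IOC_ACCOUNT_NAME:
            hits.append(ev)
    return hits


def flag_encrypted_files(paths: Iterable[str]) -> list[str]:
    """Return paths whose final extension is .ranzy (case-insensitive)."""
    return [p for p in paths if PureWindowsPath(p).suffix.lower() == IOC_FILE_EXTENSION]


# Constructed sample data: JSON lines as a SIEM might export them, plus a
# directory listing from a network share. None of it comes from a real incident.
SAMPLE_EVENTS = [
    '{"EventID": 4720, "Computer": "DC01", "SubjectUserName": "admin", "TargetUserName": "felix"}',
    '{"EventID": 4720, "Computer": "WS17", "SubjectUserName": "helpdesk", "TargetUserName": "jsmith"}',
    '{"EventID": 4624, "Computer": "DC01", "TargetUserName": "felix"}',
]
SAMPLE_FILES = [
    r"\\fileserver\finance\Q2-report.xlsx.ranzy",
    r"\\fileserver\finance\readme.txt",
    r"C:\Users\Public\customers.csv.RANZY",
]


def triage(event_lines=SAMPLE_EVENTS, files=SAMPLE_FILES) -> dict:
    """Run both IOC checks and return the matches grouped by indicator."""
    events = [json.loads(line) for line in event_lines]
    return {"felix_accounts": flag_account_creations(events),
            "ranzy_files": flag_encrypted_files(files)}


if __name__ == "__main__":
    result = triage()
    for ev in result["felix_accounts"]:
        print(f"[IOC] account '{ev['TargetUserName']}' created on {ev['Computer']} by {ev.get('SubjectUserName')}")
    for path in result["ranzy_files"]:
        print(f"[IOC] encrypted file: {path}")
```

On a real host the event records would come from the Security log (for example via Get-WinEvent) rather than the inline sample.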
The FBI also listed a series of recommended mitigations for keeping systems protected from ransomware, such as updating applications and operating systems regularly, keeping all data backed up offline, implementing network segmentation and least-privilege policies, reviewing logs and auditing user accounts, implementing multi-factor authentication, and disabling unused protocols, such as RDP.