Connect with us

Hi, what are you looking for?


Application Security

FBI Publishes Indicators of Compromise for Ranzy Locker Ransomware

The Federal Bureau of Investigation (FBI) this week released a Flash report to publicly share indicators of compromise (IOCs) for the Ranzy Locker ransomware.

The Federal Bureau of Investigation (FBI) this week released a Flash report to publicly share indicators of compromise (IOCs) for the Ranzy Locker ransomware.

The ransomware has been targeting businesses in the United States since late 2020 and, by July 2021, compromised more than 30 victims in the information technology, transportation sector, the construction subsector of critical manufacturing, and the academia subsector of government facilities.

A typical attack starts with brute forcing Remote Desktop Protocol (RDP) connections to gain initial access to the network. Recently, the adversary exploited known Microsoft Exchange Server vulnerabilities and phishing messages for initial access.

During the attack, the Ranzy Locker operators would also attempt to identify important files for exfiltration, including customer data, Personally Identifiable Information, and financial records, the FBI said i the report.

Next, the ransomware is deployed to encrypt files on Windows host systems (servers and virtual machines included), as well as on attached network shares. A ransom note is then deployed in each of the directories containing encrypted files.

Victims are instructed to pay a ransom in exchange for a decryption tool, but the operators may also attempt to extort a second ransom, threatening to make the stolen data public.

 [READ: FBI Warns Ransomware Attack Could Disrupt Food Supply Chain ]

Advertisement. Scroll to continue reading.
The ransomware also deletes all of the backups found on the compromised machine and attempts to infect other systems on the local network.

According to the FBI, the IOCs associated with Ranzy Locker include the creation of new user accounts with the name “felix” on domain controllers, active directories, servers, and workstations; a ransom note that shows wording similarities with AKO and ThunderX ransom notes; and the .ranzy extension is appended to encrypted files; among other.

The FBI also listed a series of recommended mitigations for keeping systems protected from ransomware, such as updating applications and operating systems periodically, keeping all data backed up offline, implementing network segmentation and the lead privileged policies, reviewing logs and auditing user accounts, implementing multi-factor authentication, and disabling unused protocols, such as RDP.

Related: FBI Warns Ransomware Attack Could Disrupt Food Supply Chain

Related: CISA, FBI Warn of Increase in Ransomware Attacks on Holidays

Related: FBI Shares IOCs for ‘Hive’ Ransomware Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.