The FBI has published a flash alert warning that Ranzy Locker ransomware operations had already compromised at least 30 US companies as of July 2021.
The gang has been active since at least 2020 and has hit organizations across a range of industries.
“Unknown cyber criminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021. The victims include the construction subsector of the critical manufacturing sector, the academia subsector of the government facilities sector, the information technology sector, and the transportation sector.” reads the flash alert.
The attack vector most used by the Ranzy Locker operators is brute-forcing of Remote Desktop Protocol (RDP) credentials. In recent attacks, the group has also exploited known Microsoft Exchange Server vulnerabilities and used phishing messages to gain a foothold on target networks.
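Because RDP credential brute-forcing is the group's most common entry vector, the single most useful detection is a count of failed logons per source address on the RDP-exposed host. The script below is an added example (not code from the FBI alert or from SecurityAffairs) that runs a sliding-window threshold over constructed, simplified Windows Security Event ID 4625 records; the line format, sample addresses, user names and thresholds are all assumptions for illustration. Note the caveat a defender needs: when Network Level Authentication is enabled, a failed RDP logon is recorded with LogonType 3 (Network) rather than 10 (RemoteInteractive), so filtering on LogonType 10 alone misses most real brute-force traffic.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (NOT from the FBI alert). Each line mimics the
# fields of a Windows Security event: 4625 = failed logon, 4624 = success.
SAMPLE_EVENTS = [
    "2021-07-01T10:00:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.5",
    "2021-07-01T10:00:03 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.5",
    "2021-07-01T10:00:05 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=203.0.113.5",
    "2021-07-01T10:00:07 EventID=4625 LogonType=2 TargetUser=jsmith SourceIP=127.0.0.1",   # local console, ignored
    "2021-07-01T10:00:09 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.5",
    "2021-07-01T10:00:11 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.7",  # success, ignored
    "2021-07-01T10:00:12 EventID=4625 LogonType=3 TargetUser=sysadmin SourceIP=203.0.113.5",  # NLA-style failure
    "2021-07-01T10:03:30 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.7",
    "2021-07-01T10:20:00 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.7",  # outside window
]

# 10 = RemoteInteractive (classic RDP); 3 = Network, which is where RDP
# failures land when NLA/CredSSP authenticates before the session starts.
RDP_LOGON_TYPES = {10, 3}


def parse_event(line):
    """Parse one constructed 'timestamp key=value ...' record into a dict."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {
        "ts": datetime.fromisoformat(ts_str),
        "event_id": int(fields["EventID"]),
        "logon_type": int(fields["LogonType"]),
        "user": fields["TargetUser"].lower(),  # normalise case so admin/Administrator collapse
        "src": fields["SourceIP"],
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag any source IP with >= threshold failed RDP-style logons inside a sliding window.

    Input lines are assumed to be in chronological order. Returns a dict
    keyed by source IP with the first-seen time, attempt count at the moment
    the threshold was crossed, and the set of account names tried.
    """
    recent = defaultdict(deque)  # src -> deque of (timestamp, user) within the window
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if ev["event_id"] != 4625 or ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        # Drop attempts that have aged out of the window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = {
                "first_seen": q[0][0],
                "attempts": len(q),
                "users": sorted({u for _, u in q}),
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {info['attempts']} failures since {info['first_seen']}, accounts tried: {info['users']}")
```

In the constructed sample only 203.0.113.5 crosses the threshold, and the account list shows the spraying pattern (administrator, admin, backup, sysadmin) that distinguishes a brute-force run from a user mistyping a password. In production the same logic is normally expressed as a SIEM rule; the threshold and window should be tuned against a baseline of legitimate failures on the host, and the real fix is to keep RDP off the internet behind a VPN or gateway with MFA.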
Once they have gained access to the target network, the attackers attempt to locate sensitive data, including customer information, files containing PII, and financial records. Ranzy Locker targets Windows systems, including servers and virtual machines.
In some cases the group has used a double-extortion model, threatening to leak the stolen data if the victims do not pay the ransom.
The flash alert also includes indicators of compromise (IOCs) associated with Ranzy Locker operations and Yara rules to detect the threat.
Below are the recommended mitigations included in the alert:
(SecurityAffairs – hacking, Ranzy Locker ransomware)