The FBI announced on Monday that the Ranzy Locker ransomware has infected at least 30 US firms across a variety of industries this year. “Unknown cyber criminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021. The victims include the construction subsector of the critical manufacturing sector, the academia subsector of the government facilities sector, the information technology sector, and the transportation sector,” reads the flash alert.
The flash alert was issued in collaboration with CISA and is intended to provide information to security professionals to aid in the detection and prevention of ransomware attacks. The majority of Ranzy Locker victims who reported intrusions told the FBI that the attackers broke into their networks by brute-forcing RDP credentials.
Others have recently revealed that the attackers utilized credentials acquired in phishing operations or targeted insecure Microsoft Exchange servers.
Ranzy Locker operators will steal unencrypted documents while within a victim's network before encrypting systems on their victims' corporate networks, a method utilized by most other ransomware gangs. These exfiltrated files, which contain sensitive information such as customer information, personally identifiable information (PII) data, and financial records, are used as leverage to force victims to pay a ransom in order to regain access to their files and prevent the data from being leaked online.
In several cases, the gang used a double model of extortion, threatening victims with leaking stolen data if they did not pay the ransom. Indicators of compromise (IOCs) connected with Ranzy Locker operations and Yara rules to identify the threat are also included in the flash warning.
Victims will get a 'Locked by Ranzy Locker' notice and a live chat screen to negotiate with the threat actors when they visit the group's Tor payment site. The ransomware operators also offer their victims to decrypt three files for free as part of this "service" to demonstrate that the decryptor can restore their files.
Implement regular backups of all data to be stored as air-gapped, password-protected copies offline, implement network segmentation so that no machine on your network is accessible from any other machine, install and regularly update antivirus software on all hosts, and enable real-time detection, and install updates/patches to operating systems, software, and firmware as soon as updates/patches become available, are some of the recommended mitigations that were included in the alert.