In a flash alert to organisations that may be at risk, the FBI has warned that more than 30 US-based companies had been hit by the Ranzy Locker ransomware by July this year.

According to the alert, issued jointly with the Cybersecurity and Infrastructure Security Agency (CISA), most of the victims were compromised after brute-force credential attacks against exposed Remote Desktop Protocol (RDP) services gave the attackers a foothold on the targets' networks.
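Brute-force attacks against exposed RDP leave a recognisable trace in Windows Security logs: a burst of failed-logon events (Event ID 4625) with logon type 10 (RemoteInteractive) from a single source address, often followed by a successful logon (Event ID 4624) from that same address once a password is guessed. The following detector is an added example written for this page; it is not code from the FBI/CISA alert, and the sample records, field layout (a flattened subset of the real event fields) and the five-failures-in-five-minutes threshold are all assumptions chosen for illustration.

```python
"""Flag RDP brute-force attempts in flattened Windows Security event records.

Added example, not from the FBI/CISA alert. Records are constructed for
illustration: a flattened subset of Windows events 4625 (failed logon) and
4624 (successful logon). Logon type 10 is RemoteInteractive, i.e. RDP.
The threshold and window are assumptions, not values taken from the alert.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10        # RemoteInteractive (RDP) logon type
EVENT_FAILED_LOGON = 4625
EVENT_SUCCESS_LOGON = 4624

# Constructed sample records (not real telemetry).
# Fields: time, EventID, LogonType, TargetUserName, IpAddress
SAMPLE_EVENTS = """\
2021-07-01T02:00:01 4625 10 administrator 203.0.113.5
2021-07-01T02:00:03 4625 10 admin 203.0.113.5
2021-07-01T02:00:04 4625 10 backup 203.0.113.5
2021-07-01T02:00:06 4625 10 sqlsvc 203.0.113.5
2021-07-01T02:00:07 4625 10 jsmith 203.0.113.5
2021-07-01T02:00:09 4625 10 jsmith 203.0.113.5
2021-07-01T02:00:15 4624 10 jsmith 203.0.113.5
2021-07-01T02:00:20 4625 10 jsmith 198.51.100.7
2021-07-01T02:31:00 4625 10 jsmith 198.51.100.7
2021-07-01T02:45:00 4625 3 fileshare 192.0.2.9
2021-07-01T02:45:01 4625 3 fileshare 192.0.2.9
2021-07-01T02:45:02 4625 3 fileshare 192.0.2.9
2021-07-01T02:45:03 4625 3 fileshare 192.0.2.9
2021-07-01T02:45:04 4625 3 fileshare 192.0.2.9
2021-07-01T02:45:05 4625 3 fileshare 192.0.2.9
"""


def parse_event(line):
    """Parse one flattened record into a dict; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, event_id, logon_type, account, ip = parts
    try:
        return {
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "ip": ip,
        }
    except ValueError:
        return None


def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return (flagged, successes).

    flagged:   {source_ip: peak number of RDP failures inside one sliding window}
    successes: [(source_ip, account, time)] for RDP logons that succeeded from a
               source already over threshold, i.e. a guessed password rather
               than a harmless lockout.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent RDP failures
    flagged = {}
    successes = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["logon_type"] != RDP_LOGON_TYPE:
            continue              # ignore non-RDP logons (e.g. network, type 3)
        q = recent[ev["ip"]]
        while q and ev["time"] - q[0] > window:
            q.popleft()           # expire failures outside the sliding window
        if ev["event_id"] == EVENT_FAILED_LOGON:
            q.append(ev["time"])
            if len(q) >= threshold:
                flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
        elif ev["event_id"] == EVENT_SUCCESS_LOGON and ev["ip"] in flagged:
            successes.append((ev["ip"], ev["account"], ev["time"]))
    return flagged, successes


if __name__ == "__main__":
    flagged, successes = detect_rdp_bruteforce(SAMPLE_EVENTS)
    for ip, count in flagged.items():
        print(f"RDP brute force from {ip}: {count} failures within window")
    for ip, account, when in successes:
        print(f"LIKELY COMPROMISE: {account} logged in over RDP from {ip} at {when}")
```

On the constructed input the detector flags 203.0.113.5 (six RDP failures in eight seconds) and raises the follow-on success for `jsmith` from that address as a likely compromise, while ignoring the slow two-attempt source and the network (type 3) failures against `fileshare`. In practice, the success-after-burst signal is the one to page on; the burst alone is background noise on any RDP service reachable from the internet, which is itself the condition to remove.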

More recent victims, according to the FBI, have reported that the attackers also exploited known vulnerabilities in Microsoft Exchange Server, and used phishing, to compromise their systems.

Once inside, the Ranzy Locker operators would exfiltrate files from the compromised network, often stealing personal information, customer details and financial records, before deploying the ransomware to encrypt files across the environment.

Victims would then find a ransom note in the affected folders, demanding a cryptocurrency payment both for the key to unlock the encrypted files and to prevent the exfiltrated files from being leaked online via the computer underground.

Ranzy Locker follows the now-familiar ransomware-as-a-service (RaaS) business model, which has put sophisticated attack infrastructure into the hands of anyone prepared to sign up as an affiliate.

The fact that anyone can, essentially, “rent” ransomware like Ranzy Locker to conduct their own attacks makes it all the more dangerous.

If only one group were using Ranzy Locker to attack corporations, they would be limited in their number of victims by their limited resources. But when ransomware is available to all, there’s nothing stopping any Tom, Dick or Harry from trying their luck and launching an attack.

So, it's clearly important that organisations know what to look out for, and for that reason the FBI flash alert includes indicators of compromise (IOCs) associated with Ranzy Locker, as well as YARA rules.