Ranzy Locker ransomware has attacked at least 30 U.S. companies through July 2021, the Federal Bureau of Investigation (FBI) said in a new Flash alert.
Victims include entities in construction, academia, information technology and transportation. Construction, a subset of manufacturing, information technology and transportation are among 16 U.S. critical infrastructure sectors.
Most reported that the attackers conducted brute force password operations targeting Remote Desktop Protocol (RDP) credentials to gain access to the victims’ networks, the law enforcement agency said. The compromised companies also said the threat actors had exploited known vulnerabilities in Microsoft Exchange Server and used phishing tactics to gain network entry.
Ranzy Locker Ransomware Attacks: Typical Scenarios
The FBI said it became aware of the Ranzy Locker ransomware as recently as late last year. In the campaigns here’s how the threat actors operated:
- Once inside a target’s network, the hackers attempted to locate important files to exfiltrate, such as customer information, personal identifiable information files and financial records.
- They then deployed Ranzy Locker to encrypt files on compromised Windows host machines, including servers and virtual machines and attached network shares.
- The Ranzy Locker executable leaves a ransom note in all directories where encryption occurred demanding the victim pay a ransom in exchange for a decryption tool.
- In some cases, Ranzy actors have demanded a second ransom from the victim in exchange for not leaking the data on the Internet.
The FBI also provided technical details on mechanisms used in Ranzy Locker attacks, indicators of compromise (IOCs) and recommended mitigations. The Ranzy Locker actors may establish new accounts on domain controllers, servers, workstations, or the active directories. Newly created accounts with the name “felix” have been observed on at least three victims of the ransomware. The ransom note for Ranzy Locker has similarities to the wording in both the AKO and ThunderX ransom notes. ThunderX was a ransomware operation launched in August 2020.
How MSSPs Can Mitigate Ranzy Locker Ransomware Attacks: FBI Best Practices
The FBI recommends companies enact these 10 mitigations:
- Implement regular backups of all data to be stored as air gapped, password protected copies offline. Ensure these copies are not accessible for modification or deletion from any system where the original data resides.
- Implement network segmentation so that all machines on your network are not accessible from every other machine.
- Install and regularly update antivirus software on all hosts and enable real time detection.
- Install updates/patch operating systems, software and firmware as soon as updates/patches are released.
- Review domain controllers, servers, workstations and active directories for new or unrecognized user accounts.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind. Do not give all users administrative privileges.
- Disable unused remote access/RDP ports and monitor remote access/RDP logs for any unusual activity.
- Consider adding an email banner to emails received from outside your organization.
- Disable hyperlinks in received emails.
- Use double authentication when logging into accounts or services.
