Ranzy Locker Ransomware Hit At Least 30 US Organizations In 2021

by | November 20, 2021 | Cybersecurity News

The FBI reported that threat actors behind Ranzy Locker ransomware had targeted and compromised at least 30 U.S.-based companies from several industry sectors so far this year.

Ranzy Locker Targeting Critical Infrastructure

The hacking group operating Ranzy Locker ransomware reportedly hit at least 30 U.S. organizations from critical industries such as the construction, information technology, and transportation subsectors.

“Unknown cybercriminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021,” the FBI said in a TLP: WHITE flash alert.

“The victims include the construction subsector of the critical manufacturing sector, the academia subsector of the government facilities sector, the information technology sector, and the transportation sector.”

The alert was released in coordination with CISA and offers essential information that could help security experts prevent and improve defenses against ransomware attacks.

The majority of victims reported that the threat actors hacked into their systems by brute-forcing Remote Desktop Control (RDP) credentials.

Other victims told the FBI that the cybercrooks exploited weaknesses in Microsoft Exchange servers or used credentials harvested in phishing campaigns.

Ranzy Locker operators used stolen credentials to breach networks.
Ranzy Locker ransomware submissions (ID Ransomware). Credit: BleepingComputer

The Ransomware Attack’s Mechanisms

Much like any other ransomware group, once the Ranzy Locker attackers infiltrate the victim’s network, they will also steal unencrypted files before encrypting systems on corporate networks.

The stolen documents contain highly sensitive data, such as customer information, PII (personally identifiable information), and financial records. The attackers then leverage them to pressure victims into paying the ransom to get their files back and prevent their confidential data from being published online.

The threat actors will offer to negotiate with victims on a Tor payment website displaying a ‘Locked by RanzyLocker’ message and a live chat screen.

They will also allow victims to decrypt three files for free to prove that the decryptor that they are about to purchase really works and can restore their files.

Ranzy Locker Tor payment site. Credit: BleepingComputer

If the victim fails to pay up, they will have their stolen information published on Ranzy Leak, the cybercriminal group’s leak website.

The leak site uses the same domain as the former Ako Ransomware, as part of the gang’s rebranding from Ako to ThunderX, and lastly, Ranzy Locker.

The ThunderX ransomware scheme was launched in late August 2020. In just a month, cybersecurity researchers found flaws in its encryption and created a free decryption key.

Not long after, the ransomware group fixed the weaknesses and released a new version of their ransomware strain, called Ranzy Locker.

FBI’s flash alert also contains technical information on tactics used by the threat actors, recommendations, indicators of compromise, and YARA rules to spot and prevent these malicious attempts.


BleepingComputer FBI: Ranzy Locker ransomware hit at least 30 US companies this year

FBI TLP: WHITE flash alert


Photo by FLY:D on Unsplash

by Diana Panduru

Content writer for Attack Simulator. Passionate about all things writing and cybersecurity, and obsessed with driving. I sometimes indulge in pencil drawing, poetry, and cooking for fun.

There’s no reason to postpone training your employees

Get a quote based on your organization’s needs and start building a strong cyber security infrastructure today.