The FBI has released a new warning about the Ranzy Locker ransomware operation, which had already compromised at least 30 US businesses this year. The gang has been active since at least 2020, and its operators have targeted organisations across a variety of industries.
The flash alert reported that, “As of July 2021, unknown cyber criminals using Ranzy Locker ransomware had compromised more than 30 US businesses.” Victims included the construction subsector of the critical manufacturing sector, the academia subsector of the government facilities sector, the information technology sector and the transportation sector.
Victims who reported attacks told the FBI that the operators breached their networks by brute-forcing Remote Desktop Protocol (RDP) credentials. More recently, other victims have reported that the attackers also exploited vulnerable Microsoft Exchange servers or used credentials stolen in phishing attacks.
Once inside a victim’s network, Ranzy Locker operators steal unencrypted documents before encrypting systems on the corporate network, the double-extortion tactic now used by the majority of ransomware gangs. The exfiltrated files, which contain sensitive information such as customer information, personally identifiable information (PII) and financial records, are used as leverage: victims are pressured to pay not only to recover their files but also to prevent the stolen data from being leaked online.
The flash alert also includes indicators of compromise (IOCs) associated with Ranzy Locker operations. The following are the mitigations recommended in the alert:
- Implement regular backups of all data, stored as air-gapped, password-protected copies offline. Ensure these copies are not accessible for modification or deletion from any system where the original data resides.
- Implement network segmentation, such that all machines on your network are not accessible from every other machine.
- Install and regularly update antivirus software on all hosts, and enable real-time detection.
- Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
- Review domain controllers, servers, workstations and Active Directory for new or unrecognized user accounts.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind. Do not give all users administrative privileges.
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
- Consider adding an email banner to emails received from outside your organization.
- Disable hyperlinks in received emails.
- Use two-factor or multi-factor authentication when logging into accounts or services.
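The alert names RDP credential brute-forcing as the reported initial access vector and tells defenders to monitor RDP logs for unusual activity. The script below is an added example, not code from the FBI alert or from any vendor, showing what that monitoring looks like in practice: it scans Windows Security log events for a burst of failed logons (Event ID 4625) from one source address, and escalates when a successful logon (Event ID 4624) from that same address follows the burst. The sample events are constructed for the demonstration; the threshold and window values are assumptions to tune for your environment. One caveat worth building in: when Network Level Authentication is enabled, failed RDP attempts are recorded with Logon Type 3 (Network) rather than 10 (RemoteInteractive), so a detector that only counts Logon Type 10 failures misses the brute force entirely.

```python
"""Flag RDP password-guessing in Windows Security log events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Logon types that matter for RDP: 10 = RemoteInteractive; 3 = Network, which is
# how failed RDP logons appear when Network Level Authentication is enabled.
RDP_LOGON_TYPES = {3, 10}
FAIL_THRESHOLD = 10              # assumed tuning value: failures inside the window
WINDOW = timedelta(minutes=5)    # assumed tuning value: sliding window length


def _event(ts, event_id, logon_type, ip, user):
    return {"time": ts.isoformat(), "EventID": event_id, "LogonType": logon_type,
            "IpAddress": ip, "TargetUserName": user}


def build_sample_events():
    """Constructed sample data (not real logs) covering the cases that matter."""
    evs = []
    # A normal user logging in once: must not be flagged.
    evs.append(_event(datetime(2021, 7, 1, 8, 0, 0), 4624, 10, "10.0.0.5", "alice"))
    # One typo followed by success: below threshold, must not be flagged.
    evs.append(_event(datetime(2021, 7, 1, 8, 30, 0), 4625, 3, "10.0.0.9", "bob"))
    evs.append(_event(datetime(2021, 7, 1, 8, 30, 20), 4624, 10, "10.0.0.9", "bob"))
    # Fast brute force with NLA on: 12 failures (Logon Type 3) in two minutes,
    # cycling through account names, then a successful RDP logon as "backup".
    base = datetime(2021, 7, 1, 9, 0, 0)
    names = ["administrator", "admin", "backup", "scanner", "sqlsvc", "helpdesk"]
    for i in range(12):
        evs.append(_event(base + timedelta(seconds=10 * i), 4625, 3,
                          "203.0.113.7", names[i % len(names)]))
    evs.append(_event(base + timedelta(seconds=130), 4624, 10, "203.0.113.7", "backup"))
    # Low-and-slow guessing: 12 failures spaced 40 s apart never puts 10 inside
    # a 5-minute window, so it stays under the default threshold. This is the
    # gap a longer window or a per-day count would close.
    slow = datetime(2021, 7, 1, 10, 0, 0)
    for i in range(12):
        evs.append(_event(slow + timedelta(seconds=40 * i), 4625, 10,
                          "198.51.100.9", "administrator"))
    return evs


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: finding} for every address that crossed the threshold.

    finding["failures"]      peak number of failures seen inside one window
    finding["users"]         distinct account names tried from that address
    finding["success_after"] the 4624 event that followed the burst, or None
    """
    events = sorted(events, key=lambda e: e["time"])   # ISO-8601 strings sort correctly
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    tried = defaultdict(set)      # ip -> account names attempted
    findings = {}
    for ev in events:
        if ev["LogonType"] not in RDP_LOGON_TYPES:
            continue
        ip = ev["IpAddress"]
        ts = datetime.fromisoformat(ev["time"])
        q = recent[ip]
        while q and ts - q[0] > window:       # slide the window forward
            q.popleft()
        if ev["EventID"] == 4625:
            q.append(ts)
            tried[ip].add(ev["TargetUserName"])
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"failures": 0, "users": [], "success_after": None})
                f["failures"] = max(f["failures"], len(q))
                f["users"] = sorted(tried[ip])
        elif ev["EventID"] == 4624 and ip in findings and findings[ip]["success_after"] is None:
            # A success from an address already flagged for guessing: treat the
            # account as compromised, not merely attacked.
            findings[ip]["success_after"] = ev
    return findings


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(build_sample_events()).items():
        verdict = "COMPROMISED" if f["success_after"] else "brute force"
        print(f"{ip}: {verdict}, {f['failures']} failures, accounts tried: {', '.join(f['users'])}")
        if f["success_after"]:
            print(f"  successful logon as {f['success_after']['TargetUserName']} at {f['success_after']['time']}")
```

Feeding real data means exporting 4624/4625 events with their LogonType, IpAddress and TargetUserName fields from the Security log (or a SIEM) into the same dictionary shape. The slow-guessing case in the sample data is deliberate: a five-minute window catches tooling that sprays passwords quickly but not a patient attacker, so pair this check with the alert's other advice, namely disabling RDP that is not needed and requiring multi-factor authentication on what remains.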