[MART] - Daily Diary #379 - FBI Warns of Ranzy Locker

CTAS-MAT ctas-mat at appgate.com
Thu Oct 28 21:25:44 UTC 2021

I hope everyone is doing well!

Below is the entry for today.

10/28/2021 - Diary entry #379

Ranzy Locker is yet another Ransomware operating using the double-extortion model. Before encrypting the data, Ranzy operators exfiltrate sensitive data and threaten to publish on Ranzy Leak, their wall-of-shame, if the ransom is not paid. Ranzy is actually a rebrand of TunderX ransomware, active since 2020. Curiously, Ranzy's wall-of-shame URL is the same used by AKO Ransomware (a.k.a. MedusaLocker), active from 2019 to 2020.

It's easy to spot files affected by Ranzy Locker, as the malware appends the .ranzy extension to every affected file. The files are encrypted with a well-known combination of AES + RSA, used by multiple ransomware families covered in our Daily Diaries.

This week, on October 25th, FBI published a "flash alert" about Ranzy Locker. According to the advisory, in July this year, more than 30 US-based companies had been hit by Ranzy. The alert also mentions that the majority of attacks used bruteforced RDP credentials as an infection vector.

Our team found the URLs used by Ranzy Locker. Besides a server located in the TOR network (.onion domains) commonly used by most ransomware families, Ranzy also had a .hk domain, presented in the ransom note for victims to negotiate the ransom payment. Today, October 28th, all Ranzy Locker domains, including Ranzy Leak, are offline. It's not clear if it's a temporary thing, as the group might shutdown their servers to avoid unwanted attention, or if it's a result of the recent international efforts to fight ransomware.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>

Felipe Duarte Domingues
Security Researcher

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.immunityinc.com/pipermail/mart/attachments/20211028/017d3ff6/attachment.htm>

More information about the MART mailing list