FBI published a flash alert warning that Ranzy Locker Ransomware targeting various sectors has compromised 30 U.S companies in 2021...

Continue reading
Ranzy Locker ransomware first emerged in 2020, targeting sectors like construction, facilities, information technology, and transportation. The compromised data includes customer information, PII-related files, and financial records from infected systems, which were reportedly exfiltrated following the deployment of the ransomware.
FBI has **published** a flash alert stating that threat actors employing Ranzy Locker Ransomware have already compromised 30 U.S businesses this year.

_Ranzy Locker ransomware submissions (ID Ransomware)_ <br>
Most of the operations were executed by a brute force attack that targets remote Desktop Protocol (RDP) credentials to access networks. Actors have recently switched up their techniques to exploit the Microsoft Exchange Server vulnerabilities and phishing to infiltrate networks.

_Ranzy Locker Tor payment site_ <br>
Files are encrypted using Ranzy Locker, and the system is left with a ransom note in all directories, which has details regarding the payment for the decryption tool. The Ranzy Locker executable further attempts to penetrate other attached networks.
The ransom notes from sample victims presented a lot of similarities with both their previous variants AKO and ThunderX

The Ranzy Locker Executable named `subID` is a 32-bit PE (portable executable) that requires administrator credentials to run. The samples found in victim computers have the same functionality but differ in the hash value. The executable file contains hex coded strings that can delete backups from a system and disable Windows Error Recovery.


Few recommended mitigations from the flash alert include up-to-date antivirus software on all hosts and implementing regular backups for data. Double authentication is advised on all accounts or services as an additional layer of protection.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation