June 6, 2023

The FBI published a flash alert to warn of Ranzy Locker ransomware operations that had already compromised at least 30 US companies this year.

The gang has been active since at least 2020, threat actors hit organizations from various industries.

Unknown cyber criminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021. The victims include the construction subsector of the critical manufacturing sector, the academia subsector of the government facilities sector, the information technology sector, and the transportation sector.

The attack vector most used by the Ranzy Locker ransomware operators are brute force attempts targeting RDP credentials. The group also exploited known Microsoft Exchange Server vulnerabilities and used phishing messages to target computer networks.


Once gained access to the target network, the ransomware gang attempts to locate sensitive data, including customer information, PII related files, and financial records. The Ranzy Locker ransomware targets Windows systems, including servers and virtual machines.

In some cases the group implemented a double model of extortion, threatening victims to leak the stolen data if they don’t pay the ransom.

The flash alert also includes indicators of compromise (IOCs) associated with Ranzy Locker operations and Yara rules to detect the threat.

Below are the recommended mitigations included in the alert:

  • Implement regular backups of all data.
  • Implement network segmentation.
  • Install and regularly update antivirus software on all hosts, and enable real time detection.
  • Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
  • Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Disable unused remote access/RDP ports and monitor remote access/RDP logs for any unusual activity.
  • Add an email banner to emails received from outside your organization.
  • Disable hyperlinks in received emails.
  • Use double authentication when logging into accounts or services.

Indicators of Compromise



Leave a Reply

%d bloggers like this: