article featured image


A flash alert was published on Monday by the Federal Bureau of Investigation emphasizing the effects Ranzy Locker ransomware has had over this year on US companies. According to the FBI’s statement, at least 30 US enterprises were affected by this cyber threat that targeted various industry sectors.

The FBI coordinated with the Cybersecurity and Infrastructure Security Agency (CISA) to issue this flash alert under discussion released for informational purposes, as it’s developed to assist security professionals in finding detection and guarding techniques to block ransomware attempts.

The report also mentions that remote Desktop Protocol (RDP) credentials brute-forcing was the most used type of cyberattack with the goal to breach networks.

Vulnerable Microsoft Exchange servers were also exploited during cyberattacks and phishing attacks represented another segment of the reported ones where the main tools of hackers were stolen credentials.

FBI’s flash alert also offers technical details on how a Ranzy Locker attack might unfold, what mitigation measures can be put in place, and also YARA rules and indicators of compromise (IOC) aimed to be of help for detection and defending purposes.

Unknown cybercriminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021. (..) The victims include the construction subsector of the critical manufacturing sector, the academia subsector of the government facilities sector, the information technology sector, and the transportation sector.


Ranzy Locker: How It Works

As BleepingComputer publication mentions, Ranzy Locker works like this:

  • Hackers reach the targeted networks;
  • Before system encryption, they will perform unencrypted files theft, the so-called double extortion;
  • The exfiltrated information might be customer data, PII ( personally identifiable information), or financial data;
  • Basically, the victims are threatened with data leakage if they do not pay the ransom;
  • If the victims will go to the Tor site where payments are made, a page with the message ‘Locked by Ranzy Locker’ will appear;
  • And what’s more, there will also be a live chat for negotiation purposes;
  • To prove the validity of the decryptor they offer, the threat actors allow victims to use that decryptor for free only for 3 files.

Now comes the question: what happens to victims that refuse to pay the ransom?  It’s said that the data the hackers stole from them will be released on the Ranzy Leak which is the data leak site of Ranzy Locker.

As the same publication mentioned above states, it seems that Ako Ransomware also used this leak site domain Ranzy Locker is using now, so apparently the latter is a rebranded version of ThunderX Ransomware which also derived from Ako.

How to Stay Safe?

Ransomware is the most popular threat nowadays with advanced techniques hard to fight with. It’s important to have the best cybersecurity solutions especially if you want to keep your business protected and up and running. Do not let ransomware give you a bad time and check out our Ransomware Encryption Protection that will help your company stay away from malicious encryption attempts, being packed with efficient detection features.

If you enjoyed this article, because we know that you surely did, don’t forget to follow us on LinkedInTwitterFacebookYoutube, or Instagram to never miss a thing we post!

Author Profile

Andra Andrioaie

Security Enthusiast

linkedin icon

Hi! My name is Andra and I am a passionate writer interested in a variety of topics. I am curious about the cybersecurity world and what I want to achieve through what I write is to keep you curious too!

Leave a Reply

Your email address will not be published. Required fields are marked *