
Ranzy Locker Ransomware

Posted: October 1, 2020

The Ranzy Locker Ransomware is a file-locking Trojan that's a possible update of the ThunderX Ransomware. The Ranzy Locker Ransomware attacks can stop users' files from opening by encrypting them, favoring digital media, such as documents. Appropriate backup precautions can assist with recovery, along with any credible anti-malware solutions for removing the Ranzy Locker Ransomware.

The Trojans that Supplement Their Extortion with Data Leaks

As some AES-Matrix Ransomware campaigns and other corporate entity-targeting threats show, leaking data to the public is a viable alternative to its destruction, in the right circumstances. One of the independent Trojans leveraging this technique, the ThunderX Ransomware, might have an upgrade for fall: the Ranzy Locker Ransomware. The latter (not a relative of 2016's supposedly 'educational' Razy Ransomware) swaps out some details for less-generic cosmetics, but most of its features are all but identical to the ThunderX Ransomware's payload.

The Ranzy Locker Ransomware remains a Windows program with no signatures or other exceptional obfuscation, apart from an installer file name made up of random numbers. The Trojan's behavior includes such archetypal attacks as:

  • The Ranzy Locker Ransomware encrypts digital media files, such as images, archives, documents, and spreadsheets and makes them non-openable in the process.
  • The Ranzy Locker Ransomware adds a customized extension ('RNZ') to the files' names without erasing the previous extension.
  • The Ranzy Locker Ransomware generates custom ID key files for victims inside the folders with the encrypted data.
  • The Ranzy Locker Ransomware deletes the Shadow Volume Copies or the Restore Points (with a CMD command).
  • The Ranzy Locker Ransomware delivers a ransom note in TXT, promoting the threat actor's premium recovery service.
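As an added example (not code from the article or from the Trojan's authors), a Python triage script for scoping an infection of this kind: it inventories files carrying the appended '.RNZ' extension, recovers their pre-attack names (usable for backup restoration, since the original extension is preserved underneath), and tallies which data types were hit. The ransom-note file name used as a hint is an assumption; the article only says the note is a TXT file.

```python
"""Scope a Ranzy Locker-style incident from the file-system artefacts.

The '.RNZ' suffix and the appended-extension behaviour are taken from the
article above; the note-name hint is an assumption (note names vary).
"""
import os
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".RNZ"   # stated in the article
NOTE_NAME_HINT = "readme"   # assumed: the article only says the note is a TXT


def original_name(path):
    """Strip the appended '.RNZ' so the pre-attack name (with its real extension) is known."""
    if path.lower().endswith(ENCRYPTED_SUFFIX.lower()):
        return path[:-len(ENCRYPTED_SUFFIX)]
    return None


def inventory(root):
    """Walk `root` and return (restore_list, by_extension, note_dirs).

    restore_list : [(encrypted_path, original_path), ...] for backup lookups
    by_extension : Counter of original extensions hit (which media was targeted)
    note_dirs    : directories holding a TXT whose name contains NOTE_NAME_HINT
    """
    restore, exts, note_dirs = [], Counter(), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            orig = original_name(full)
            if orig is not None:
                restore.append((full, orig))
                exts[os.path.splitext(orig)[1].lower() or "(none)"] += 1
            elif name.lower().endswith(".txt") and NOTE_NAME_HINT in name.lower():
                note_dirs.append(dirpath)
    return restore, exts, note_dirs


def build_sample_tree():
    """Constructed fixture mimicking a hit share; returns its root path."""
    root = tempfile.mkdtemp(prefix="rnz_demo_")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    for name in ("q3-report.docx.RNZ", "budget.xlsx.RNZ", "photo.jpg.RNZ", "notes.txt"):
        open(os.path.join(docs, name), "wb").close()
    with open(os.path.join(docs, "readme_to_recover.txt"), "w") as fh:
        fh.write("constructed ransom note placeholder\n")
    return root


if __name__ == "__main__":
    restore, exts, note_dirs = inventory(build_sample_tree())
    for enc, orig in restore:
        print(f"restore {os.path.basename(orig)} in place of {os.path.basename(enc)}")
    print(dict(exts), note_dirs)
```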

The message is the most telling aspect of the Ranzy Locker Ransomware's payload. It's nearly identical to ThunderX Ransomware's note and carries over its more interesting qualities: the presumption of the victim's being a company server and the threat (possibly, a bluff) of leaking data. This warning gives the Ranzy Locker Ransomware another form of leverage against its targets for encouraging ransom transactions, even if the victim can recover their files from backups.

Plugging Leaky Servers before a Data Spill

Server admins should always take precautions against file-locking Trojans and similar attacks, which may delete, lock or collect data at the attacker's pleasure. Passwords should never use overly simple strings or commonly-known 'default' values (like 'admin123'), which would let hackers brute-force them relatively quickly. All software should be kept as up-to-date as possible, lest publicly-known vulnerabilities enable privilege escalation exploits and other attacks. More relevant to all employees, malware researchers recommend that users handle any e-mail attachments with care and leave macros disabled when in doubt.

The leaking of server information to the public isn't always more than a bluff, but some threat actors do traffic in this strategy. Companies should anticipate the potential theft of data, with unpredictable consequences, whenever an attacker gains remote access to their servers through e-mail exploits or other means. Since the Ranzy Locker Ransomware has no remote access capabilities by itself, its campaign may involve additional tools, such as RATs.

Dedicated anti-malware products tend to be highly effective against file-locker Trojans, including the less-obfuscated ones, like the ThunderX Ransomware and its kin. Deleting the Ranzy Locker Ransomware should be trivial for any well-designed cyber-security product.

A Trojan with no known relatives that begins spawning offspring is always worth watching for future development. Whether the Ranzy Locker Ransomware stays an only child or acquires future siblings, it's a problem for server admins that isn't so easily resolved by disinfection alone.
