Day 15: Ranzy Locker Ransomware

Ranzy Locker ransomware can be distributed in numerous ways by threat actors. Ranzy Locker can infiltrate systems through several leaks, including integration with third-party software applications, spam emails from unknown senders, sites offering free hosting services, and pirated peer-to-peer (P2P) downloads. Once inside the target’s network, the threat actors search for important files to exfiltrate, including customer information, personally identifiable information (PII) files, and financial records. Ranzy Locker ransomware is then deployed to encrypt files on compromised Windows host machines, including servers, virtual machines, and attached network shares. Ranzy Locker uses a combination of brute force to unlock RDP login information and Microsoft Exchange exploits accessing the victim’s infrastructure and sensitive information. The unencrypted documents are stolen before they are encrypted on the victim’s systems. One of the common indicators of compromises (IOCs) found in Ranzy Locker infections is ransomware often creates a user account named “felix” for persistence.