The Federal Bureau of Investigation (FBI) issued a report detailing security compromises associated with Ranzy Locker ransomware, which has targeted victims in the U.S. since late 2020.
Victims include businesses in the manufacturing, transportation, and information technology sectors. Most victims reported that the actors gained access to their networks by brute-forcing Remote Desktop Protocol (RDP) credentials. As of July 2021, the actors had compromised more than 30 U.S. businesses.
According to the report, more recent victims reported that the actors exploited known Microsoft Exchange Server vulnerabilities and used phishing to compromise their networks, then attempted to locate and exfiltrate important files.
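The RDP brute-force access described above leaves a recognizable trail in the Windows Security log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, often cycling through account names, sometimes followed by a successful logon (Event ID 4624) from that same address. The Python below is an added example written for this article, not code from the FBI report or from the ransomware operators. It runs over a constructed, simplified CSV export of such events (the field layout, timestamps and RFC 5737 sample addresses are all assumptions) and flags any source IP that exceeds a failure threshold inside a sliding time window, escalating the finding when a later RDP logon from that IP succeeds.

```python
"""Flag RDP credential brute forcing in a Windows Security event export.

Rule: `threshold` or more 4625 (failed logon) events with LogonType 10
(RemoteInteractive / RDP) from one source IP inside `window` is a burst.
A later 4624 (successful logon) over RDP from the same IP after a burst is
escalated, because that is the pattern of a guessed password being used.
The log below is constructed for this example; the CSV layout is assumed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = "4625"
SUCCESSFUL_LOGON = "4624"
RDP_LOGON_TYPE = "10"  # RemoteInteractive (Terminal Services / RDP)

# Constructed sample export, one event per line:
# TimeCreated,EventID,LogonType,IpAddress,TargetUserName
SAMPLE_LOG = """\
2021-07-12T02:14:03,4625,10,198.51.100.23,administrator
2021-07-12T02:14:04,4625,10,198.51.100.23,admin
2021-07-12T02:14:06,4625,10,198.51.100.23,backup
2021-07-12T02:14:07,4625,10,198.51.100.23,svc_sql
2021-07-12T02:14:09,4625,10,198.51.100.23,jsmith
2021-07-12T02:14:11,4625,10,198.51.100.23,administrator
2021-07-12T02:14:40,4624,10,198.51.100.23,jsmith
2021-07-12T02:20:00,4625,10,203.0.113.7,jsmith
2021-07-12T03:05:00,4625,10,203.0.113.7,jsmith
2021-07-12T03:06:00,4624,3,192.0.2.5,fileshare$
2021-07-12T03:07:00,4625,2,-,jdoe
"""


def parse_events(text):
    """Parse the CSV export into dicts, sorted by time (exports are not always ordered)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, logon_type, ip, user = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "ip": ip,
            "user": user,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: finding} for IPs whose RDP failures exceed the threshold in the window."""
    recent = defaultdict(deque)  # ip -> timestamps of RDP failures still inside the window
    stats = defaultdict(lambda: {
        "failures": 0,             # total RDP failures from this IP
        "usernames": set(),        # accounts tried (password spraying shows up here)
        "burst": False,            # threshold reached inside the window at least once
        "success_after_burst": None,  # account that later logged in via RDP, if any
    })
    for ev in events:
        # Only RDP logons from a real remote address are of interest here.
        if ev["logon_type"] != RDP_LOGON_TYPE or ev["ip"] in ("-", ""):
            continue
        ip = ev["ip"]
        if ev["event_id"] == FAILED_LOGON:
            s = stats[ip]
            s["failures"] += 1
            s["usernames"].add(ev["user"])
            q = recent[ip]
            q.append(ev["time"])
            while ev["time"] - q[0] > window:  # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                s["burst"] = True
        elif ev["event_id"] == SUCCESSFUL_LOGON and stats[ip]["burst"]:
            stats[ip]["success_after_burst"] = ev["user"]
    return {ip: s for ip, s in stats.items() if s["burst"]}


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        verdict = "LIKELY COMPROMISE" if f["success_after_burst"] else "brute-force attempt"
        print(f"{ip}: {verdict}, {f['failures']} RDP failures across "
              f"{len(f['usernames'])} accounts"
              + (f", then logon as {f['success_after_burst']}" if f["success_after_burst"] else ""))
```

The two failures from 203.0.113.7 are 45 minutes apart and never reach the threshold, so they are not reported, while the six failures from 198.51.100.23 in eight seconds followed by a successful logon as `jsmith` are escalated. In a real deployment the threshold and window should be tuned to the environment's normal failure rate, and the source address should be taken from the 4625 event's IpAddress field, which is empty (`-`) for local logons.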
“Ranzy Locker is deployed to encrypt files on compromised Windows host systems and attached network shares,” the report noted. “The Ranzy Locker hackers leave a ransom note in all directories where encryption occurred demanding the victim pay a ransom in exchange for a decryption tool.”
In the report, the FBI offered U.S. companies several recommendations for preventing attacks and responding to them, including:
- Implement regular backups of all data, stored offline as air-gapped, password-protected copies. Ensure these copies cannot be modified or deleted from any system where the original data resides.
- Implement network segmentation so that not every machine on the network is reachable from every other device.
- Install and regularly update antivirus software on all hosts, and enable real-time detection.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind. Do not give all users administrative privileges.
- Disable hyperlinks in received emails.
- Use multi-factor authentication when logging into accounts or services.