Threat profile: Ranzy Locker ransomware

Threat profile: Ranzy Locker ransomware

Ranzy Locker ransomware emerged in late 2020, when the variant began to target victims in the United States. According to a flash alert issued by the FBI, unknown cyber criminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021, including victims in the construction, academic, government, IT, and transportation sectors. Ranzy Locker is a successor of ThunderX and AKO ransomware.


The group behind Ranzy Locker is not very different in its business approach from other “big game” ransomware gangs. The ransomware is made available using the Ransomware-as-a-Service (RaaS) model, which allows the developers to profit from cybercriminal affiliates who deploy it against victims. It also runs a leak site where data stolen from victims who refuse to pay a ransom is published.

RDP again, and Exchange

Where the business model is no surprise, the same can be said about the attack methods that Ranzy Locker affiliates deploy to gain initial access. According to the same FBI alert a majority of victims reported that the threat actors conducted brute force attacks targeting Remote Desktop Protocol (RDP) credentials to gain access to the victims’ networks. Recent targets reported the actors leveraged known Microsoft Exchange Server vulnerabilities and phishing as the means of compromising their networks. 

Older, and now less frequent attack methods included malicious spam, and use of the RIG exploit kit, which was previously used to spread Princess ransomware. 

Recognizing Ranzy Locker 

So, how can you tell whether you have been hit by Ranzy Locker or one of the other, many, ransomware variants out there? Well, for starters you can tell from the header of the ransom note which is named readme.txt

---=== Ranzy Locker 1.1 ===---

Attention! Your network has been locked. Your computers and server are locked now. All encrypted files have extension: .ranzy

—- How to restore my files? —-

All files on each host in your network encrypted with strongest encryption algorithms Backups are deleted or formatted, do not worry, we can help you restore your files

Files can be decrypted only with private key – this key stored on our servers You have only one way for return your files back – contact us and receive universal decryption program

Do not worry about guarantees – you can decrypt any 3 files FOR FREE as guarantee

Some variants also use file extensions for the encrypted files that show Ranzy Locker was at work. Those extensions are .RNZ,

, and .RANZYLOCKED, but there are also some that are less helpful and add a random 6 character string. 


A typical series of actions performed Ranzy Locker ransomware is: 

  • Find and delete shadow volume copies, and other recent backups, and disable the Windows recovery environment. 
  • Run the encryption process but skip files that have
     extensions; and exclude paths with strings including 
    Tor Browser
  • Look for connected machines on the network.
  • Drops the ransom note on the desktop of the affected system. 

From what we have noticed, the double-extortion tactic—encrypting and exfiltrating data—is only used on some victims, probably depending on the size of the company and the type of data that was stolen. 


Based on the behavior of Ranzy Locker, the FBI recommends the following mitigation strategies: 

  • Store regular backups of your data off-site and offline, where attackers can’t reach them.
  • Implement network segmentation, so that an attacker can’t reach all the machines on your network from one compromised foothold.
  • Install and regularly update anti-malware software on all hosts and enable real-time detection. 
  • Install security updates for software, operating systems, and firmware as soon as they are released.
  • Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.  
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind. Do not give all users administrative privileges.
  • Disable unused remote access ports and monitor remote access logs for any unusual activity.  
  • Consider adding an email banner to emails received from outside your organization.  
  • Disable hyperlinks in received emails.
  • Use double authentication when logging into accounts or services.

We would like to add Brute Force Protection to that list. 


Besides the characteristics mentioned in this post, the FBI points to a sample YARA rule for Ranzy Locker, which can be found here.

 Stay safe, everyone! 


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.