Ransomware Roundup – Rancoz | FortiGuard Labs

On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.

This latest edition of the Ransomware Roundup covers the Rancoz ransomware.

Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts files on the compromised machine and demands ransom for file decryption
Severity level: High

Rancoz Ransomware

Overview

It’s only been a few months since the Rancoz ransomware first came to the public’s attention. However, it’s important to raise awareness of this ransomware variant, as the most recent victim on their data leak site on TOR dates back just a few weeks to mid-June.

The first recorded Rancoz victim, according to their TOR site, occurred in November of 2022. The Rancoz modus operandi is similar to other groups, which is to encrypt files on compromised machines, steal information, and extort money from victims.

Infection Vector

Information on the infection vector used by the Rancoz ransomware threat actor is not currently available. However, it is not likely to differ significantly from other ransomware groups.

At the time of this research, there is no indication that Rancoz is widespread.

Ransomware Execution

Once executed, Rancoz ransomware enumerates all local drives and encrypts files unless the attackers specify otherwise. It adds a “.rec_rans” extension to the files it encrypts and leaves a ransom note labeled “HOW_TO_RECOVERY_FILES.txt” [sic]. Furthermore, the ransomware deletes shadow copies by running the command “/c vssadmin.exe Delete Shadows /All /Quiet”, which makes file recovery difficult. It then deletes the registry “HKEY_CURRENT_USERSoftwareMicrosoftTerminal Server ClientDefault” while resetting the registry “HKEY_CURRENT_USERSoftwareMicrosoftTerminal Server ClientServers”. Removal of those registry keys may prevent victims from being able to connect to remote servers for file recovery.

The ransom note contains the URL of the Rancoz data leak site and the attacker’s contact email address.

The ransomware also replaces the desktop wallpaper, prompting victims to read the ransom note.

Victimology

At the time of our investigation, the Rancoz ransomware group had three victims in different industries listed on their date leak site. Two victims are in the U.S., and the other is in Canada. As seen in the below screenshot, the threat actor stole a significant amount of information and exposed that data to the public.

Note that some ransomware groups remove company listings from data leak sites after the ransom is paid. Therefore, it is possible that there may be additional victims of the Rancoz ransomware.

While submission locations are not a strong indicator of infection, the Rancoz ransomware samples have been submitted to a public file scanning service from the United States, India, France, and Lithuania. What’s more interesting is that these submissions were made from early May to late June, which may indicate that the threat actor is still distributing the same Rancoz ransomware sample.

Potentially Related Ransomware

Based on the Rancoz samples, FortiGuard Labs has determined that the Buddy ransomware (SHA2: d5e632836622d52c91e4ef059e9124184fceaf85783278880797f788ce141588) may be related to the same attacker or malware developer.

Both samples were compiled on the same date and time, “2023-02-19 09:01:20 UTC”. And while this ransomware variant adds a different file extension, “.buddyransome”, to the files it encrypts, it drops a ransom note with the same name (and grammatical error) as the Rancoz ransomware.

d5e632836622d52c91e4ef059e9124184fceaf85783278880797f788ce141588 also replaces the desktop wallpaper, like the Rancoz ransomware. And while the contents are different, the opening sentence is the same.

We also located another ransomware sample (SHA2: da0332ace0a9ccdc43de66556adb98947e64ebdf8b3289e2291016215d8c5b4c) that may be related to the same attacker.

The ransomware dropped by this sample is very similar to that of Rancoz. One significant difference is that the Rancoz ransom note links to a TOR site while the other does not. They also use different contact email addresses.

However, the notes are very similar, and it also replaces the desktop wallpaper like Ramcoz and Buddy ransomware.

These similarities aren’t too surprising. Many ransomware variants are built on top of existing ransomware code. Recent reports indicate several custom variants based on Vice Society ransomware have also been discovered in the field. This trend, combined with common compilation dates and other similarities, supports our theory that the same developer likely created Rancoz and the other ransomware variants covered in this blog.

Fortinet Protections

Fortinet customers are already protected from this malware variant through AntiVirus, and FortiEDR services, as follows:

FortiGuard Labs detects known Rancoz ransomware variants with the following AV signatures:

• W64/Generik.BPRI!tr.ransom

The other ransomware covered in this blog are also detected as W64/Generik.BPRI!tr.ransom.

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Fortinet EPP customers running current AntiVirus updates are also protected.

IOCs

File-based IOCs:

FortiGuard Labs Guidance

Due to the ease of disruption, damage to daily operations, potential impact to an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.

Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

Our FREE NSE training: NSE 1 – Information Security Awareness includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks and can be easily added to internal training programs.

Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.

As part of the industry’s leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.

Best Practices Include Not Paying a Ransom

Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because the payment does not guarantee that files will be recovered. According to a U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).

How Fortinet Can Help

FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. And our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard AI-powered security services portfolio.