Threat Update
The FBI has warned that over 30 US-based companies have been hit by the Ranzy Locker ransomware by July this year. The alert, which was issued alongside CISA, notes that most of the victims were compromised by brute force credential attacks. Barracuda MSP recommends deploying strong password policies and multi-factor authentication to keep user accounts safe from compromise, and Barracuda SKOUT Managed XDR offers use cases to detect this threat with its Network Security Monitoring solution.
Technical Detail & Additional Information
WHAT IS THE THREAT?
Threat actors are rapidly deploying Ranzy Locker ransomware to infect companies. Over 30 companies were hit with this ransomware strain by July. Ransomware has become a common tool for threat actors to earn money for encrypting assets. Groups will typically encrypt your data and hold your information at ransom in the popular business model ransomware-as-a-service (RaaS). This typical ransomware strain can be “rented” or “purchased” so that any group or individual who has the means to acquire it may be able to buy and deploy it.
WHY IS IT NOTEWORTHY?
This is especially noteworthy due to the method of compromise and the ease of use. Companies with strong password policies should not fall victim to brute force attacks, but many companies have been hit by this ransomware attack after successful brute force activity. Furthermore, anybody can purchase this ransomware and deploy it, which shows the ease of use of hacking tools and the need for companies to keep vigilant cybersecurity practices.
WHAT IS THE EXPOSURE OR RISK?
If an attack is successful, a company’s entire infrastructure and operations may be at risk. Attackers may hold the entire business at ransom, causing damage to both the company’s reputation and profits. It is extremely essential to protect your infrastructure and ensure threat actors could not gain arbitrary access to your systems.
WHAT ARE THE RECOMMENDATIONS?
Barracuda MSP recommends the following actions to limit the success of a brute force and/or ransomware attack:
- Deploy a strong password policy.
- Install a strong endpoint protection solution on your organization’s devices. SKOUT Endpoint Protection can detect and prevent ransomware attacks and keep your data safe.
- Implement regular backups of all data to be stored as air gapped, password protected copies offline. Ensure these copies are not accessible for modification or deletion from any system where the original data resides.
- Implement network segmentation, such that all machines on your network are not accessible from every other machine.
- Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
- Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind. Do not give all users administrative privileges.
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
- Consider adding an email banner to emails received from outside your organization. SKOUT offers INKY which implements this.
- Disable hyperlinks in received emails.
- Use double authentication when logging into accounts or services.
- Block the related IOCs offered by the FBI and CISA (referenced below)
As a final reminder, Barracuda SKOUT Managed XDR offers use cases to detect Ranzy Locker Ransomware through SKOUT Network Security Monitoring to prevent further damage.
REFERENCES
For more in-depth information about the recommendations, please visit the following links:
- https://www.tripwire.com/state-of-security/featured/fbi-warns-of-ranzy-locker-ransomware-threat-as-over-30-companies-hit/
- https://www.ic3.gov/Media/News/2021/211026.pdf
If you have any questions, please contact our Security Operations Center.
