FBI FLASH: Indicators of Compromise Associated with the Ranzy Locker Ransomware

The FBI has published a TLP:WHITE FLASH providing indicators of compromise associated with the Ranzy Locker ransomware. The FLASH indicates that Ranzy Locker ransomware, which was first detected in late 2020, has targeted more than 30 U.S. organizations, including critical infrastructure entities. Past incidents indicate the threat actors conducted brute force attacks targeting Remote Desktop Protocol (RDP) credentials to gain access to the victims’ networks. The actors also utilized Microsoft Exchange Server vulnerabilities and phishing to compromise a victim’s network. The FLASH includes further technical details regarding this activity, including indicators of compromise, and lists recommended mitigations. It also encourages partners to report suspicious or criminal activity to their local FBI field office or the FBI’s 24/7 CyberWatch (CyWatch) at (855)292-3937 or Cy*****@*bi.gov.