{
	"id": "622e464a-5907-4365-a329-7cd0c051e444",
	"created_at": "2026-04-06T00:11:59.482178Z",
	"updated_at": "2026-04-10T03:20:51.421878Z",
	"deleted_at": null,
	"sha1_hash": "8c5db91382f77b59b0bce65b719a0f1e154ff8f4",
	"title": "A Detailed Walkthrough of Ranzy Locker Ransomware TTPs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1557886,
	"plain_text": "A Detailed Walkthrough of Ranzy Locker Ransomware TTPs\r\nBy Suleyman Ozarslan, PhD\r\nPublished: 2021-10-28 · Archived: 2026-04-05 15:52:06 UTC\r\nThe number of ransomware attacks increased dramatically in 2021. Since late 2020, the Ranzy Locker ransomware has been responsible for dozens of high-profile breaches. Ranzy is essentially a rebranded and improved version of the ThunderX ransomware: after a free decryption tool for ThunderX was released, the threat actors retooled and relaunched it as Ranzy Locker. Note that the Tor onion URL used by Ranzy is the same as the one previously used by the Ako ransomware, so Ranzy is also a successor of Ako.\r\nThe Ranzy threat actors run a Ransomware as a Service (RaaS) model and use the double extortion tactic: they exfiltrate critical data before encrypting files and then threaten to release the exfiltrated data to pressure the victim into paying the ransom.\r\nAccording to the FBI flash report, the Ranzy Locker ransomware gang had compromised over 30 businesses in the U.S. alone as of July 2021. Victims span sectors such as manufacturing, government, transportation, and IT.\r\nThis blog post presents the tactics, techniques, and procedures (TTPs) used by the Ranzy Locker threat actors, because detecting and blocking a threat's TTPs is the most effective way to prevent that threat. TTPs enable us to identify potential intrusions and analyze the behavior of threat actors.\r\nTactics, Techniques, and Procedures (TTPs) used by Ranzy Locker Ransomware\r\nThis section presents the malicious behaviors of the Ranzy Locker ransomware group. Our analysis uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT\u0026CK®) version 10 framework. See the ATT\u0026CK Matrix for Enterprise v10 for all referenced tactics and techniques.\r\n
1. Initial Access\r\nThe Initial Access tactic includes techniques used by attackers to gain an initial foothold within a network, such as exploiting vulnerabilities on public-facing web servers.\r\n1.1. ATT\u0026CK T1190 Exploit Public-Facing Application\r\nRanzy Locker operators leverage known Microsoft Exchange Server vulnerabilities to compromise target systems.\r\n1.2. ATT\u0026CK T1566 Phishing\r\nThe Ranzy Locker ransomware is also distributed via phishing campaigns.\r\n1.3. ATT\u0026CK T1078 Valid Accounts\r\nThe ransomware gang leverages valid accounts over Remote Desktop Protocol (RDP) to access target systems.\r\nhttps://www.picussecurity.com/resource/blog/a-detailed-walkthrough-of-ranzy-locker-ransomware-ttps\r\nPage 1 of 7\r\n2. Execution\r\nThis tactic includes techniques that result in adversary-controlled code running on a local or remote system. Execution cannot be separated from the other tactics; it is almost always paired with techniques from them.\r\n2.1. ATT\u0026CK T1106 Native API\r\nAdversaries can execute behaviors directly through the native OS application programming interface (API). The Ranzy Locker ransomware calls Windows APIs for a variety of operations, such as enumerating shared resources, as explained below.\r\n
3. Defense Evasion\r\nDefense evasion techniques are used by adversaries to avoid detection by security controls.\r\n3.1. ATT\u0026CK T1027 Obfuscated Files or Information\r\nThe Ranzy Locker ransomware uses Base64 encoding to obfuscate the configuration data embedded in its ransom note.\r\n3.2. ATT\u0026CK T1497 Virtualization/Sandbox Evasion\r\nAdversaries may use a variety of techniques to detect and avoid virtualization and analysis environments, including altering behavior in response to artifacts indicative of a virtual machine (VM) or sandbox. If the adversary detects such an environment, the malware may disengage from the victim or conceal its core functions. The Ranzy Locker binary calls the IsDebuggerPresent API to determine whether it is running under a user-mode debugger.\r\n4. Credential Access\r\n4.1. ATT\u0026CK T1110 Brute Force\r\nThe ransomware gang acquires valid accounts through brute force.\r\n
5. Discovery\r\nAdversaries use the techniques in the Discovery tactic to obtain information about the target environment, such as services, processes, network, files, software, system, accounts, domain, and registry.\r\n5.1. ATT\u0026CK T1083 File and Directory Discovery\r\nThe Ranzy Locker ransomware locates critical files to exfiltrate, such as customer data, personally identifiable information (PII) files, and financial records. It uses the GetLogicalDrives API call to enumerate all mounted drives, as the Ryuk ransomware also does.\r\n5.2. ATT\u0026CK T1135 Network Share Discovery\r\nRanzy uses the NetShareEnum API call to discover shared resources, such as SMB network shares, in order to encrypt the files stored on them. The Conti ransomware uses the same API call. Ranzy also sends ARP broadcast requests to look up network devices.\r\n5.3. ATT\u0026CK T1057 Process Discovery\r\nAdversaries gather information about running processes to understand the software and applications running on the system and shape follow-on behaviors. Ranzy uses Windows Native API calls to enumerate running processes.\r\n5.4. ATT\u0026CK T1120 Peripheral Device Discovery\r\nThe Ranzy Locker ransomware scans all drive letters so that attached USB drives are encrypted as well.\r\n5.5. ATT\u0026CK T1018 Remote System Discovery\r\nRanzy reads the hosts file (C:\\Windows\\System32\\drivers\\etc\\hosts) to discover hostname-to-IP-address mappings of remote systems.\r\n5.6. ATT\u0026CK T1082 System Information Discovery\r\nThe ransomware queries volume information to determine the disks present in the system.\r\n
6. Impact\r\nThe Impact tactic covers techniques that manipulate, interrupt, or destroy systems to disrupt availability, compromise integrity, or cover up a confidentiality breach.\r\n6.1. ATT\u0026CK T1490 Inhibit System Recovery\r\nRanzy Locker attacks use multiple procedures to inhibit system recovery:\r\nFirst, it runs wmic.exe, the command-line utility for Windows Management Instrumentation (WMI), against the SHADOWCOPY alias with the /nointeractive global switch, which suppresses WMIC's confirmation prompts so that shadow copy operations can proceed unattended:\r\nWMIC.exe SHADOWCOPY /nointeractive\r\nWbadmin is a built-in Windows tool for backing up and restoring the operating system, volumes, files, folders, and programs. Ranzy Locker uses wbadmin to delete system state backups with the following command:\r\nwbadmin DELETE SYSTEMSTATEBACKUP\r\nIt also uses a more specific form of this command to delete only the oldest system state backup:\r\nwbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest\r\nBCDEdit is a command-line tool for managing Boot Configuration Data (BCD) stores, which describe boot applications and their settings. Ranzy Locker runs bcdedit.exe twice to disable automatic Windows recovery features by modifying the boot configuration data with the following commands, which are also used by the REvil (Sodinokibi) and Nefilim ransomware families:\r\nbcdedit /set {default} recoveryenabled No\r\nbcdedit /set {default} bootstatuspolicy ignoreallfailures\r\nThe first command disables the Windows Recovery Environment for the default boot entry; the second tells the boot loader to ignore boot, shutdown, and checkpoint failures instead of launching recovery.\r\nvssadmin (Volume Shadow Copy Service Admin) is another native Windows tool that can display the current volume shadow copies and all installed shadow copy writers and providers. The Ranzy Locker ransomware abuses vssadmin.exe with the following command to delete all volume shadow copies on the system and prevent recovery, as REvil (Sodinokibi) also does:\r\nvssadmin.exe Delete Shadows /All /Quiet\r\n6.2. ATT\u0026CK T1486 Data Encrypted for Impact\r\nThreat actors may encrypt data on target systems, or on a large number of systems connected to a network, to disrupt the availability of system and network resources. They make stored data unusable by encrypting files on local and remote drives, which is the defining behavior of ransomware.\r\nRanzy uses the following encryption scheme:\r\nSalsa20 to encrypt files.\r\nRSA to encrypt the Salsa20 keys.\r\nSalsa20 is a stream cipher and is far faster than RSA for bulk data, so files are encrypted with Salsa20 while the Salsa20 keys are encrypted with the attackers' 2048-bit RSA public key. Only the holder of the corresponding private key can recover the file keys, which is what makes this hybrid scheme both fast and resistant to decryption without paying. The recent BlackMatter ransomware uses the same combination.\r\nUnfortunately, no public Ranzy Locker decryption tool exists as of this writing (October 2021).\r\nRanzy Locker drops a readme.txt ransom note (not reproduced in this text) explaining that the files were both encrypted and stolen. Ranzy is therefore double extortion ransomware, like DarkSide.\r\nThe Tor onion URL in the ransom note leads to a live chat where the victim receives detailed instructions for buying the decryption key.\r\n
How Picus Helps Simulate and Prevent the Ranzy Locker Ransomware\r\nWe strongly suggest simulating the Ranzy Locker ransomware to test the effectiveness of your security controls using the Picus Security Control Validation Platform. The Picus Threat Library includes the following threats for the Ranzy Locker ransomware.\r\nPicus ID  Threat Name\r\n252070    Ranzy Locker Ransomware .EXE File Download Variant-1\r\n845084    Ranzy Locker Ransomware .EXE File Download Variant-2\r\n772539    Ranzy Locker Ransomware .EXE File Download Variant-3\r\n700399    Ranzy Locker Ransomware .EXE File Download Variant-4\r\n445953    Ranzy Locker Ransomware .EXE File Download Variant-5\r\nRanzy Locker Ransomware IOCs (Indicators of Compromise)\r\nSHA256 Hashes\r\nade5d0fe2679fb8af652e14c40e099e0c1aaea950c25165cebb1550e33579a79\r\nbbf122cce1176b041648c4e772b230ec49ed11396270f54ad2c5956113caf7b7\r\nc4f72b292750e9332b1f1b9761d5aefc07301bc15edf31adeaf2e608000ec1c9\r\n393fd0768b24cd76ca653af3eba9bff93c6740a2669b30cf59f8a064c46437a2\r\n90691a36d1556ba7a77d0216f730d6cd9a9063e71626489094313c0afe85a939\r\nSource: https://www.picussecurity.com/resource/blog/a-detailed-walkthrough-of-ranzy-locker-ransomware-ttps",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.picussecurity.com/resource/blog/a-detailed-walkthrough-of-ranzy-locker-ransomware-ttps"
	],
	"report_names": [
		"a-detailed-walkthrough-of-ranzy-locker-ransomware-ttps"
	],
	"threat_actors": [],
	"ts_created_at": 1775434319,
	"ts_updated_at": 1775791251,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8c5db91382f77b59b0bce65b719a0f1e154ff8f4.pdf",
		"text": "https://archive.orkl.eu/8c5db91382f77b59b0bce65b719a0f1e154ff8f4.txt",
		"img": "https://archive.orkl.eu/8c5db91382f77b59b0bce65b719a0f1e154ff8f4.jpg"
	}
}
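The recovery-inhibition commands in section 6.1 of the archived post (wmic SHADOWCOPY /nointeractive, the two wbadmin DELETE SYSTEMSTATEBACKUP forms, the two bcdedit /set {default} changes, and vssadmin Delete Shadows /All /Quiet) are the most reliably detectable part of Ranzy Locker's playbook, because every one of them is a native binary invoked with a command line that legitimate administration almost never uses. The following is an added example, not code from the Picus post, the Picus platform, or the ransomware: a small Python detector that runs one rule per documented command over process-creation telemetry. The event shape (JSON lines carrying Sysmon Event ID 1 field names EventID, Image, ParentImage, CommandLine) and the sample events are constructed for this example. It matches on the normalized command line rather than the image name, so the same command launched through cmd.exe /c is still caught, while read-only invocations of the same binaries (vssadmin list shadows, bcdedit /enum, wbadmin get versions) do not fire.

```python
"""Detection logic for the Ranzy Locker recovery-inhibition commands (ATT&CK T1490).

Added example: this is not code from the Picus post, the Picus platform or the
ransomware. It runs one rule per command documented in the Impact section over
process-creation telemetry. The event shape (JSON lines carrying Sysmon Event ID 1
fields EventID, Image, ParentImage, CommandLine) and the sample events below are
constructed assumptions for this example.
"""
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    technique: str       # ATT&CK technique ID
    rule: str            # which documented procedure fired
    image: str
    parent_image: str    # triage context: what spawned the native binary
    command_line: str


# Patterns run over the lowercased, whitespace-collapsed command line so that
# case and spacing variants ("WMIC.exe  SHADOWCOPY", "Delete Shadows") still match.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("wbadmin_delete_systemstatebackup",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bsystemstatebackup\b")),
    ("wmic_shadowcopy_nointeractive",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*/nointeractive\b")),
    ("bcdedit_recoveryenabled_no",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b no\b")),
    ("bcdedit_bootstatuspolicy_ignoreallfailures",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b ignoreallfailures\b")),
]


def normalize(command_line: str) -> str:
    return " ".join(command_line.split()).lower()


def evaluate(image: str, command_line: str, parent_image: str = "") -> list:
    """Return one Finding per rule matching this process-creation event.

    Matching is on the command line, not the image, so the same command launched
    via cmd.exe /c or through a renamed copy of the binary is still caught.
    """
    norm = normalize(command_line)
    return [Finding("T1490", name, image, parent_image, command_line)
            for name, pattern in RULES if pattern.search(norm)]


def scan(jsonl: str) -> list:
    """Run the rules over JSON-lines process-creation events (Sysmon Event ID 1)."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("EventID") != 1:
            continue  # only process creation carries a command line of interest
        findings.extend(evaluate(event.get("Image", ""),
                                 event.get("CommandLine", ""),
                                 event.get("ParentImage", "")))
    return findings


# Constructed sample telemetry: the six commands from the write-up (vssadmin
# launched through cmd.exe /c), three benign read-only invocations of the same
# binaries that must not fire, and one network event that must be skipped.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "ParentImage": "C:\\Users\\Public\\ranzy.exe", "CommandLine": "WMIC.exe  SHADOWCOPY /nointeractive"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\wbadmin.exe", "ParentImage": "C:\\Users\\Public\\ranzy.exe", "CommandLine": "wbadmin DELETE SYSTEMSTATEBACKUP"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\wbadmin.exe", "ParentImage": "C:\\Users\\Public\\ranzy.exe", "CommandLine": "wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\bcdedit.exe", "ParentImage": "C:\\Users\\Public\\ranzy.exe", "CommandLine": "bcdedit /set {default} recoveryenabled No"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\bcdedit.exe", "ParentImage": "C:\\Users\\Public\\ranzy.exe", "CommandLine": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Users\\Public\\ranzy.exe", "CommandLine": "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "vssadmin list shadows"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\bcdedit.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "bcdedit /enum"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\wbadmin.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "wbadmin get versions"}
{"EventID": 3, "Image": "C:\\Users\\Public\\ranzy.exe", "CommandLine": ""}
"""


def demo() -> list:
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.technique} {f.rule:44} parent={f.parent_image}  cmd={f.command_line}")
```

Running the block prints six findings, one per documented command, and nothing for the three read-only invocations. In production, feed it the JSON-lines export of your process-creation telemetry and add a parent-process condition: these binaries being spawned from a user-writable path, as in the constructed events, is a far stronger signal than the command line alone and cuts the residual noise from legitimate backup administration.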