{
	"id": "ec0f5a5c-ba82-4422-978f-6db2409a347d",
	"created_at": "2026-04-06T00:21:52.165618Z",
	"updated_at": "2026-04-10T03:21:56.779269Z",
	"deleted_at": null,
	"sha1_hash": "f782602e3c7acdd11d26308e1b593795fd134fd0",
	"title": "Ranion Ransomware - Quiet and Persistent RaaS | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1163106,
	"plain_text": "Ranion Ransomware - Quiet and Persistent RaaS | FortiGuard\r\nLabs\r\nPublished: 2021-09-30 · Archived: 2026-04-05 17:17:47 UTC\r\nFortiGuard Labs Threat Research Report\r\nMany thanks to Val Saengphaibul who contributed to this blog.\r\nAffected platforms: Microsoft Windows\r\nImpacted parties: Windows Users\r\nImpact: Encrypts files on the compromised machines and demands ransom from the victim to recover the\r\nencrypted files.\r\nSeverity level: High\r\nRanion is a Ransom-as-a-Service (RaaS) that has enjoyed unusual longevity as it has been active since at least\r\nFebruary 2017. While its activities and purpose—encrypting files on compromised machines and receiving\r\nransom payment from the user to recover their files—may seem the same as other ransomware in the public’s\r\neyes, the truth is that the inner workings of Ranion RaaS are unlike other ransomware.\r\nIn this blog, FortiGuard Labs will explain how Ranion RaaS works.\r\nThe opening lines of The Tale of Heike, a martial epic about the civil war between the Taira and Minamoto clans\r\nin 12th-century Japan, help describe the rise and fall of various ransomware groups in 2021. \r\n“The Jetavana Temple bells\r\nring the passing of all things.\r\nTwinned sala trees, white in full flower,\r\ndeclare the great man's certain fall.\r\nThe arrogant do not long endure:\r\nThey are like a dream one night in spring.\r\nThe bold and brave perish in the end:\r\nThey are as dust before the wind.”\r\n― Royall Tyler, The Tale of the Heike\r\nRansomware Operations are Short-Lived\r\nFor those of us monitoring cybercriminal organizations and malware, ransomware often has a very short shelf life.\r\nSome of the most notable ransomware movements in 2021 include:\r\nDisappearance:\r\nThe REvil (aka Sodinokibi) gang that had been active since 2019 went dark in June. 
\r\nhttps://www.fortinet.com/blog/threat-research/ranion-ransomware-quiet-and-persistent-raas\r\nPage 1 of 15\n\nThe Avaddon ransomware group halted its operations in June. It had begun its operations in 2019.\r\nThe Ragnarok ransomware gang, in operation since 2019, shut itself down in August and released its\r\ndecryption key.\r\nDarkside first appeared in 2020 and closed in May after compromising a major US pipeline company.\r\nFonixCrypter ransomware gave up its criminal life in January and released a decryption tool and its master\r\ndecryption key. The master decryption key can decrypt all files, regardless of the victim, that had\r\npreviously been encrypted by FonixCrypter.\r\nDebut and Rebranding:\r\nAds for Blackmatter ransomware went up on cyber underground forums in July. While Blackmatter is not a\r\nrebrand of another ransomware, affiliation with the Darkside gang is rumored.\r\nHaron ransomware debuted in July and is based on Thanos and Abaddon ransomware.\r\nDoppelPaymer ransomware was rebranded as Grief (PayOrGrief).\r\nSynAck ransomware was rebranded as El_Cometa in August.\r\nFigure 1. Active Period for ransomware that halted/started operation in 2021\r\nThe average life span of the ransomware listed above, that either disappeared or rebranded itself in 2021, is a bit\r\nless than two years. Reasons for halting operations vary from one ransomware group to another, but they usually\r\ndo so to escape the unwanted attention of law enforcement and security researchers.\r\nRanion Still Going Four Years Later\r\nThe Ranion ransomware variant that FortiGuard Labs recently came across bucks that trend. The Ranion\r\nransomware family appears to have been around since at least early 2017, giving it more than four years of\r\nlongevity. In February of that year, Daniel Smith at Radware Security shed the first light on the Ranion\r\nransomware, describing it as Ransomware-as-a-service. 
Surprisingly, its website on the Dark Web has remained\r\nrelatively unchanged: the Ranion developer still maintains its claim that Ranion was created for educational\r\npurposes and asks users not to use the ransomware for illegal activities. \r\nThe latest version of Ranion, version 1.21, was released in July 2021. Amazingly, the Ranion developer has\r\nupdated the ransomware every month in 2021 (except for May), including updates for detection evasion, which\r\ncasts doubt on the claim that the ransomware is for educational purposes. Another interesting data point is that\r\nversion 1.08 was already available by January 2018 and was only updated seven times over a 35-month period\r\n(January 2018 – December 2020). However, it has seen rapid acceleration in its development in 2021, with six\r\nupdates over a seven-month period for unknown reasons. Each update made in 2021 contains additional code\r\nusing an open-source program named ConfuserEx to evade detection and protect the security vendors’ identities.\r\nWe will touch on this part later.\r\nRanion RaaS Explained\r\nFigure 2. 
Top of the Ranion ransomware web page on the dark web\r\nThe latest version of Ranion ransomware is designed to encrypt files on a compromised machine using the\r\nfollowing 44 file extensions, an increase of five new file types over previous analyses (newly added extensions are\r\nhighlighted in orange):\r\n.wallet, .txt, .rtf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .ods, .pdf, .jpg, .jpeg, .png, .gif, .bmp, .csv, .sql, .mdb, .db,\r\n.accdb, .sln, .php, .jsp, .asp, .aspx, .html, .htm, .xml, .psd, .cs, .java, .cpp, .cc, .cxx, .zip, .rar, .pst, .ost, .eml, .pab,\r\n.oab, .msg\r\nAlthough the ransomware is not designed to encrypt executable files, the Ranion developers state that users “can\r\nrequest other additional file types/extensions to encrypt for free as any files can be a target of Ranion\r\nransomware.”\r\nHow Ranion Makes Money\r\nOriginally, back in 2017, Ranion offered users two support packages (a 1-year and a 6-month service). 
Today, the\r\nRanion team offers four support packages: Elite, Premium, Standard, and Test.\r\nFeature | Elite | Premium | Standard | Test\r\n32-bit Ranion Ransomware | 〇 | 〇 | 〇 | 〇\r\n64-bit Ranion Ransomware | 〇 | 〇 | 〇 | 〇\r\nDecrypter | 〇 | 〇 | 〇 | 〇\r\nSubscription Duration (months) | 12 | 12 | 6 | 1\r\nReward Percentage | N/A | N/A | N/A | N/A\r\nRansomware Features\r\nDelayed Start | 〇 | 〇 | 〇 | 〇\r\nDelayed Encryption | 〇 | 〇 | 〇 | 〇\r\nTask Manager | 〇 | 〇 | 〇 | 〇\r\nRegistry Editor Disabler | 〇 | 〇 | 〇 | 〇\r\nUAC Bypass | 〇 | 〇 | 〇 | 〇\r\nDesktop Wallpaper Change | 〇 | 〇 | 〇 | 〇\r\nIP Tracking | 〇 | 〇 | 〇 | 〇\r\nOffline Encryption | 〇 | 〇 | 〇 | N/A\r\nSupport | 〇 | 〇 | 〇 | N/A\r\nReal-Time Client Manager | 〇 | 〇 | 〇 | N/A\r\nAdd-On: Dropper (+90 USD) | 〇 | AUP[1] | AUP | N/A\r\nAdd-On: Clone (+90 USD) | 〇 | AUP | AUP | N/A\r\nAdd-On: FUD+ (+300 USD) | 〇 | AUP | AUP | AUP\r\nAdd-On: Unkillable Process (+90 USD) | 〇 | AUP | AUP | N/A\r\nPrice (USD) | 1900 | 900 | 490 | 120\r\nFigure 3: Ranion ransomware packages and prices \r\nPreviously, the most expensive package was offered for 0.95 bitcoin and the cheapest for 0.60 bitcoin. In February\r\n2017, one bitcoin was worth about 1,200 US dollars, which means these packages sold for around 1,140 USD and\r\n720 USD, respectively. As of September 2021, one bitcoin exchanged for around 50,000 USD, so Ranion\r\ndevelopers have adjusted their prices, and they also now offer discounts for easy-to-buy add-on options. \r\nRanion’s business model is quite different from other RaaS vendors. Typically, Ransomware-as-a-Service vendors\r\npay out 60%-80% of any ransoms collected to their “affiliates” that have successfully installed their ransomware\r\nonto a victim’s machine. The Ranion developers do not take a middleman’s cut. Instead, their affiliates pay for the\r\nRaaS service upfront, and they then receive 100% of any ransoms collected. 
And while some RaaS vendors try to\r\nrecruit experienced affiliates, and often screen potential affiliates before allowing them to sign up for the service,\r\nRanion developers do not. This is one of the reasons why many inexperienced affiliates start with Ranion. It\r\nallows them to get used to the ransom operation. It is also a choice for affiliates who were unable to pass the\r\nscreening process imposed by other ransomware gangs, thereby lowering the bar for entry.\r\nTo see how well this model works, we tracked some Bitcoin wallets used by one of the older Ranion samples for\r\nransom payment. Two moderate payments, worth about $153 and $460 USD in Bitcoin, were made to the\r\nwallet within a week of the Ranion sample being made available. But a Bitcoin wallet used by Ranion has\r\nrecorded transactions from two other Bitcoin wallets. About $4.7 million USD worth of Bitcoin was transferred to\r\none of those wallets from over 300 different Bitcoin wallets.\r\nDropper Add-On\r\nAnother notable characteristic of Ranion is that it provides an opportunity for buyers to purchase a dropper add-on. At first glance, a “dropper” may sound like a malware add-on that Ranion affiliates can use to deliver\r\nransomware, but it’s not. According to an FAQ posted on the purchase site, the add-on dropper has the following\r\ndescription: “RANION can download a program of yours (exe file) and execute it after encryption process\r\nended.” \r\nFor example, an attacker might use this add-on to silently download and install a remote access tool “RAT” on a\r\nvictim’s machine infected with Ranion. Even if the victim opts to pay ransom, the Ranion decrypter only decrypts\r\nthe encrypted files but does not remove the RAT. 
The Ranion affiliate can then turn to other RaaS services that are\r\nwilling to purchase existing corporate access (recent Lockbit 2.0 and Blackmatter RaaS quickly come to mind)\r\nand sell that compromised victim for additional profit. This scheme can surely be “educational,” but it’s only good\r\nfor ransomware affiliates.\r\n[1] AUP is available for purchase\r\nFigure 4: FAQ on paid “Dropper” add-on.\r\nFigure 5: Sample of Ranion’s C\u0026C dashboard\r\nThe Ranion Ransomware Delivery Method\r\nThe Ranion ransomware’s delivery method recently observed by FortiGuard Labs is very straightforward. It was\r\ndone through a spearphishing email with a zip file attachment that included the Ranion ransomware executable.\r\nAs Ranion is more suited for beginner threat actors, the lack of sophistication in their ransomware delivery might\r\nbe a reason why Ranion has not gained household status in the ransomware realm. This may also be why they\r\nhave managed to stay under the radar for more than four years.\r\nFigure 6: Recent spearphishing emails (in Spanish and French) used to deliver the Ranion ransomware\r\nRanion’s ransom message supports eight languages by default (English, Russian, German, French, Spanish,\r\nItalian, Dutch, and Persian). Any regions in which those languages are primarily used can be a target of Ranion.\r\nRanion Ransomware Origin: HiddenTear Copycat?\r\nRanion bases its code on the open-source proof-of-concept ransomware known as HiddenTear. There are some\r\ncode similarities between the two projects. \r\nFigure 7: HiddenTear AES encryption\r\nThe above screenshot is from HiddenTear’s implementation of an encryption function. It can be found\r\nat https://github.com/goliate/hidden-tear/blob/master/hidden-tear/hidden-tear/Form1.cs. 
For comparison,\r\nRanion’s implementation is below: \r\nFigure 8: Ranion AES encryption\r\nTo encrypt files, HiddenTear uses this function. \r\nFigure 9: HiddenTear file encryption\r\nRanion implements its encryption in a similar fashion. \r\nFigure 10: Ranion file encryption\r\nThese are just two examples. Overall programming resemblance can be seen in a variety of places. In\r\naddition, Ranion kept their resource section similar to HiddenTear’s as well. \r\nFigure 11: Ranion resource\r\nNOTE: This Ranion variant is from 2017 and has a SHA256 hash value\r\nof eed03a9564aee24a68b2cade89d7fbe9929e95751a9fde4539c7896fda6bdcb5\r\nTo Be FFFFUUUUDDDD \r\nTo be fully undetectable, the Ranion team has consistently relied on the ConfuserEx project, which is the\r\nsuccessor of the now defunct Confuser project. It is a free and open-source obfuscator that makes malware harder\r\nto analyze by “protecting” .NET applications through symbol renaming, anti-debugging, encryption, compression,\r\nand other functions. (For more info, please see the ConfuserEx GitHub project page.)\r\nThe 2017 Ranion variant analyzed below was “protected” by the Confuser project. \r\nFigure 12: 2017 Ranion using Confuser\r\nThe following 2021 variant of Ranion was “protected” using the ConfuserEx project. \r\nFigure 13: 2021 Ranion using ConfuserEx\r\nWhile ConfuserEx is able to do what it says, which is “protect” .NET applications, in this case it is protecting\r\nmalware from being detected by the AV industry via evasion techniques. 
\r\nConclusion - Ranion Ransomware\r\nHiddenTear-based Ranion is a low-profile, low-cost RaaS that has not achieved the same success as other, more\r\nnotorious ransomware gangs. However, this ransom service provides enough basic features for new threat actors\r\nto use it as a stepping stone for working with more sophisticated malicious services. Ranion is only “educational”\r\nin that it helps train wannabe cyber criminals to inflict the same damage as other ransomware variants that have\r\nsimply adopted more polished and sophisticated delivery and propagation mechanisms.\r\nFortinet Protections\r\nFortinet customers are already protected from this malware by FortiGuard’s AntiVirus and FortiEDR services, as\r\nfollows:\r\nMSIL/Kryptik.LMX!tr\r\nMSIL/Agent.AZG!tr\r\nMSIL/Agent.BJU!tr\r\nMSIL/Bladabindi.FM!tr\r\nMSIL/Filecoder.FU!tr\r\nMSIL/GenKryptik.BLYY!tr\r\nMSIL/GenKryptik.FEWS!tr\r\nW32/Crypmodadv.A!tr\r\nW32/DOTHETUK.FU!tr.ransom\r\nW32/Hesv.BXFI!tr\r\nIndicators of Compromise (IOCs):\r\nSHA2:\r\n52f6e8c0c28f802d8dfd9138bcc971d449d0526469a36541359b6fc31d44d7dc\r\nd63f032180d6cbc3165f79dac13f81e69f3176b06f0ff4b162b167e4f45f5e93\r\nf687c51ee4889c6a35536d06c87b0123d17a483f7e2f5efcfb423fba94e186be\r\nf18044a85ceb3c472ae57e3473e2f14f945f22a9df634caa242b11e5f81c561b\r\ne4c42969a0327ce133b8b6dd52b0f2e926fbc43a48cf2abbd78d521e310b00e4\r\n41ad23008aea13bccf60249c24ee290e9867223d783bc9ddc4234b8e1d21008d\r\nd894cfa1f2e55ea8fb61598d1312d92c6c1667f97ec683dfa5b5350b32402099\r\n2a8f7abaa6b896bdcc8f73a78af89274df5ee5f586edb88a0b4fd0b06cbaf6bd\r\n19b2da9261d163d3a8e25916b0c960bae36d4334172faa2eb7f720c7483f0fb1\r\n434bbb0e4f289944e6c1fafc11e7f3353056857fb90abafd17e2c6ec697d94b3\r\nbbe77c293bf11c5e8d26ff1583cf546a346de5d666e5558b17f056f1117ddaf8\r\nhttps://www.fortinet.com/blog/threat-research/ranion-ransomware-quiet-and-persistent-raas\r\nPage 12 of 
15\n\n7afbb979ac6485cbe4d21955dd0f4444d67d2b99aa3d420c09bcc7d54949ed7c\r\nac5e6f8e646311bf3645ccdccf7119712ada6811d973444d3a763d17083ef028\r\n2ab7ba4aa579ffda113b3f1a693cb2f6b45c5adb833301762d623089f5e37694\r\n4ad4aabd3ec941e6eb442aadae23e01539f63c093582ebf9239681fe399c7571\r\ne28afea1a286b27c9f4578cb27729e180dd20f406282e489328e11722b37af73\r\n8a4298a5c2101baf0315a2c5ed297a6b9912c673a200a7082fb96fcaa21a7316\r\n798a618bf3b817751de722bc84475d5dca798fb48e844804d530e34e920fad09\r\nbd82bb30089383547fcc1ab8181c957f770a99c1499db211fa3245135fcce2be\r\neba37b0cef846c16bca30804557d7dae57b16cda506a111e2e4c6f7ef54cab70\r\n507cc65037febbad93cd5a4c10d1e870f4f73069484bd7913349deb139c18ea2\r\nb93a45691e955d4600dde6219125f0a38b0544ad48872bc4ebda5436cf2c0bc0\r\nabf13688180d505d07b04a6643941a571de1efd97b46631abfafd555863ec33e\r\n0f2bbf749501297928efbd4a12d8a1858c7944516e8b15817988a429eae4e632\r\na9671f6455895b1e0875eec277015672ea816dc5299cfd519db2dc4bc38ce693\r\n0a59c6b2ec5dbaa7e36b52dc494d1e58e918f32695cfb28104a5c82b09a9554f\r\nca7aaa3de1948dc882d55d40a0269a145e34f1e07b2b1e932040863e6d1dedb8\r\n27cb1df4a3092c42ddfd93db50cc78813a823a881e6d131410915d0ded6515c4\r\n46b9c46520f00b25924cc0a137393f67a0f4395da8cdc37b32985b90d7285252\r\n46462ba2ac8018901239800f1c4562a31618b1565fe559ab826feef303adab8d\r\ndf7c5267c9e61d7b23a3a771623c6b274fb601023725a8af1b8bc25ae8bcbdb6\r\n0085d31140895d16a2f92a77b62fb50db0d05fa47b447e21bca062532b5bf0d2\r\n780a576b7ea69b46eb8a698aac0c6ee6e2e426fddcd7a99b749f5aa083e8f72b\r\n94968c73dacfd68500ca59905e410ca4ccafe92cd8e223ed47ad916ee82a6dfb\r\nc18c9cf30056d9ebfda69bb9869a38b5ab2d2e3d388a747d7ec8516e022aa7e9\r\n19d9ec2713d913d5325a72ce646351a2384d86efd5dcecebb354ef2bc9e801a2\r\nc38e068677903ccd9b117bacaa3b201616668e449856f8d14894f9acf3f6e9cc\r\nhttps://www.fortinet.com/blog/threat-research/ranion-ransomware-quiet-and-persistent-raas\r\nPage 13 of 
15\n\n378b34a3e1f760dc7d6c5ff742c543a0184a255c7c3422e348eab05dca1377f9\r\ne9352eb25a1ef3fc8d88fd62a4253d4b8db3931366f012e9ee7916818f74ad55\r\nf7b6ac95cbf4f4122c67e3f841de1152cb032e36d768cd71618cbaf95f131727\r\ndf16d6b57a0290b8d7276285020cf6cf5e7c4a561516500fd44e862ea32c1073\r\ndbd00dffb77998d4b0c9946e727279831f19e5d58059b0de353cb191f6c3ca00\r\n1bbc33db0c52d5c3f2798f726bb476cf20d00eeae971e98926bbfbf194e7e03c\r\n98f16b75d1c9e3c8914b10de4b6286397285d226785b42766847b35558ee0dc7\r\n86c6a8c1cd461dafdc30ce37eca355f096ff35ccd48b4de3f2f3bd56d0cef543\r\nc5234f098cf2319c813e8025e0ea04b4f45de4ad195b64ba80fe9a098de54431\r\n0361585476c9e04cbe9efac74fe76e32d84e2e682ac4a8e5f67860a719e7b6d0\r\n1fdaae6a5b1d69d795a07b5518568964dc53e181b22ad2427e7f10c60d61241b\r\n4824c68f18089c44af8426b9a2d7960f5caa572777a46b3a172093b321acbf1d\r\need03a9564aee24a68b2cade89d7fbe9929e95751a9fde4539c7896fda6bdcb5\r\n023b12665ff5c46331ece74d220c52a28439ada61210183bbd921e1ef833645c\r\naa9bbffae11e2a2af53acbb56129d99cb93c78c98202f5c19b095f9ed296a2ce\r\nea00fffa874669e743d125fcdb55ba591a54d469c621eada61f304495269a35c\r\nf389a83b1309ff17c9c0faf1d9e079ceae3b4111c6813ad50bd451a9a19b291b\r\n33d24a576f00847d44315c1d6d588a3aa45031dec2b1590bc67bc6800e455cf6\r\nMITRE ATT\u0026CK information\r\nExecution\r\n  - T1204.002: Malicious File\r\nPersistence\r\n  - T1547.001: Registry Run Keys/Startup Folder\r\nPrivilege Escalation\r\n  - T1548.002: Bypass User Account Control\r\nDefense Evasion\r\n  - T1027.002: Software Packing\r\n  - T1548.002: Bypass User Account Control\r\n  - T1562.001: Disable or Modify Tools\r\nDiscovery\r\n  - T1083: File and Directory Discovery\r\nImpact\r\n  - T1486: Data Encrypted for Impact\r\n  - T1491.001: Internal Defacement\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence 
organization and the FortiGuard\r\nSecurity Subscriptions and Services portfolio.\r\nLearn more about Fortinet’s free cybersecurity training, an initiative of Fortinet’s Training Advancement Agenda\r\n(TAA), or about the Fortinet Network Security Expert program, Security Academy program, and Veterans\r\nprogram. Learn more about FortiGuard Labs global threat intelligence and research and the FortiGuard Security\r\nSubscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/ranion-ransomware-quiet-and-persistent-raas",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/ranion-ransomware-quiet-and-persistent-raas"
	],
	"report_names": [
		"ranion-ransomware-quiet-and-persistent-raas"
	],
	"threat_actors": [],
	"ts_created_at": 1775434912,
	"ts_updated_at": 1775791316,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f782602e3c7acdd11d26308e1b593795fd134fd0.pdf",
		"text": "https://archive.orkl.eu/f782602e3c7acdd11d26308e1b593795fd134fd0.txt",
		"img": "https://archive.orkl.eu/f782602e3c7acdd11d26308e1b593795fd134fd0.jpg"
	}
}