Rancoz is a rebranded ransomware variant that leverages leaked Vice Society code to tailor attacks for specific industries, organizations, or regions. It employs double extortion, real-time operation logging, and multi-thread encryption (ChaCha20-Poly and NTRUEncrypt) while using destructive commands to hinder recovery and pressure victims. Hashtags: #Rancoz #ViceSociety
Key points
- Rancoz variants are built from leaked code from Vice Society to customize campaigns by industry, organization, or region.
- The group uses double extortion, threatening to release stolen data on a leak site in addition to encryption.
- Rancoz operates with real-time logging in a command prompt window, suggesting manual activation after access.
- Command-line arguments (/f, /d, /s) control encryption; if the supplied arguments do not match the predefined ones, the malware falls back to a default path.
- Destructive actions include deleting Shadow Copies, removing RDP-related registry keys, and clearing event logs via ShellExecuteW.
- Encryption uses four worker threads with ChaCha20-Poly and NTRUEncrypt, excludes certain folders/extensions, renames files to .rec_rans, and drops a ransom note.
MITRE Techniques
- [T1059.003] Windows Command Shell – The ransomware starts by inspecting the command line arguments it receives to initiate its operation. “Upon execution, the malware starts a command prompt window and meticulously records all its actions, comprehensively reporting its behavior in real-time.”
- [T1082] System Information Discovery – “The main thread’s primary task is identifying and listing all available local and remote drives, including network shares on the compromised system.”
- [T1135] Network Share Discovery – “The main thread’s primary task is identifying and listing all available local and remote drives, including network shares on the compromised system.”
- [T1083] File and Directory Discovery – “Once the drives are identified, the main thread initiates the enumeration of directories and subdirectories to collect the file paths for encryption.”
- [T1070] Indicator Removal on Host – “Deleting ShadowCopy” / “Delete Shadow Copies to prevent system restoration.”
- [T1490] Inhibit System Recovery – The article applies the “Inhibit System Recovery” label to the Shadow Copy deletion, since its purpose is to prevent system restoration.
- [T1486] Data Encrypted for Impact – The ransomware uses multi-threaded encryption with ChaCha20-Poly and NTRUEncrypt to encrypt files. “Data encrypted for impact.”
Indicators of Compromise
- [SHA-256] Sample hash – b95a4443bb8bff80d927ac551a9a5a5cfac3e3e03a5b5737c0e05c75f33ad61e
- [SHA-1] Sample hash – 9fe3060e5cbe3a9ab6c3fb3dee40bd6cd385a6f6
- [MD5] Sample hash – 8d9f3e223f8d5e350b87dc0908fee0a5
- [File Name] Ransom note – HOW_TO_RECOVERY_FILES.txt
- [File Extension] Encrypted file extension – .rec_rans
- [File Path] Desktop background image path used for wallpaper change – C:\Users\Public\noise.bmp
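As an added example (not from the original article), the indicators above folded into a small matcher that a SOC analyst could run over file telemetry: it flags the sample hashes, the .rec_rans extension, the ransom note name and the wallpaper path. The event schema (dicts with a `path` and optional `sha256`/`sha1`/`md5` keys) and the sample events are constructed for this example.

```python
# Indicators of compromise taken from the Rancoz summary above; the event
# schema and SAMPLE_EVENTS below are constructed for this example.
RANCOZ_HASHES = {
    "sha256": {"b95a4443bb8bff80d927ac551a9a5a5cfac3e3e03a5b5737c0e05c75f33ad61e"},
    "sha1": {"9fe3060e5cbe3a9ab6c3fb3dee40bd6cd385a6f6"},
    "md5": {"8d9f3e223f8d5e350b87dc0908fee0a5"},
}
RANSOM_NOTE = "how_to_recovery_files.txt"      # compared case-insensitively
ENCRYPTED_EXT = ".rec_rans"
WALLPAPER_PATH = r"c:\users\public\noise.bmp"  # compared case-insensitively


def _basename(path: str) -> str:
    """Last path component, lower-cased, accepting either slash style."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def match_event(event: dict) -> list[str]:
    """Return the indicator labels one file event matches (empty list if none)."""
    hits = []
    path = event.get("path", "")
    name = _basename(path)
    if name.endswith(ENCRYPTED_EXT):
        hits.append("encrypted_extension")
    if name == RANSOM_NOTE:
        hits.append("ransom_note")
    if path.replace("/", "\\").lower() == WALLPAPER_PATH:
        hits.append("wallpaper_image")
    # Hashes are normalised to lower case before lookup so mixed-case telemetry still matches.
    for algo, known in RANCOZ_HASHES.items():
        digest = event.get(algo)
        if digest and digest.lower() in known:
            hits.append(f"{algo}_match")
    return hits


def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map each event path to its matched indicators, keeping only events with a hit."""
    return {e["path"]: hits for e in events if (hits := match_event(e))}


# Constructed sample telemetry: a dropped binary, an encrypted file, a ransom
# note, the wallpaper image, and one benign file that must not match.
SAMPLE_EVENTS = [
    {"path": r"C:\Users\Public\update.exe",
     "sha256": "B95A4443BB8BFF80D927AC551A9A5A5CFAC3E3E03A5B5737C0E05C75F33AD61E"},
    {"path": r"D:\finance\q1_report.xlsx.rec_rans"},
    {"path": r"D:\finance\HOW_TO_RECOVERY_FILES.txt"},
    {"path": "C:/Users/Public/noise.bmp"},
    {"path": r"C:\Windows\System32\notepad.exe", "md5": "00000000000000000000000000000000"},
]
```

Running `scan(SAMPLE_EVENTS)` returns the four matching paths with their indicator labels and leaves the benign file out.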
Read more: https://blog.cyble.com/2023/05/11/dissecting-rancoz-ransomware/