Fortinet’s FortiGuard Labs analyzes the Rancoz ransomware in its Ransomware Roundup, detailing its Windows-focused encryption, ransom notes, wallpaper change, and potential links to related variants like Buddy ransomware. The report also notes limited victim spread across the U.S. and Canada and outlines Fortinet protections and recommended defense measures. #Rancoz #BuddyRansomware #TOR #Fortinet #FortiGuardLabs #RansomwareRoundup
Key points
- Rancoz ransomware targets Microsoft Windows and encrypts files on the compromised machine, demanding payment for decryption.
- It adds a “.rec_rans” file extension to encrypted files and leaves a ransom note labeled “HOW_TO_RECOVERY_FILES.txt.”
- Rancoz attempts to hinder recovery by deleting shadow copies with the command “/c vssadmin.exe Delete Shadows /All /Quiet.”
- The malware removes specific registry keys related to Terminal Server Client to possibly prevent remote recovery.
- The ransom note includes the attacker’s TOR data leak site URL and contact email, and the desktop wallpaper is replaced to draw attention.
- Victimology shows three victims across the U.S. and Canada; samples have been submitted to public scanners from several countries, suggesting limited distribution.
- Fortinet notes potentially related variants (e.g., Buddy ransomware) and lists Fortinet protections (AV signature W64/Generik.BPRI!tr.ransom) and FortiGuard/EDR coverage.
MITRE Techniques
- [T1486] Data Encrypted for Impact – Rancoz encrypts files on compromised machines and extorts money. ‘encrypts files on the compromised machine and demands ransom for file decryption.’
- [T1112] Modify Registry – The ransomware deletes specific registry keys to disrupt connections to remote servers. ‘deletes the registry “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default” while resetting the registry “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers”.’
- [T1490] Inhibit System Recovery – It deletes shadow copies to make recovery harder. ‘Delete Shadows /All /Quiet’ using vssadmin.exe.
- [T1083] File and Directory Discovery – Rancoz enumerates drives and targets files for encryption. ‘enumerates all local drives and encrypts files unless the attackers specify otherwise.’
- [T1041] Exfiltration – The reported modus operandi includes stealing information prior to or alongside encryption. ‘the Rancoz modus operandi is similar to other groups, which is to encrypt files on compromised machines, steal information, and extort money.’
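As an added example (not code from the Fortinet report), the script below maps constructed Sysmon-style host events to the Rancoz behaviours summarised in the key points and MITRE list above: the vssadmin shadow deletion, the Terminal Server Client key removal, the .rec_rans extension and the HOW_TO_RECOVERY_FILES.txt note. The event field names and the sample telemetry are assumptions made for the example.

```python
import re

# Constructed Sysmon-style telemetry for this example; not taken from the Fortinet report.
# "type" loosely mirrors Sysmon event classes: process create, registry, file create/rename.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "registry", "op": "DeleteKey",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Terminal Server Client\Default"},
    {"type": "registry", "op": "SetValue",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "file", "path": r"C:\Users\alice\Documents\budget.xlsx.rec_rans"},
    {"type": "file", "path": r"C:\Users\alice\Desktop\HOW_TO_RECOVERY_FILES.txt"},
    {"type": "process", "cmdline": "svchost.exe -k netsvcs -p"},
]

# Page-specific patterns: shadow copy deletion (T1490), Terminal Server Client key
# removal (T1112), and the .rec_rans extension / ransom note name (T1486).
VSSADMIN_RE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b.*?/all", re.I)
TSC_KEY_RE = re.compile(r"\\Software\\Microsoft\\Terminal Server Client\\(?:Default|Servers)$", re.I)
RANSOM_NOTE = "how_to_recovery_files.txt"
RANSOM_EXT = ".rec_rans"

def classify(event):
    """Map one event to (MITRE technique, reason), or None when it matches nothing."""
    kind = event.get("type")
    if kind == "process" and VSSADMIN_RE.search(event.get("cmdline", "")):
        return ("T1490", "vssadmin shadow copy deletion")
    if kind == "registry" and event.get("op") == "DeleteKey" and TSC_KEY_RE.search(event.get("target", "")):
        return ("T1112", "Terminal Server Client key deleted")
    if kind == "file":
        name = event.get("path", "").rsplit("\\", 1)[-1].lower()
        if name == RANSOM_NOTE:
            return ("T1486", "ransom note dropped")
        if name.endswith(RANSOM_EXT):
            return ("T1486", "file renamed with .rec_rans extension")
    return None

def scan(events):
    """Return every hit as (technique, reason, event) in telemetry order."""
    hits = []
    for ev in events:
        match = classify(ev)
        if match:
            hits.append((match[0], match[1], ev))
    return hits

def techniques_seen(events):
    """Distinct technique IDs observed; several on one host is a strong ransomware signal."""
    return sorted({tech for tech, _, _ in scan(events)})

if __name__ == "__main__":
    for tech, reason, ev in scan(SAMPLE_EVENTS):
        print(f"{tech}: {reason} <- {ev}")
    print("techniques:", techniques_seen(SAMPLE_EVENTS))
```

In a real pipeline the same `classify` logic would be fed from Sysmon event IDs 1, 12 and 11 rather than the inline list.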
Indicators of Compromise
- [SHA2] Rancoz-related sample – b95a4443bb8bff80d927ac551a9a5a5cfac3e3e03a5b5737c0e05c75f33ad61e – Rancoz ransomware
- [SHA2] Ransomware sample resembling Buddy – d5e632836622d52c91e4ef059e9124184fceaf85783278880797f788ce141588 – Buddy ransomware
- [SHA2] Related sample resembling Rancoz (different payload) – da0332ace0a9ccdc43de66556adb98947e64ebdf8b3289e2291016215d8c5b4c – Ransomware that resembles the Rancoz Ransomware
Read more: https://www.fortinet.com/blog/threat-research/ransomware-roundup-rancoz