Rancoz attacks DDB Unlimited

Incident Date: September 3, 2023

Overview

Title: Rancoz attacks DDB Unlimited
Victim: DDB Unlimited
Attacker: Rancoz
Location: Pauls Valley, Oklahoma, USA
First Reported: September 3, 2023

Rancoz Ransomware Targets DDB Unlimited

The Rancoz ransomware gang has attacked DDB Unlimited. DDB Unlimited is a company that specializes in manufacturing and providing enclosures, cabinets, and racks for the telecommunications and other industries. The company is known for its high-quality outdoor and indoor enclosure solutions designed to protect sensitive and critical equipment from environmental factors such as weather, dust, and vandalism. Rancoz posted DDB Unlimited to its data leak site on September 3rd but provided no further details.

Rancoz Ransomware Overview

The Rancoz ransomware was first observed in the wild in May 2023. The group practises multi-extortion: in addition to encrypting files, it maintains a TOR-based leak site that lists victims who have not paid, together with data taken from them. Attack campaigns attributed to Rancoz have been identified across multiple industries and geographic regions.

Some code similarities exist between Rancoz payloads and custom-branded ransomware strains previously attributed to the Vice Society. However, it's important to note that there is currently no concrete evidence linking Rancoz to any specific group or actor. Visual resemblances can also be observed between Rancoz's data leak site (DLS) and other known groups, as well as in the formatting, structure, and generation of ransom notes. These similarities, however, are superficial and do not necessarily indicate a direct relationship between Rancoz and other threat actor families.

How Rancoz Operates

Upon activation, Rancoz ransomware enumerates all local drives and attempts to encrypt eligible file types. The operator can pass command-line parameters to restrict encryption to specific files or directories; without them, the ransomware encrypts every accessible local volume. Rancoz also deletes Volume Shadow Copies (VSS) through VSSADMIN.EXE and alters the RDP/Terminal Server settings of affected hosts.

Encrypted files are identified by the ".rec_rans" file extension. When initiated, Rancoz payloads display a visible command window that presents real-time encryption progress and any relevant output from associated processes, such as volume enumeration, the use of command-line parameters, or error messages.

Following encryption, affected files are appended with the ".rec_ranz" extension, and victims are instructed to contact the attackers via their TOR-based web portal using the provided ransom note, "HOW_TO_RECOVERY_FILES.txt."
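The behaviours described above map directly onto host telemetry a defender already collects. The script below is an added example, not part of the original page and not taken from any vendor tooling: it runs a simple detection pass over a handful of constructed, Sysmon-style events (process creations and file writes invented for the example) and flags the three observables the write-up names, namely shadow-copy deletion through VSSADMIN.EXE, files renamed to the ".rec_rans" / ".rec_ranz" extensions (both spellings as the page gives them), and the ransom note "HOW_TO_RECOVERY_FILES.txt". It goes slightly beyond the page by also matching the "resize shadowstorage" form of vssadmin abuse, which is a common alternative way of destroying restore points. The event field names, the per-host burst threshold and the sample data are all assumptions.

```python
"""Toy detection pass for the Rancoz behaviours described on this page.

Events are constructed dicts in a Sysmon-like shape (assumed field names:
host, type, cmdline, path); they are not real telemetry.
"""
import re
from collections import Counter

# Extensions exactly as the write-up lists them (both spellings appear there).
RANSOM_EXTENSIONS = (".rec_rans", ".rec_ranz")
# Ransom note filename from the write-up, lower-cased for comparison.
RANSOM_NOTE = "how_to_recovery_files.txt"
# vssadmin invocations that destroy restore points: "delete shadows" is the
# form the page mentions; "resize shadowstorage" is an added common variant.
VSSADMIN_RE = re.compile(
    r"vssadmin(\.exe)?\s+(delete\s+shadows|resize\s+shadowstorage)", re.IGNORECASE
)


def classify(event):
    """Return the list of alert labels for one event (empty if benign)."""
    alerts = []
    kind = event.get("type")
    if kind == "process":
        if VSSADMIN_RE.search(event.get("cmdline", "")):
            alerts.append("vss_shadow_deletion")
    elif kind == "file":
        target = event.get("path", "").lower()
        if target.endswith(RANSOM_EXTENSIONS):
            alerts.append("ransomware_extension")
        if target.rsplit("\\", 1)[-1] == RANSOM_NOTE:
            alerts.append("ransom_note_dropped")
    return alerts


def scan(events, burst_threshold=5):
    """Classify every event and roll the findings up per host.

    Returns {host: {"alerts": Counter, "burst": bool}}. "burst" becomes True
    once a host has at least burst_threshold files renamed to a ransom
    extension, a crude proxy for mass encryption in progress. The threshold
    is an assumed tuning value, not something the page states.
    """
    results = {}
    for ev in events:
        host = ev.get("host", "unknown")
        entry = results.setdefault(host, {"alerts": Counter(), "burst": False})
        for label in classify(ev):
            entry["alerts"][label] += 1
        if entry["alerts"]["ransomware_extension"] >= burst_threshold:
            entry["burst"] = True
    return results


# Constructed sample telemetry: ws01 shows the Rancoz pattern, ws02 is benign.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "type": "file", "path": r"C:\Users\a\Documents\q1.xlsx.rec_rans"},
    {"host": "ws01", "type": "file", "path": r"C:\Users\a\Documents\q2.docx.rec_rans"},
    {"host": "ws01", "type": "file", "path": r"C:\Users\a\Documents\plan.pdf.rec_ranz"},
    {"host": "ws01", "type": "file", "path": r"D:\share\db.bak.rec_ranz"},
    {"host": "ws01", "type": "file", "path": r"D:\share\notes.txt.rec_rans"},
    {"host": "ws01", "type": "file", "path": r"C:\Users\a\Desktop\HOW_TO_RECOVERY_FILES.txt"},
    {"host": "ws02", "type": "process", "cmdline": "vssadmin list shadows"},
    {"host": "ws02", "type": "file", "path": r"C:\Users\b\report.docx"},
    {"host": "ws02", "type": "process", "cmdline": "powershell.exe -c Get-Date"},
]


if __name__ == "__main__":
    for host, finding in scan(SAMPLE_EVENTS).items():
        print(host, dict(finding["alerts"]), "burst=%s" % finding["burst"])
```

The vssadmin match alone is a useful alert on most estates, since legitimate administration rarely deletes all shadow copies quietly; the extension and ransom-note checks add confidence and, combined with the burst flag, give an early signal that encryption is under way on a host.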

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.