Rancoz Ransomware Targets DDB Unlimited

The Rancoz ransomware gang has attacked DDB Unlimited. DDB Unlimited is a company that specializes in manufacturing and providing enclosures, cabinets, and racks for the telecommunications and other industries. The company is known for its high-quality outdoor and indoor enclosure solutions designed to protect sensitive and critical equipment from environmental factors such as weather, dust, and vandalism. Rancoz posted DDB Unlimited to its data leak site on September 3rd but provided no further details.

Rancoz Ransomware Overview

The Rancoz ransomware was initially detected in the wild in May 2023. It functions as a multi-extortion group and maintains a TOR-based website with non-compliant victim identifiers and related data. Various attack campaigns associated with Rancoz have been identified across multiple industries and geographic regions.

Some code similarities exist between Rancoz payloads and custom-branded ransomware strains previously attributed to the Vice Society. However, it's important to note that there is currently no concrete evidence linking Rancoz to any specific group or actor. Visual resemblances can also be observed between Rancoz's data leak site (DLS) and other known groups, as well as in the formatting, structure, and generation of ransom notes. These similarities, however, are superficial and do not necessarily indicate a direct relationship between Rancoz and other threat actor families.

How Rancoz Operates

Upon activation, Rancoz ransomware conducts a thorough enumeration of all local drives and attempts to encrypt eligible file types. Users can employ command-line parameters to target encryption on specific files or directories, or the ransomware will proceed to encrypt all accessible local volumes. In addition, Rancoz deletes Volume Shadow Copies (VSS) through VSSADMIN.EXE and adjusts RDP/Terminal Server settings for impacted hosts.

Encrypted files are identified by the ".rec_rans" file extension. When initiated, Rancoz payloads display a visible command window that presents real-time encryption progress and any relevant output from associated processes, such as volume enumeration, the use of command-line parameters, or error messages.

Following encryption, affected files are appended with the ".rec_ranz" extension, and victims are instructed to contact the attackers via their TOR-based web portal using the provided ransom note, "HOW_TO_RECOVERY_FILES.txt."