Rancoz attacks DDB Unlimited

Incident Date: Sep 03, 2023

Attack Overview

VICTIM: DDB Unlimited
INDUSTRY: Telecommunications
LOCATION: USA
ATTACKER: Rancoz
FIRST REPORTED: September 3, 2023

Rancoz Ransomware Targets DDB Unlimited

The Rancoz ransomware gang has attacked DDB Unlimited. DDB Unlimited is a company that specializes in manufacturing and providing enclosures, cabinets, and racks for the telecommunications and other industries. The company is known for its high-quality outdoor and indoor enclosure solutions designed to protect sensitive and critical equipment from environmental factors such as weather, dust, and vandalism. Rancoz posted DDB Unlimited to its data leak site on September 3rd but provided no further details.

Rancoz Ransomware Overview

The Rancoz ransomware was first observed in the wild in May 2023. The group practices multi-extortion and maintains a TOR-based leak site that lists victims who have not paid, together with data stolen from them. Attack campaigns attributed to Rancoz have been identified across multiple industries and geographic regions.

Some code similarities exist between Rancoz payloads and custom-branded ransomware strains previously attributed to Vice Society. However, there is currently no concrete evidence linking Rancoz to any specific group or actor. Visual resemblances can also be observed between Rancoz's data leak site (DLS) and those of other known groups, as well as in the formatting, structure, and generation of ransom notes. These similarities are superficial and do not by themselves indicate a direct relationship between Rancoz and other threat actor families.

How Rancoz Operates

Upon execution, Rancoz ransomware enumerates all local drives and attempts to encrypt eligible file types. Operators can use command-line parameters to restrict encryption to specific files or directories; otherwise the ransomware encrypts all accessible local volumes. In addition, Rancoz deletes Volume Shadow Copies (VSS) through VSSADMIN.EXE and adjusts RDP/Terminal Server settings on impacted hosts.

Encrypted files are identified by the ".rec_rans" file extension. When run, Rancoz payloads display a visible command window that shows real-time encryption progress and any relevant output from associated activity, such as volume enumeration, the command-line parameters in use, or error messages.

Following encryption, affected files are appended with the ".rec_ranz" extension, and victims are instructed to contact the attackers via their TOR-based web portal by following the ransom note, "HOW_TO_RECOVERY_FILES.txt".
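The behaviours described above (shadow copy deletion via VSSADMIN.EXE, the reported file extensions, the ransom note name, and Terminal Server changes) can be turned into host-based detection logic. The following is an added example, not code from Halcyon or from the report; it runs over constructed Sysmon-style events, and the Terminal Server registry path it checks is an assumption, since the report does not name the setting that Rancoz modifies.

```python
import re

# Constructed, Sysmon-style events (not real telemetry). Field names mirror
# Event ID 1 (process create), 11 (file create) and 13 (registry value set).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 11, "target": r"C:\Users\jdoe\Documents\q3_budget.xlsx.rec_rans"},
    {"id": 11, "target": r"C:\Users\jdoe\Documents\HOW_TO_RECOVERY_FILES.txt"},
    # Assumed path: the report only says RDP/Terminal Server settings change.
    {"id": 13, "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe notes.txt"},
    {"id": 11, "target": r"C:\Users\jdoe\Documents\report.docx"},
]

# The report gives both ".rec_rans" and ".rec_ranz"; match either spelling.
EXT_RE = re.compile(r"\.rec_ran[sz]$", re.IGNORECASE)
NOTE_NAME = "how_to_recovery_files.txt"


def classify(ev):
    """Return a finding label for one event, or None if it looks benign."""
    if ev["id"] == 1:
        cmd = ev.get("cmd", "").lower()
        # Only "delete shadows" is suspicious; "vssadmin list shadows" is routine.
        if ev["image"].lower().endswith("vssadmin.exe") \
                and "delete" in cmd and "shadows" in cmd:
            return "shadow_copy_deletion"
    elif ev["id"] == 11:
        name = ev["target"].rsplit("\\", 1)[-1]
        if name.lower() == NOTE_NAME:
            return "ransom_note_dropped"
        if EXT_RE.search(name):
            return "rancoz_extension"
    elif ev["id"] == 13:
        if "\\terminal server\\" in ev["target"].lower():
            return "terminal_server_setting_changed"
    return None


def detect(events):
    """Return (label, event) pairs for every event that matched a rule."""
    return [(classify(e), e) for e in events if classify(e)]


def score(events):
    """Number of distinct behaviours seen; two or more together is a strong signal."""
    return len({label for label, _ in detect(events)})
```

Any single rule can fire on legitimate activity (backup jobs also call vssadmin), so alert on the combined score rather than on one match.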
