Rancoz Ransomware blog

Dissecting Rancoz Ransomware

Threat Actor Leveraging Vice Society’s Codebase for Greater Impact

Custom-branded ransomware has recently seen a surge in development. We have observed Threat Actors (TAs) utilizing leaked source codes of a particular ransomware family to create new variants by modifying the existing code. This approach allows for the creation of ransomware that can be tailored to target specific industries, organizations, or geographic regions, increasing the effectiveness of ransomware variants when it comes to evading detection and successfully infecting victims. Additionally, using existing ransomware code as a starting point can significantly reduce the time and resources required to develop new ransomware families from scratch.

Cyble Research and Intelligence Labs (CRIL) has been closely monitoring the latest threats, including Ransomware, Remote Access Trojans (RATs), and Stealers, among others, and has been publishing blogs about them to keep our readers informed and aware.

Recently, CRIL came across a ransomware variant named Rancoz, initially identified by a researcher @siri_urz. Upon analysis, it has been observed that this ransomware shares notable similarities and overlaps with the Vice Society ransomware.

The Rancoz ransomware group employs a double extortion technique to maximize their chances of receiving payment from victims. This technique involves not only encrypting the victim’s data but also threats from the TAs to release the stolen data on their designated leak site.

The figure below shows the Onion leak page of the Rancoz ransomware and the affected organization.

Figure 1 – Rancoz leak site

Technical Analysis

For analysis purposes, we have taken a sample hash, b95a4443bb8bff80d927ac551a9a5a5cfac3e3e03a5b5737c0e05c75f33ad61e, which represents a 64-bit Console-based binary executable file compiled using MingGW (GCC), as demonstrated in the following figure.

Figure 2 – File Details

Upon execution, the malware starts a command prompt window and meticulously records all its actions, comprehensively reporting its behavior in real-time. This suggests that the attacker will activate the ransomware manually upon gaining access to the victim’s computer.

Command Line Arguments

The ransomware starts by inspecting the command line arguments it receives to initiate its operation. It checks whether the number of arguments is greater than one. If not, the ransomware displays a message stating, “Command line arguments are not used.” However, if there are arguments, the ransomware proceeds to verify them.

The Rancoz ransomware checks the command line arguments it receives against a set of predefined arguments, which are listed as follows:

/fFile argument. Encrypts only the file specified
/dDirectory argument. Encrypts the directory
/ssimply prints out any argument provided

In the event that the passed arguments do not match the predefined arguments or there are no arguments passed at all, the Rancoz ransomware will display a message stating “Not Valid Arguments” and proceed with its default execution.

After executing the ransomware, it imports a hardcoded NTRU Public Key and saves it as configuration data to be used during the encryption process. While infecting the system, the ransomware keeps track of its progress and displays the status in real time on the command prompt window, as depicted in the below figure.

Figure 3 – Ransomware Shows its Progress

Deleting ShadowCopy & RDP

Next, the ransomware utilizes the ShellExecuteW() function to execute a set of commands that cause destructive consequences for the victim’s system, including deleting all Shadow Copies, removing values in the Windows Registry related to Remote Desktop Connection, deleting the default Remote Desktop Protocol (RDP) configuration file, and erasing all Windows event logs.

The table below shows the commands and the purpose.

/c vssadmin.exe Delete Shadows /All /QuietDelete Volume Shadow Copies to prevent system restoration
reg delete “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default” /va /f   reg delete “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers”  Remove registry keys related to Remote Desktop Protocol (RDP) connections, which can prevent the victim from connecting to remote servers to recover data or seek assistance
attrib Default.rdp -s -h del Default.rdp for /F “”tokens=*”” %1 in (‘wevtutil.exe el’) DO wevtutil.exe cl “”%1″””Delete log files and RDP connection settings to remove any possible evidence of ransomware activity.

The figure below shows the values passed to the ShellExecute() API function.

Figure 4 – ShellExecute Function


The Rancoz ransomware employs a multi-threading strategy to carry out file encryption. This is accomplished by creating four worker threads using the CreateThread() API function and synchronizing with the main thread. The worker threads are responsible for the encryption of the file contents.

Each worker thread handles various operations, such as reading the file content, performing ChaChapoly encryption, and writing the encrypted blocks back to the file.

The below figure shows the implementation of the ChaChapoly algorithm.

Figure 5 – Implementation of the ChaChapoly algorithm

Meanwhile, the main thread’s primary task is identifying and listing all available local and remote drives, including network shares on the compromised system. It accomplishes this by evaluating the drive types, which fall within the range of 0 to 4. These drive types include DRIVE_UNKNOWN, DRIVE_NO_ROOT_DIR, DRIVE_REMOVABLE, DRIVE_FIXED, and DRIVE_REMOTE.

The figure below shows the execution status of the ransomware after the drive enumeration process is completed.

Figure 6 – Ransomware execution status

Once the drives are identified, the main thread initiates the enumeration of directories and subdirectories to collect the file paths for encryption.

As part of its encryption process, the Rancoz ransomware refrained from encrypting particular folder names and file extensions listed in the table below. The following directories will be excluded from the encryption process.

AvastAviraCOMODOChromeCommon Files
Install Shield Installation InformationIntelInternet ExplorerKaspersky LabMcAfee
MicrosoftMicrosoft HelpMicrosoft SDKsMicrosoft SharedMicrosoft VS Code
Microsoft Visual StudioMicrosoft.NETMovieMakerMozillaMozilla Firefox
NVIDIA CorporationOperaPackage CachePackagesReference assemblies
SpytechsoftwareSymantecSymantec Client SecuritySystem Volume InformationTemp
WindowsWindows App Certification KitWindows DefenderWindows KitsWindows Mail
Windows Media PlayerWindows Multimedia PlatformWindows NTWindows Phone KitsWindows Phone Silverlight Kits
Windows Photo ViewerWindows Portable DevicesWindows SecurityWindows SidebarWindowsApps
WindowsPowerShellWsusYandex Browsersysconfig 

The table below outlines the file extensions designated to be excluded from the encryption process.


After identifying the files, the main thread proceeds to commence the encryption process on the victim’s system utilizing the designated worker threads mentioned earlier.

Rancoz ransomware employs a combination of symmetric and asymmetric encryption techniques to encrypt files securely. It uses the NTRUEncrypt algorithm for asymmetric encryption, and for symmetric encryption, it uses the ChaCha20-Poly algorithm.

Furthermore, it drops a ransom note titled “HOW_TO_RECOVERY_FILES.txt” within all the enumerated directories. As a part of the encryption process, the ransomware alters the encrypted file names by appending the “.rec_rans” extension.

The below figure shows the encrypted files.

Figure 7 – Encrypted files

After successfully encrypting the files, the ransomware proceeds to modify the desktop background image of the infected system. The ransomware adds the below-mentioned registry key values to modify the desktop background image.

  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

Value: Wallpaper

Data: C:\Users\Public\noise.bmp

  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

Value: WallpaperStyle

Data: 4

The accompanying figure shows the modified desktop background resulting from the ransomware’s actions.

Figure 8  – Modified desktop background

The below image shows the ransom note utilized by the Rancoz ransomware. The ransom note also provides guidance to the victims on how to reach out to the TAs to recover their encrypted files/pay the ransom.

Figure 9 – Ransom note


The constant evolution and release of new ransomware variants highlight the advanced skills and agility of TAs, indicating that they are responding to cybersecurity measures and checks being implemented and customizing their ransomware accordingly.

The appearance of a newly rebranded strain of ransomware further emphasizes the persistent danger posed by ransomware groups to organizations, individuals, and even governmental entities, serving as a reminder that the risk of ransomware attacks remains an ongoing concern in today’s digital landscape.

Cyble Research & Intelligence Labs continuously monitors all ransomware campaigns and will keep updating our readers with the latest information and our findings.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

Safety Measures Needed to Prevent Ransomware Attacks

  • Conduct regular backup practices and keep those backups offline or in a separate network
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile
  • Refrain from opening untrusted links and email attachments without verifying their authenticity

Users Should Take the Following Steps After the Ransomware Attack

  • Detach infected devices on the same network
  • Disconnect external storage devices if connected
  • Inspect system logs for suspicious events

Impact of Rancoz Ransomware

  • Loss of Valuable Data
  • Loss of the organization’s reputation and integrity
  • Loss of the organization’s sensitive business information
  • Disruption in organization operation
  • Financial loss

MITRE ATT&CK® Techniques

Tactic Technique ID Technique Name 
Command and Scripting Interpreter  
User Execution
System Information Discovery   
Network Share Discovery  
File and Directory Discovery
Defense EvasionT1070Delete shadow drive data
 Data encrypted for impact  
Inhibit System Recovery

Indicators of Compromise (IOCs)

Indicators Indicator  
9fe3060e5cbe3a9ab6c3fb3dee40bd6cd385a6f6 8d9f3e223f8d5e350b87dc0908fee0a5
Rancoz Ransomware

Comments are closed.

Scroll to Top