Ransomware Demo: SentinelOne VS Rancoz Ransomware – Protection
In this video, we show SentinelOne’s ability to protect against Rancoz ransomware. Rancoz was first observed in the wild in May 2023 and operates as a multi-extortion group, hosting a TOR-based leak site that publishes the names and stolen data of victims who refuse to pay. Associated attack campaigns have been tracked across multiple industries and geographies.
Beyond a preference for large enterprises, Rancoz attackers do not appear to discriminate in their choice of victims. There are no clear exclusion zones or industries (e.g., medical or educational institutions) for threat actors deploying Rancoz.
Upon execution, the ransomware enumerates all local drives and attempts to encrypt every available and applicable file type. Command-line parameters can be used to restrict encryption to specific files or folders; otherwise, the ransomware attempts to encrypt all local and accessible volumes. Rancoz also deletes Volume Shadow Copies (VSS) via VSSADMIN.EXE and then reconfigures RDP/Terminal Server settings on affected hosts. Encrypted files are marked with the “.rec_rans” file extension.
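As an added illustration (not SentinelOne’s code and not derived from a Rancoz sample), the following Python scans constructed endpoint telemetry for two of the behaviours described above: shadow-copy deletion through VSSADMIN.EXE and a burst of files renamed to the `.rec_rans` extension on a single host. The JSON event format, the `delete shadows` command-line shape and the burst threshold are assumptions.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not captured Rancoz activity: one JSON event per
# line, loosely modelled on endpoint process-creation and file-rename records.
SAMPLE_EVENTS = r"""
{"ts": "2023-05-10T09:00:01", "host": "ws01", "type": "process", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"}
{"ts": "2023-05-10T09:00:02", "host": "ws01", "type": "process", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe list shadows"}
{"ts": "2023-05-10T09:00:05", "host": "ws01", "type": "file_rename", "target": "C:\\Users\\a\\Documents\\q1.xlsx.rec_rans"}
{"ts": "2023-05-10T09:00:06", "host": "ws01", "type": "file_rename", "target": "C:\\Users\\a\\Documents\\notes.docx.rec_rans"}
{"ts": "2023-05-10T09:00:07", "host": "ws01", "type": "file_rename", "target": "C:\\Users\\a\\Pictures\\cat.jpg"}
{"ts": "2023-05-10T09:00:08", "host": "ws01", "type": "file_rename", "target": "C:\\Users\\a\\Documents\\plan.pdf.rec_rans"}
{"ts": "2023-05-10T09:30:00", "host": "ws02", "type": "file_rename", "target": "D:\\share\\old.txt.rec_rans"}
"""

# Assumed shadow-deletion command shape; the page only says VSS is deleted via VSSADMIN.EXE.
SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)
RANSOM_EXT = ".rec_rans"  # extension the page reports for Rancoz-encrypted files


def parse_events(text):
    """Parse newline-delimited JSON events into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events, burst_threshold=3, window=timedelta(seconds=60)):
    """Return (host, rule, detail) tuples for two Rancoz-style behaviours:
    shadow-copy deletion via vssadmin, and a burst of .rec_rans renames on one host."""
    alerts = []
    recent = defaultdict(list)  # host -> timestamps of .rec_rans renames inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "process":
            if ev["image"].lower().endswith("vssadmin.exe") and SHADOW_DELETE.search(ev["cmdline"]):
                alerts.append((ev["host"], "shadow_copy_deletion", ev["cmdline"]))
        elif ev["type"] == "file_rename" and ev["target"].lower().endswith(RANSOM_EXT):
            stamps = recent[ev["host"]]
            stamps.append(ts)
            while ts - stamps[0] > window:  # drop renames that fell out of the sliding window
                stamps.pop(0)
            if len(stamps) == burst_threshold:  # fire once, when the burst first reaches the threshold
                alerts.append((ev["host"], "rec_rans_extension_burst",
                               f"{burst_threshold} renames within {int(window.total_seconds())}s"))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The single rename on ws02 stays below the threshold, so only ws01 raises the extension-burst alert; tune the threshold and window to the file-activity baseline of the environment.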
The SentinelOne Singularity XDR Platform can identify and stop any malicious activities and items related to Rancoz ransomware and return systems to their original state using either the Repair or Rollback feature.
Watch the demo to understand how SentinelOne’s advanced threat detection and prevention capabilities can protect your systems against threats like Rancoz. For more technical insights and cybersecurity updates, subscribe to our channel.