Playbook

Malware Threat: Ranion

description-logo Description

Ranion is a Ransomware as a Service that is based off of the open source HiddenTear ransomware. First discovered in 2017, Ranion main customer base is less sophisticated and or beginning threat actors, which has allowed it to stay under the radar for several years.


The Ranion ransomware variant that FortiGuard Labs recently came across bucks that trend. The Ranison ransomware family appears to have been around since at least early 2017, giving it more than four years of longevity. In February of that year, Daniel Smith at Radware Security shed the first light on the Ranion ransomware, describing it as Ransomware-as-a-service. Surprisingly, its website on the Dark Web has remained relatively unchanged: the Ranion developer still maintains its claim that Ranion was created for educational purposes and asks users not to use the ransomware for illegal activities.


The latest version of Ranion, version 1.21, was released in July 2021. Amazingly, the Ranion developer has updated the ransomware every month in 2021 (except for May), including updates for detection evasion, which casts doubt on the claim that the ransomware is for educational purposes.


For more information on the TTPs used by Ranion, please visit our Playbook Viewer and select Ranion from the menu.

Appendix

Ranion Blog