Rancoz Ransomware: Technical Analysis and Recovery Case Study

Key takeaways:

  • Rancoz ransomware uses NTRUEncrypt (post-quantum) combined with ChaCha20-Poly1305 cipher for file encryption.
  • Threat actors are targeting virtualization platforms, particularly Proxmox environments, for maximum impact.
  • Proven Data achieved complete recovery in a case where the attackers' own decryptor malfunctioned, showing that recovery is possible even when the "official" decryption tool fails.

Rancoz payloads share code similarities with Vice Society’s custom-branded ransomware strains, though no firm evidence establishes a direct relationship between the groups. Analysis suggests the same developer likely created Rancoz along with related variants, including Buddy ransomware, based on identical compilation dates and similar code structure.

Who are Rancoz’s targets?

Rancoz attackers target large enterprises without clear exclusion zones for industries such as medical or educational institutions. Documented victims span multiple countries, including the United States, Canada, India, France, and Lithuania, across various industry sectors.

The ransomware particularly threatens organizations running virtualization infrastructure. By compromising a single Proxmox host server, attackers can simultaneously encrypt dozens or hundreds of guest virtual machines, maximizing operational disruption and ransom pressure.

Rancoz encryption methods and techniques

Rancoz achieves file encryption using a combination of NTRUEncrypt (asymmetric) and the ChaCha20-Poly1305 cipher (symmetric). This hybrid approach provides both security and performance:

  • NTRUEncrypt (Post-Quantum Algorithm): NTRUEncrypt is a lattice-based cryptographic system designed to resist attacks from both classical and quantum computers. By implementing this algorithm, Rancoz creates a psychological barrier in which victims perceive the encryption as mathematically unbreakable, driving faster ransom payment decisions.
  • ChaCha20-Poly1305 (Symmetric Cipher): This modern authenticated encryption algorithm provides fast file encryption while maintaining strong security. The combination allows Rancoz to quickly encrypt large volumes of data while protecting encryption keys with post-quantum algorithms.

Execution and propagation

Upon execution, Rancoz enumerates all local drives and attempts to encrypt all available file types unless attackers specify otherwise using command-line parameters. The ransomware adds a “.rec_rans” extension to encrypted files and leaves a ransom note labeled “HOW_TO_RECOVERY_FILES.txt”.

When launched, Rancoz payloads display a visible command window showing current encryption status, volume enumeration, command-line parameter usage, or error messages.

System manipulation and defense evasion

Rancoz employs several techniques to prevent recovery and maintain persistence:

  • Volume Shadow Copy Deletion: The ransomware deletes shadow copies by executing “/c vssadmin.exe Delete Shadows /All /Quiet”, making standard file recovery extremely difficult.
  • Remote Desktop Protocol Disruption: Rancoz deletes the registry key “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default” while resetting “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers”. These modifications disrupt RDP and Terminal Server connectivity, potentially preventing victims from connecting to remote servers for file recovery.
  • Visual Intimidation: The ransomware replaces the desktop background by modifying the registry to display a dropped file called “noise.bmp”, ensuring victims immediately see the ransom demand.
  • Selective Encryption: Rancoz payloads contain lists of file extensions and folder names to exclude from encryption, ensuring system stability while maximizing pressure on victims.

Command execution sequence

The following commands are observed during Rancoz execution:

  • Remove Volume Shadow Copies

C:\Windows\system32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

  • Disrupt Remote Desktop/Terminal Server

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f

reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"

  • Remove RDP Settings and Event Logs

attrib Default.rdp -s -h

del Default.rdp

for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
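The command sequence above is exactly what an EDR or SIEM rule should key on, because every step runs before encryption finishes and each is rare in normal administration. The following detection logic is an added example written for this article, not Proven Data's tooling or anything from the Rancoz payload: it scans process-creation command lines (the constructed sample lines below mirror the sequence listed above plus two benign look-alikes), tags each hit with the matching MITRE ATT&CK technique, and escalates when several distinct rule families fire together, which is the pre-encryption pattern rather than an isolated admin command.

```python
import re
from dataclasses import dataclass

# Constructed sample of process-creation command lines (Sysmon Event ID 1 style).
# Not captured from a real incident; the first five mirror the Rancoz sequence
# documented above, the last two are benign administrative commands.
SAMPLE_COMMAND_LINES = [
    r"C:\Windows\system32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet",
    r'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f',
    r'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f',
    r"attrib Default.rdp -s -h",
    r'''for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"''',
    r"vssadmin.exe list shadows",                        # benign: read-only
    r'reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"',  # benign
]

# Each rule: (rule name, MITRE ATT&CK technique, compiled pattern).
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("terminal_server_client_key_tamper", "T1112",
     re.compile(r"reg(\.exe)?\s+(delete|add)\s+[\"']?HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client", re.I)),
    ("default_rdp_removal", "T1070",
     re.compile(r"\b(attrib|del)\s+.*Default\.rdp", re.I)),
    ("event_log_clearing", "T1070.001",
     re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str
    command_line: str


def scan_command_line(cmd: str) -> list:
    """Return one Finding per rule that matches this command line."""
    return [Finding(name, tid, cmd) for name, tid, rx in RULES if rx.search(cmd)]


def scan_process_log(lines) -> list:
    """Scan a sequence of command lines (one host, one time window)."""
    findings = []
    for line in lines:
        findings.extend(scan_command_line(line))
    return findings


def assess(findings) -> tuple:
    """Collapse findings into a verdict.

    A single family (e.g. one vssadmin call) is suspicious on its own; two or
    more distinct families on the same host in a short window match the
    recovery-inhibition sequence that precedes encryption and should be treated
    as an active ransomware deployment, not a misconfiguration.
    """
    families = sorted({f.rule for f in findings})
    if len(families) >= 2:
        return "probable_ransomware_prep", families
    if families:
        return "suspicious", families
    return "clean", families


if __name__ == "__main__":
    hits = scan_process_log(SAMPLE_COMMAND_LINES)
    for h in hits:
        print(f"[{h.technique}] {h.rule}: {h.command_line}")
    print(assess(hits))
```

The verdict threshold is deliberately low: shadow-copy deletion, RDP-client key tampering and mass event-log clearing have almost no overlap with routine administration, so a second family firing within the same window is enough to trigger automatic isolation rather than a ticket.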

Case study: reverse-engineering the failed Rancoz decryptor

A company running critical operations on Proxmox virtualization infrastructure fell victim to Rancoz ransomware. With operations completely halted and facing immense business pressure, the organization made the difficult decision to pay the ransom. The threat actors provided a decryption tool, but it failed to function properly.

The organization now faced a catastrophic scenario: financial loss from the ransom payment combined with continued data inaccessibility. Without a functioning decryption capability, total business loss appeared inevitable.

The Technical Recovery Challenge

“Threat actors deploy sloppy, vibe-coded ransomware that uses post-quantum, but the backend is often unstable,” explained Hassan Faraz, the ransomware recovery expert who led the recovery effort at Proven Data.

Unlike standard data recovery involving hardware failure or accidental deletion, this case required reverse-engineering software written by cybercriminals, an unprecedented challenge combining forensic expertise, advanced programming knowledge, and cryptographic understanding.

“This wasn’t a typical ransomware recovery case. We essentially had to become the developers for the threat actor’s broken software,” stated Hassan Faraz.

The four-stage recovery process

Stage 1: Secure analysis environment

Proven Data’s Digital Forensics and Incident Response (DFIR) team isolated the faulty decryptor in a sandboxed environment. This secure workspace allowed comprehensive analysis without risking the client’s remaining infrastructure or causing additional data corruption. The isolation prevented any potential secondary payloads or malicious code from executing in production systems.

Stage 2: Code deconstruction & debugging

The team methodically reverse-engineered the decryptor application, decompiling the executable and mapping out its flawed logic. This process required expertise in:

  • NTRUEncrypt Implementation: Understanding how the post-quantum algorithm was applied and where key management occurred
  • ChaCha20-Poly1305 Decryption: Analyzing symmetric cipher implementation and identifying authentication failures
  • Multi-threaded Decryption Logic: Examining how the tool handled parallel decryption operations and where thread synchronization failed
  • File System Operations: Identifying bugs in file reading, writing, and extension handling

Through detailed debugging, the team identified specific code errors preventing proper decryption. These included improper key handling, thread race conditions, and file pointer management failures, all indicative of hastily written criminal software.

Stage 3: Recompiling a functional tool

After identifying the critical bugs, the DFIR team corrected the threat actor’s code and compiled a new, functional decryptor. The process involved:

  • Fixing key derivation and handling routines
  • Correcting multi-threaded decryption synchronization
  • Repairing file system operations and extension restoration
  • Adding error handling and logging for transparency

Before any production deployment, the team rigorously tested the corrected decryptor on sample encrypted files, validating both efficacy and safety. Multiple test iterations ensured no data corruption would occur during actual restoration.
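What "validating both efficacy and safety" looks like in practice is a harness that never lets a repaired decryptor near the only copy of a file, and that judges its output by content rather than by the tool's own exit status. The script below is an added example for this article, not Proven Data's harness or the repaired decryptor itself. It assumes a set of known-good sample files whose SHA-256 hashes are available (from backups or files of known content), stages copies of the encrypted samples into a scratch directory for the decryptor to work on, then checks that every output has had the ".rec_rans" extension stripped, that no encrypted names are left behind, and that each file hashes to its pre-incident value. The built-in demo stands in for the decryptor by writing one correct, one truncated and one un-renamed output so the checks can be seen firing.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".rec_rans"   # extension Rancoz appends, per the analysis above


def restore_name(encrypted_name: str) -> str:
    """Strip the Rancoz extension; refuse names that do not carry it."""
    if not encrypted_name.endswith(ENCRYPTED_SUFFIX):
        raise ValueError(f"not a Rancoz-encrypted name: {encrypted_name}")
    return encrypted_name[: -len(ENCRYPTED_SUFFIX)]


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(sample_dir: Path) -> dict:
    """Map each known-good sample name to its SHA-256 (the pre-incident truth)."""
    return {p.name: sha256_file(p) for p in sample_dir.iterdir() if p.is_file()}


def stage_copies(encrypted_dir: Path, scratch: Path) -> Path:
    """Copy encrypted samples into scratch so the decryptor never touches originals."""
    work = scratch / "work"
    work.mkdir(parents=True, exist_ok=True)
    for p in encrypted_dir.iterdir():
        if p.is_file():
            shutil.copy2(p, work / p.name)
    return work


def validate_restoration(output_dir: Path, manifest: dict) -> tuple:
    """Judge decryptor output by content. Returns (ok, list_of_problems)."""
    problems = []
    for name, expected in manifest.items():
        out = output_dir / name
        if not out.exists():
            problems.append(f"{name}: missing (extension not restored or file skipped)")
            continue
        actual = sha256_file(out)
        if actual != expected:
            problems.append(f"{name}: hash mismatch {actual[:12]} != {expected[:12]}")
    for p in sorted(output_dir.iterdir()):
        if p.name.endswith(ENCRYPTED_SUFFIX):
            problems.append(f"{p.name}: still carries {ENCRYPTED_SUFFIX}")
    return (not problems, problems)


def run_demo(faulty: bool) -> tuple:
    """Constructed scenario: three sample files, then a stand-in 'decryptor' output.

    faulty=True  -> one truncated file, one file never renamed (what a broken
                    decryptor with file-pointer and extension bugs produces)
    faulty=False -> every file restored byte-for-byte
    """
    samples = {"a.txt": b"ledger 2024\n" * 100, "b.txt": b"vm-config\n" * 50, "c.txt": b"notes\n"}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        good, enc, out = tmp / "good", tmp / "encrypted", tmp / "out"
        for d in (good, enc, out):
            d.mkdir()
        for name, data in samples.items():
            (good / name).write_bytes(data)
            (enc / (name + ENCRYPTED_SUFFIX)).write_bytes(b"\x00" * len(data))  # opaque stand-in
        manifest = build_manifest(good)
        work = stage_copies(enc, tmp / "scratch")
        assert len(list(work.iterdir())) == len(samples)  # originals untouched, copies present
        # Stand-in for the decryptor's output (not real decryption).
        for name, data in samples.items():
            if faulty and name == "b.txt":
                (out / name).write_bytes(data[:-7])           # truncated: file-pointer bug
            elif faulty and name == "c.txt":
                (out / (name + ENCRYPTED_SUFFIX)).write_bytes(data)  # content fine, name not restored
            else:
                (out / restore_name(name + ENCRYPTED_SUFFIX)).write_bytes(data)
        return validate_restoration(out, manifest)


if __name__ == "__main__":
    for faulty in (True, False):
        ok, problems = run_demo(faulty)
        print("faulty" if faulty else "repaired", "->", "PASS" if ok else "FAIL", problems)
```

Only a clean pass on this kind of harness, across several iterations and file types, justifies pointing the tool at the production Proxmox datastore; a decryptor that returns success but leaves hash mismatches is the failure mode the case above describes.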

Stage 4: Managed data restoration

Once validated, the corrected decryptor was deployed across the client’s Proxmox environment. The team carefully managed the entire restoration process, monitoring for anomalies and verifying data integrity at each stage.

The restoration proceeded methodically through each virtual machine, with continuous validation ensuring completeness and accuracy. The team maintained constant communication with the client, providing progress updates and addressing concerns in real-time.

The results

By correcting the threat actors’ own coding mistakes, the DFIR team transformed a complete disaster into full business recovery.

  • 100% data recovery across all encrypted systems
  • Zero data loss from the failed decryptor incident
  • Minimal additional downtime during the custom recovery process
  • Complete business continuity restoration, allowing normal operations to resume
  • Preserved data integrity across all virtual machines and containers

This case represents one of the first documented instances of successfully repairing and deploying a faulty post-quantum ransomware decryption tool.

Prevention and mitigation

  • Implement Immutable Backups: Ensure backup data cannot be altered or deleted for a defined retention period. Store backups offline or in cloud services with object lock enabled. Rancoz specifically targets backup systems, making immutability critical.
  • Network Segmentation: Isolate virtualization hosts from general network access. Implement strict access controls and require multi-factor authentication for all administrative access to Proxmox, VMware, or other virtualization platforms.
  • Endpoint Detection and Response (EDR): Deploy EDR solutions capable of detecting ransomware behaviors, including mass file encryption, shadow copy deletion, and registry modifications. Configure EDR to automatically quarantine suspicious executables.
  • Regular Security Assessments: Conduct penetration testing specifically targeting virtualization infrastructure. Identify and remediate vulnerabilities before attackers exploit them.
  • Incident Response Planning: Document exact procedures, decision-makers, and expert contacts for rapid response. Include specialized digital forensics teams capable of handling complex scenarios beyond standard incident response.
  • Employee Training: Since many ransomware attacks begin with phishing, ensure staff can identify and report suspicious emails, attachments, and links.

The technical reality of post-quantum ransomware

NTRUEncrypt provides legitimate security benefits when properly implemented. The algorithm’s resistance to both classical and quantum attacks makes it suitable for long-term data protection. However, in ransomware applications, this same strength becomes a liability for victims.

The mathematical complexity of NTRUEncrypt creates a perception of impossibility. Victims believe recovery without the key is fundamentally impossible. While the encryption itself is robust, the implementation by criminal actors often contains flaws.

As quantum computing advances and post-quantum cryptography becomes standardized, ransomware will increasingly incorporate these algorithms. Organizations must prepare now by:

  • Building crypto-agility into security infrastructure
  • Developing relationships with experts who understand advanced cryptographic implementations
  • Implementing defense-in-depth strategies that prevent initial compromise
  • Maintaining immutable backups that remain accessible regardless of encryption sophistication

Frequently Asked Questions

What is post-quantum ransomware, and is it a threat today?

Post-quantum ransomware refers to ransomware that uses post-quantum cryptography. These are new encryption algorithms designed to be secure even against an attack from a future, powerful quantum computer.

While ransomware using true PQC is not yet common, the cryptographic landscape is preparing for this shift. The immediate threat isn’t that a quantum computer will hack you tomorrow, but that attackers may begin using these advanced encryption methods, making recovery without a key even more difficult. The best defense remains a robust, multi-layered security strategy, as a strong backup plan is effective regardless of the encryption type.

What is Proxmox, and why is it a primary ransomware target?

Proxmox Virtual Environment (VE) is a powerful, open-source platform for managing virtual machines (VMs) and containers. Attackers target it because of its efficiency; by compromising a single Proxmox host server, they can simultaneously encrypt the virtual disks of dozens or even hundreds of guest VMs. This maximizes their impact and creates immense pressure on the organization to pay the ransom, as it cripples multiple systems at once.

Are my standard Proxmox backups enough to recover?

Not always. Attackers are well aware of standard backup configurations and actively target them. If your Proxmox Backup Server or backup storage is accessible from the compromised Proxmox host, the attackers will encrypt or delete your backups before encrypting your VMs.

To be effective, your backup strategy must include immutability (backups cannot be altered or deleted for a set period) or an air-gapped/offline copy. This ensures you have a clean, untouchable version of your data for recovery.

Can you recover data without the decryption key?

In many cases, yes. Proven Data uses multiple ransomware decryption and recovery methods, including exploiting encryption vulnerabilities, data reconstruction techniques, and forensic file carving. Our success depends on factors like the ransomware variant, backup availability, and how quickly we’re contacted after the attack.

How can I prepare my Proxmox environment for the threat of post-quantum ransomware?

While quantum computers capable of breaking current encryption aren’t widely available yet, the “harvest now, decrypt later” strategy is a real threat. Attackers can steal your encrypted Proxmox data today and wait until a quantum computer is available to decrypt it. The best preparation is to focus on prevention and crypto-agility.

  • Strengthen Foundational Security: The security measures, like MFA, network segmentation, and immutable backups, are your best defense, as they prevent the initial breach regardless of the encryption type used.
  • Develop an Incident Response Plan: Know exactly who to call and what steps to take the moment an attack is detected to minimize damage.
  • Stay Informed: Monitor developments in PQC and be prepared to adopt new, quantum-resistant security standards as they become available for infrastructure like VPNs and data-at-rest encryption.
