Rancoz Ransomware: Technical Analysis and Recovery Case Study

Key takeaways:
- Rancoz ransomware uses NTRUEncrypt (post-quantum) combined with ChaCha20-Poly1305 cipher for file encryption.
- Threat actors are targeting virtualization platforms, particularly Proxmox environments, for maximum impact.
- Proven Data achieved complete recovery, showing that full recovery is possible even when the attackers' own decryptor malfunctions.
Rancoz payloads share code similarities with Vice Society’s custom-branded ransomware strains, though no firm evidence establishes a direct relationship between the groups. Analysis suggests the same developer likely created Rancoz along with related variants, including Buddy ransomware, based on identical compilation dates and similar code structure.
Rancoz attackers target large enterprises and show no clear exclusions for sectors such as healthcare or education. Documented victims span multiple countries, including the United States, Canada, India, France, and Lithuania, across various industry sectors.
The ransomware particularly threatens organizations running virtualization infrastructure. By compromising a single Proxmox host server, attackers can simultaneously encrypt dozens or hundreds of guest virtual machines, maximizing operational disruption and ransom pressure.
Rancoz achieves file encryption using a combination of NTRUEncrypt (asymmetric) and the ChaCha20-Poly1305 cipher (symmetric). This hybrid approach provides both security and performance:
- NTRUEncrypt (Post-Quantum Algorithm): NTRUEncrypt is a lattice-based cryptographic system designed to resist attacks from both classical and quantum computers. By implementing this algorithm, Rancoz creates a psychological barrier in which victims perceive the encryption as mathematically unbreakable, driving faster ransom payment decisions.
- ChaCha20-Poly1305 (Symmetric Cipher): This modern authenticated encryption algorithm provides fast file encryption while maintaining strong security. The combination allows Rancoz to quickly encrypt large volumes of data while protecting encryption keys with post-quantum algorithms.
Upon execution, Rancoz enumerates all local drives and attempts to encrypt all available file types unless attackers specify otherwise using command-line parameters. The ransomware adds a “.rec_rans” extension to encrypted files and leaves a ransom note labeled “HOW_TO_RECOVERY_FILES.txt”.
When launched, Rancoz payloads display a visible command window showing current encryption status, volume enumeration, command-line parameter usage, or error messages.
Rancoz employs several techniques to prevent recovery and maintain persistence:
- Volume Shadow Copy Deletion: The ransomware deletes shadow copies by executing “/c vssadmin.exe Delete Shadows /All /Quiet”, making standard file recovery extremely difficult.
- Remote Desktop Protocol Disruption: Rancoz deletes the registry key “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default” while resetting “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers”. These modifications disrupt RDP and Terminal Server connectivity, potentially preventing victims from connecting to remote servers for file recovery.
- Visual Intimidation: The ransomware replaces the desktop background by modifying the registry to display a dropped file called “noise.bmp”, ensuring victims immediately see the ransom demand.
- Selective Encryption: Rancoz payloads contain lists of file extensions and folder names to exclude from encryption, ensuring system stability while maximizing pressure on victims.
The following commands are observed during Rancoz execution:
- Remove Volume Shadow Copies
C:\Windows\system32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
- Disrupt Remote Desktop/Terminal Server
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
- Remove RDP Settings and Event Logs
attrib Default.rdp -s -h
del Default.rdp
for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
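The command lines above are the most reliable detection opportunity a defender has before encryption starts, because each of them is rare in normal administration and they appear together. The following Python script is an added example, not code from the article or from Proven Data: it runs a small set of rules over constructed process-creation events (the hostnames, image paths, and the benign control events are made up for the demonstration) and raises an alert only when a single host shows two or more distinct techniques, which separates a stray `vssadmin` query from the pre-encryption sequence listed above.

```python
import re

# Detection rules derived from the command lines observed during Rancoz execution.
# Each rule is a (name, compiled regex) pair matched against a process command line.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("rdp_history_wipe",
     re.compile(r'reg(?:\.exe)?\s+delete\s+"?(?:HKEY_CURRENT_USER|HKCU)'
                r'\\Software\\Microsoft\\Terminal Server Client', re.I)),
    ("event_log_clear",
     re.compile(r"wevtutil(?:\.exe)?\s+cl\b", re.I)),
    ("default_rdp_removal",
     re.compile(r"\b(?:del|attrib)\s+.*\bDefault\.rdp", re.I)),
]

# Constructed sample telemetry: simplified process-creation events (host, image,
# command line). Hostnames and the two benign control events are invented.
SAMPLE_EVENTS = [
    {"host": "pve-mgmt01", "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "pve-mgmt01", "image": r"C:\Windows\system32\reg.exe",
     "cmdline": r'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f'},
    {"host": "pve-mgmt01", "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'''for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"'''},
    {"host": "pve-mgmt01", "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"cmd.exe /c del Default.rdp"},
    # Benign controls: a read-only registry query and a shadow-copy listing.
    {"host": "ws-finance07", "image": r"C:\Windows\system32\reg.exe",
     "cmdline": r'reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"'},
    {"host": "ws-finance07", "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": r"vssadmin.exe list shadows"},
]


def match_rules(cmdline: str) -> list[str]:
    """Return the names of every rule the command line triggers, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def triage(events, threshold: int = 2) -> dict:
    """Group rule hits per host. Two or more distinct techniques on one host in the
    batch is reported as an alert; a single hit is kept as evidence for review."""
    per_host: dict[str, dict] = {}
    for ev in events:
        bucket = per_host.setdefault(ev["host"], {"rules": set(), "evidence": []})
        for rule in match_rules(ev["cmdline"]):
            bucket["rules"].add(rule)
            bucket["evidence"].append((rule, ev["cmdline"]))
    return {
        host: {
            "rules": sorted(bucket["rules"]),
            "evidence": bucket["evidence"],
            "alert": len(bucket["rules"]) >= threshold,
        }
        for host, bucket in per_host.items()
    }


if __name__ == "__main__":
    for host, result in triage(SAMPLE_EVENTS).items():
        flag = "ALERT" if result["alert"] else "ok"
        print(f"{host}: {flag} {result['rules']}")
```

In a real deployment the same rules would sit in the EDR or SIEM query language rather than in Python, and the host-level threshold would be a time window rather than a batch; the logic of counting distinct techniques per host is what keeps the shadow-copy and registry rules from firing on routine administration.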
A company running critical operations on Proxmox virtualization infrastructure fell victim to Rancoz ransomware. With operations completely halted and facing immense business pressure, the organization made the difficult decision to pay the ransom. The threat actors provided a decryption tool, but it failed to function properly.
The organization now faced a catastrophic scenario: financial loss from the ransom payment combined with continued data inaccessibility. Without a functioning decryption capability, total business loss appeared inevitable.
“Threat actors deploy sloppy, vibe-coded ransomware that uses post-quantum, but the backend is often unstable,” explained Hassan Faraz, the ransomware recovery expert who led the recovery effort at Proven Data.
Unlike standard data recovery involving hardware failure or accidental deletion, this case required reverse-engineering software written by cybercriminals, an unprecedented challenge combining forensic expertise, advanced programming knowledge, and cryptographic understanding.
“This wasn’t a typical ransomware recovery case. We essentially had to become the developers for the threat actor’s broken software,” stated Hassan Faraz.
Proven Data’s Digital Forensics and Incident Response (DFIR) team isolated the faulty decryptor in a sandboxed environment. This secure workspace allowed comprehensive analysis without risking the client’s remaining infrastructure or causing additional data corruption. The isolation prevented any potential secondary payloads or malicious code from executing in production systems.
The team methodically reverse-engineered the decryptor application, decompiling the executable and mapping out its flawed logic. This process required expertise in:
- NTRUEncrypt Implementation: Understanding how the post-quantum algorithm was applied and where key management occurred
- ChaCha20-Poly1305 Decryption: Analyzing symmetric cipher implementation and identifying authentication failures
- Multi-threaded Decryption Logic: Examining how the tool handled parallel decryption operations and where thread synchronization failed
- File System Operations: Identifying bugs in file reading, writing, and extension handling
Through detailed debugging, the team identified specific code errors preventing proper decryption. These included improper key handling, thread race conditions, and file pointer management failures, all indicative of hastily written criminal software.
After identifying the critical bugs, the DFIR team corrected the threat actor’s code and compiled a new, functional decryptor. The process involved:
- Fixing key derivation and handling routines
- Correcting multi-threaded decryption synchronization
- Repairing file system operations and extension restoration
- Adding error handling and logging for transparency
Before any production deployment, the team rigorously tested the corrected decryptor on sample encrypted files, validating both efficacy and safety. Multiple test iterations ensured no data corruption would occur during actual restoration.
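The repair and validation steps described above come down to a few properties a decryptor must have: an authentication failure on a file must stop before anything is written, plaintext must never overwrite the encrypted copy in place, the extension must be stripped exactly once, and parallel workers must not share file handles or counters. The script below is an added example, not Proven Data's tooling or the threat actor's code. It uses a constructed stand-in authenticated cipher (an HMAC-SHA256 keystream with an encrypt-then-MAC tag) in place of ChaCha20-Poly1305, and a constructed on-disk layout of nonce, ciphertext, and tag; only the `.rec_rans` extension comes from the article. The `rehearsal()` function is the kind of dry run the testing step calls for: it encrypts two sample files and deliberately corrupts a third, then checks that the good ones are restored and the bad one is refused.

```python
import hashlib
import hmac
import os
import tempfile
from concurrent.futures import ThreadPoolExecutor
from pathlib import Path

ENCRYPTED_EXT = ".rec_rans"   # extension the article reports Rancoz appends
NONCE_LEN, TAG_LEN = 12, 32


# Stand-in authenticated cipher (constructed for this example, NOT ChaCha20-Poly1305).
# It reproduces the one property a decryptor depends on: a wrong key or a
# modified file fails authentication instead of silently yielding garbage.
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + (offset // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def toy_aead_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag                      # constructed file layout


def toy_aead_decrypt(key: bytes, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated file")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # verify BEFORE producing any plaintext
        raise ValueError("authentication failed")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)


def restore_file(enc_path: Path, key: bytes) -> tuple[str, str, str]:
    """Decrypt one file. Returns (status, path, detail). Never overwrites in place."""
    if enc_path.suffix != ENCRYPTED_EXT:
        return ("skipped", str(enc_path), "not an encrypted file")
    original = enc_path.with_suffix("")          # strip .rec_rans only, keep the real extension
    try:
        plaintext = toy_aead_decrypt(key, enc_path.read_bytes())
    except ValueError as exc:
        return ("auth_failed", str(enc_path), str(exc))   # encrypted file left untouched
    tmp = original.with_name(original.name + ".restore-tmp")
    with open(tmp, "wb") as fh:                  # fresh handle per file: no shared file pointer
        fh.write(plaintext)
        fh.flush()
        os.fsync(fh.fileno())
    os.replace(tmp, original)                    # atomic publish of verified plaintext
    return ("restored", str(original), "")


def restore_tree(root: Path, key: bytes, workers: int = 4) -> dict:
    """Restore every .rec_rans file under root in parallel. Each task owns its own
    handles and returns a value; tallies happen in the caller's thread, so there is
    no shared mutable state for the workers to race on."""
    targets = sorted(p for p in root.rglob("*" + ENCRYPTED_EXT) if p.is_file())
    summary = {"restored": 0, "auth_failed": 0, "skipped": 0, "failures": []}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for status, path, detail in pool.map(lambda p: restore_file(p, key), targets):
            summary[status] += 1
            if status == "auth_failed":
                summary["failures"].append((path, detail))
    return summary


def rehearsal(key: bytes = b"constructed-demo-key") -> dict:
    """Dry run on constructed samples: two intact files plus one corrupted file."""
    root = Path(tempfile.mkdtemp(prefix="rancoz-rehearsal-"))
    samples = {"vm-101.qcow2": b"A" * 70, "notes.txt": b"quarterly numbers"}
    for i, (name, content) in enumerate(samples.items()):
        nonce = i.to_bytes(NONCE_LEN, "big")     # constructed, unique per file
        (root / (name + ENCRYPTED_EXT)).write_bytes(toy_aead_encrypt(key, nonce, content))
    # Corrupt a third file: the decryptor must refuse it, not write garbage.
    bad = bytearray(toy_aead_encrypt(key, b"\x09" * NONCE_LEN, b"config"))
    bad[NONCE_LEN] ^= 0x01
    (root / ("config.json" + ENCRYPTED_EXT)).write_bytes(bytes(bad))
    summary = restore_tree(root, key)
    summary["root"] = str(root)
    summary["restored_contents"] = {n: (root / n).read_bytes() for n in samples}
    summary["tampered_restored"] = (root / "config.json").exists()
    return summary


if __name__ == "__main__":
    print(rehearsal())
```

Keeping the encrypted original until the plaintext has been verified and atomically renamed is what makes the run repeatable: a worker that dies mid-write leaves at most a `.restore-tmp` file, never a half-written original, and the refused files are listed in the summary for follow-up rather than silently skipped.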
Once validated, the corrected decryptor was deployed across the client’s Proxmox environment. The team carefully managed the entire restoration process, monitoring for anomalies and verifying data integrity at each stage.
The restoration proceeded methodically through each virtual machine, with continuous validation ensuring completeness and accuracy. The team maintained constant communication with the client, providing progress updates and addressing concerns in real-time.
By correcting the threat actors’ own coding mistakes, the DFIR team transformed a complete disaster into full business recovery.
- 100% data recovery across all encrypted systems
- Zero data loss from the failed decryptor incident
- Minimal additional downtime during the custom recovery process
- Complete business continuity restoration, allowing normal operations to resume
- Preserved data integrity across all virtual machines and containers
This case represents one of the first documented instances of successfully repairing and deploying a faulty post-quantum ransomware decryption tool.
- Implement Immutable Backups: Ensure backup data cannot be altered or deleted for a defined retention period. Store backups offline or in cloud services with object lock enabled. Rancoz specifically targets backup systems, making immutability critical.
- Network Segmentation: Isolate virtualization hosts from general network access. Implement strict access controls and require multi-factor authentication for all administrative access to Proxmox, VMware, or other virtualization platforms.
- Endpoint Detection and Response (EDR): Deploy EDR solutions capable of detecting ransomware behaviors, including mass file encryption, shadow copy deletion, and registry modifications. Configure EDR to automatically quarantine suspicious executables.
- Regular Security Assessments: Conduct penetration testing specifically targeting virtualization infrastructure. Identify and remediate vulnerabilities before attackers exploit them.
- Incident Response Planning: Document exact procedures, decision-makers, and expert contacts for rapid response. Include specialized digital forensics teams capable of handling complex scenarios beyond standard incident response.
- Employee Training: Since many ransomware attacks begin with phishing, ensure staff can identify and report suspicious emails, attachments, and links.
NTRUEncrypt provides legitimate security benefits when properly implemented. The algorithm’s resistance to both classical and quantum attacks makes it suitable for long-term data protection. However, in ransomware applications, this same strength becomes a liability for victims.
The mathematical complexity of NTRUEncrypt creates a perception of impossibility. Victims believe recovery without the key is fundamentally impossible. While the encryption itself is robust, the implementation by criminal actors often contains flaws.
As quantum computing advances and post-quantum cryptography becomes standardized, ransomware will increasingly incorporate these algorithms.
Organizations must prepare now by:
- Building crypto-agility into security infrastructure
- Developing relationships with experts who understand advanced cryptographic implementations
- Implementing defense-in-depth strategies that prevent initial compromise
- Maintaining immutable backups that remain accessible regardless of encryption sophistication
Post-quantum ransomware refers to ransomware that uses post-quantum cryptography. These are new encryption algorithms designed to be secure even against an attack from a future, powerful quantum computer.
While ransomware using true PQC is not yet common, the cryptographic landscape is preparing for this shift. The immediate threat isn’t that a quantum computer will hack you tomorrow, but that attackers may begin using these advanced encryption methods, making recovery without a key even more difficult. The best defense remains a robust, multi-layered security strategy, as a strong backup plan is effective regardless of the encryption type.
Proxmox Virtual Environment (VE) is a powerful, open-source platform for managing virtual machines (VMs) and containers. Attackers target it because of its efficiency; by compromising a single Proxmox host server, they can simultaneously encrypt the virtual disks of dozens or even hundreds of guest VMs. This maximizes their impact and creates immense pressure on the organization to pay the ransom, as it cripples multiple systems at once.
Backups do not always protect you. Attackers are well aware of standard backup configurations and actively target them. If your Proxmox Backup Server or backup storage is accessible from the compromised Proxmox host, the attackers will encrypt or delete your backups before encrypting your VMs.
To be effective, your backup strategy must include immutability (backups cannot be altered or deleted for a set period) or an air-gapped/offline copy. This ensures you have a clean, untouchable version of your data for recovery.
In many cases, encrypted data can still be recovered. Proven Data uses multiple ransomware decryption and recovery methods, including exploiting encryption vulnerabilities, data reconstruction techniques, and forensic file carving. Our success depends on factors like the ransomware variant, backup availability, and how quickly we’re contacted after the attack.
While quantum computers capable of breaking current encryption aren’t widely available yet, the “harvest now, decrypt later” strategy is a real threat. Attackers can steal your encrypted Proxmox data today and wait until a quantum computer is available to decrypt it. The best preparation is to focus on prevention and crypto-agility.
- Strengthen Foundational Security: The security measures, like MFA, network segmentation, and immutable backups, are your best defense, as they prevent the initial breach regardless of the encryption type used.
- Develop an Incident Response Plan: Know exactly who to call and what steps to take the moment an attack is detected to minimize damage.
- Stay Informed: Monitor developments in PQC and be prepared to adopt new, quantum-resistant security standards as they become available for infrastructure like VPNs and data-at-rest encryption.