SYMBOLCOMMON_NAMEaka. SYNONYMS
win.thunderx (Back to overview)

ThunderX

aka: Ranzy Locker

Ransomware.

References
2022-01-19MandiantAdrian Sanchez Hernandez, Paul Tarter, Ervin James Ocampo
@online{hernandez:20220119:one:b4b3bf7, author = {Adrian Sanchez Hernandez and Paul Tarter and Ervin James Ocampo}, title = {{One Source to Rule Them All: Chasing AVADDON Ransomware}}, date = {2022-01-19}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/chasing-avaddon-ransomware}, language = {English}, urldate = {2022-01-24} } One Source to Rule Them All: Chasing AVADDON Ransomware
BlackMatter Avaddon BlackMatter MedusaLocker SystemBC ThunderX
2021-10-28PICUS SecuritySüleyman Özarslan
@online{zarslan:20211028:detailed:641820b, author = {Süleyman Özarslan}, title = {{A Detailed Walkthrough of Ranzy Locker Ransomware TTPs}}, date = {2021-10-28}, organization = {PICUS Security}, url = {https://www.picussecurity.com/resource/blog/a-detailed-walkthrough-of-ranzy-locker-ransomware-ttps}, language = {English}, urldate = {2021-11-03} } A Detailed Walkthrough of Ranzy Locker Ransomware TTPs
ThunderX
2021-10-25FBIFBI
@techreport{fbi:20211025:cu000153mw:f4b0c29, author = {FBI}, title = {{CU-000153-MW: Indicators of Compromise Associated with Ranzy Locker Ransomware}}, date = {2021-10-25}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/211026.pdf}, language = {English}, urldate = {2021-11-03} } CU-000153-MW: Indicators of Compromise Associated with Ranzy Locker Ransomware
ThunderX
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-06Cyborg SecurityBrandon Denker
@online{denker:20210506:ransomware:a1f31df, author = {Brandon Denker}, title = {{Ransomware: Hunting for Inhibiting System Backup or Recovery}}, date = {2021-05-06}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/}, language = {English}, urldate = {2021-05-08} } Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2020-11-18SentinelOneJim Walter
@online{walter:20201118:ranzy:b1f443f, author = {Jim Walter}, title = {{Ranzy Ransomware | Better Encryption Among New Features of ThunderX Derivative}}, date = {2020-11-18}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/}, language = {English}, urldate = {2020-11-19} } Ranzy Ransomware | Better Encryption Among New Features of ThunderX Derivative
ThunderX
2020-11-16Intel 471Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-10-16Bleeping ComputerLawrence Abrams
@online{abrams:20201016:thunderx:7e8ece8, author = {Lawrence Abrams}, title = {{ThunderX Ransomware rebrands as Ranzy Locker, adds data leak site}}, date = {2020-10-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/thunderx-ransomware-rebrands-as-ranzy-locker-adds-data-leak-site/}, language = {English}, urldate = {2020-10-23} } ThunderX Ransomware rebrands as Ranzy Locker, adds data leak site
ThunderX
2020-08-18ID RansomwareAndrew Ivanov
@online{ivanov:20200818:thunderx:0d8f847, author = {Andrew Ivanov}, title = {{ThunderX Ransomware}}, date = {2020-08-18}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/08/thunderx-ransomware.html}, language = {English}, urldate = {2020-09-15} } ThunderX Ransomware
ThunderX
Yara Rules
[TLP:WHITE] win_thunderx_auto (20230407 | Detects win.thunderx.)
rule win_thunderx_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.thunderx."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunderx"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 395710 7507 32c0 e9???????? 837f1410 8bc7 8955fc }
            // n = 7, score = 200
            //   395710               | cmp                 dword ptr [edi + 0x10], edx
            //   7507                 | jne                 9
            //   32c0                 | xor                 al, al
            //   e9????????           |                     
            //   837f1410             | cmp                 dword ptr [edi + 0x14], 0x10
            //   8bc7                 | mov                 eax, edi
            //   8955fc               | mov                 dword ptr [ebp - 4], edx

        $sequence_1 = { 8b550c 8d045a 3bc1 7617 }
            // n = 4, score = 200
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   8d045a               | lea                 eax, [edx + ebx*2]
            //   3bc1                 | cmp                 eax, ecx
            //   7617                 | jbe                 0x19

        $sequence_2 = { 897318 8d7b1c 33c0 ab 53 6a01 }
            // n = 6, score = 200
            //   897318               | mov                 dword ptr [ebx + 0x18], esi
            //   8d7b1c               | lea                 edi, [ebx + 0x1c]
            //   33c0                 | xor                 eax, eax
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   53                   | push                ebx
            //   6a01                 | push                1

        $sequence_3 = { 83e4f8 81ec14010000 a1???????? 33c4 89842410010000 8b4510 89442408 }
            // n = 7, score = 200
            //   83e4f8               | and                 esp, 0xfffffff8
            //   81ec14010000         | sub                 esp, 0x114
            //   a1????????           |                     
            //   33c4                 | xor                 eax, esp
            //   89842410010000       | mov                 dword ptr [esp + 0x110], eax
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   89442408             | mov                 dword ptr [esp + 8], eax

        $sequence_4 = { 8b4048 f00fc118 4b 7515 8b4510 81784820014200 7409 }
            // n = 7, score = 200
            //   8b4048               | mov                 eax, dword ptr [eax + 0x48]
            //   f00fc118             | lock xadd           dword ptr [eax], ebx
            //   4b                   | dec                 ebx
            //   7515                 | jne                 0x17
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   81784820014200       | cmp                 dword ptr [eax + 0x48], 0x420120
            //   7409                 | je                  0xb

        $sequence_5 = { 8d4dd8 7407 e8???????? eb50 e8???????? 6a30 8bf0 }
            // n = 7, score = 200
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   7407                 | je                  9
            //   e8????????           |                     
            //   eb50                 | jmp                 0x52
            //   e8????????           |                     
            //   6a30                 | push                0x30
            //   8bf0                 | mov                 esi, eax

        $sequence_6 = { 5b 5f 5d c20800 6a38 b8???????? e8???????? }
            // n = 7, score = 200
            //   5b                   | pop                 ebx
            //   5f                   | pop                 edi
            //   5d                   | pop                 ebp
            //   c20800               | ret                 8
            //   6a38                 | push                0x38
            //   b8????????           |                     
            //   e8????????           |                     

        $sequence_7 = { a1???????? 83c0e4 83781408 7202 8b00 53 }
            // n = 6, score = 200
            //   a1????????           |                     
            //   83c0e4               | add                 eax, -0x1c
            //   83781408             | cmp                 dword ptr [eax + 0x14], 8
            //   7202                 | jb                  4
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   53                   | push                ebx

        $sequence_8 = { 55 8bec 8bd1 8b4d08 57 8b4214 8b7a10 }
            // n = 7, score = 200
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8bd1                 | mov                 edx, ecx
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   57                   | push                edi
            //   8b4214               | mov                 eax, dword ptr [edx + 0x14]
            //   8b7a10               | mov                 edi, dword ptr [edx + 0x10]

        $sequence_9 = { 8d7608 660fd60f 8d7f08 8b048dc49f4000 ffe0 f7c703000000 }
            // n = 6, score = 200
            //   8d7608               | lea                 esi, [esi + 8]
            //   660fd60f             | movq                qword ptr [edi], xmm1
            //   8d7f08               | lea                 edi, [edi + 8]
            //   8b048dc49f4000       | mov                 eax, dword ptr [ecx*4 + 0x409fc4]
            //   ffe0                 | jmp                 eax
            //   f7c703000000         | test                edi, 3

    condition:
        7 of them and filesize < 319488
}
[TLP:WHITE] win_thunderx_w0   (20200915 | Rule to dettect tthe ThunderX ransomware family)
import "pe"

rule win_thunderx_w0 {
   meta:
      description = "Rule to dettect tthe ThunderX ransomware family"
      author = "Christiaan Beek @ McAfee ATR team"
      date = "2020-09-14"
      rule_version = "v1"
      malware_type = "ransomware"
      malware_family = "Ransomware:W32/ThunderX"
      actor_type = "Cybercrime"
      actor_group = "Unknown"
      hash1 = "7bab5dedef124803668580a59b6bf3c53cc31150d19591567397bbc131b9ccb6"
      hash2 = "0fbfdb8340108fafaca4c5ff4d3c9f9a2296efeb9ae89fcd9210e3d4c7239666"
      hash3 = "7527459500109b3bb48665236c5c5cb2ec71ba789867ad2b6417b38b9a46615e"
      source = "https://github.com/advanced-threat-research/Yara-Rules/blob/master/ransomware/Ransom_ThunderX.yar"
      malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunderx"
      malpedia_rule_date = "20200915"
      malpedia_hash = ""
      malpedia_version = "20200915"
      malpedia_license = "CC BY-SA 4.0"
      malpedia_sharing = "TLP:WHITE"

   strings:
   
      $pattern1 = "626364656469742E657865202F736574207B64656661756C747D20626F6F74737461747573706F6C6963792069676E6F7265616C6C6661696C75726573" 
     
      $s3 = "776261646D696E2044454C4554452053595354454D53544154454241434B5550202D64656C6574654F6C64657374" ascii
      $s4 = "626364656469742E657865202F736574207B64656661756C747D207265636F76657279656E61626C6564204E6F" ascii 
      $s5 = "776261646D696E2044454C4554452053595354454D53544154454241434B5550" ascii 
      $s6 = "433A5C50726F6772616D2046696C65732028783836295C4D6963726F736F66742053514C20536572766572" ascii 
      $s7 = "476C6F62616C5C33353335354641352D303745392D343238422D423541352D314338384341423242343838" ascii 
      $s8 = "433A5C50726F6772616D2046696C65735C4D6963726F736F66742053514C20536572766572" ascii 
      $s9 = "76737361646D696E2E6578652044656C65746520536861646F7773202F416C6C202F5175696574" ascii 
      $s10 = "776D69632E65786520534841444F57434F5059202F6E6F696E746572616374697665" ascii 
      $s11 = "534F4654574152455C4D6963726F736F66745C45524944" ascii 
      $s12 = "AppPolicyGetProcessTerminationMethod" fullword ascii
      $s13 = "7B5041545445524E5F49447D" ascii 
      $s14 = "726561646D652E747874" ascii 
      $s15 = "226E6574776F726B223A22" ascii 
      $s16 = "227375626964223A22" ascii 
      $s17 = "226C616E67223A22" ascii 
      $s18 = "22657874223A22" ascii 
      $s19 = "69642E6B6579" ascii 
      $s20 = "7B5549447D" ascii 

      $seq0 = { eb 34 66 0f 12 0d 10 c4 41 00 f2 0f 59 c1 ba cc }
      $seq1 = { 6a 07 50 e8 51 ff ff ff 8d 86 d0 }
      $seq2 = { ff 15 34 81 41 00 eb 15 83 f8 fc 75 10 8b 45 f4 }
   condition:
      ( uint16(0) == 0x5a4d and filesize < 400KB and pe.imphash() == "ea7e408cd2a264fd13492973e97d8d70" and $pattern1 and 4 of them ) and all of ($seq*) or ( all of them )
}
Download all Yara Rules