win.thunderx

ThunderX

aka: Ranzy Locker

Ransomware. ThunderX is a Windows ransomware family first documented in August 2020; in October 2020 it was rebranded as Ranzy Locker and gained a data leak site (see the Bleeping Computer and SentinelOne references below).

References
2022-01-19MandiantAdrian Sanchez Hernandez, Paul Tarter, Ervin James Ocampo
@online{hernandez:20220119:one:b4b3bf7, author = {Adrian Sanchez Hernandez and Paul Tarter and Ervin James Ocampo}, title = {{One Source to Rule Them All: Chasing AVADDON Ransomware}}, date = {2022-01-19}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/chasing-avaddon-ransomware}, language = {English}, urldate = {2022-01-24} } One Source to Rule Them All: Chasing AVADDON Ransomware
BlackMatter Avaddon BlackMatter MedusaLocker SystemBC ThunderX
2021-10-28PICUS SecuritySüleyman Özarslan
@online{zarslan:20211028:detailed:641820b, author = {Süleyman Özarslan}, title = {{A Detailed Walkthrough of Ranzy Locker Ransomware TTPs}}, date = {2021-10-28}, organization = {PICUS Security}, url = {https://www.picussecurity.com/resource/blog/a-detailed-walkthrough-of-ranzy-locker-ransomware-ttps}, language = {English}, urldate = {2021-11-03} } A Detailed Walkthrough of Ranzy Locker Ransomware TTPs
ThunderX
2021-10-25FBIFBI
@techreport{fbi:20211025:cu000153mw:f4b0c29, author = {FBI}, title = {{CU-000153-MW: Indicators of Compromise Associated with Ranzy Locker Ransomware}}, date = {2021-10-25}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/211026.pdf}, language = {English}, urldate = {2021-11-03} } CU-000153-MW: Indicators of Compromise Associated with Ranzy Locker Ransomware
ThunderX
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-06Cyborg SecurityBrandon Denker
@online{denker:20210506:ransomware:a1f31df, author = {Brandon Denker}, title = {{Ransomware: Hunting for Inhibiting System Backup or Recovery}}, date = {2021-05-06}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/}, language = {English}, urldate = {2021-05-08} } Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2020-11-18SentinelOneJim Walter
@online{walter:20201118:ranzy:b1f443f, author = {Jim Walter}, title = {{Ranzy Ransomware | Better Encryption Among New Features of ThunderX Derivative}}, date = {2020-11-18}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/}, language = {English}, urldate = {2020-11-19} } Ranzy Ransomware | Better Encryption Among New Features of ThunderX Derivative
ThunderX
2020-11-16Intel 471Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-10-16Bleeping ComputerLawrence Abrams
@online{abrams:20201016:thunderx:7e8ece8, author = {Lawrence Abrams}, title = {{ThunderX Ransomware rebrands as Ranzy Locker, adds data leak site}}, date = {2020-10-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/thunderx-ransomware-rebrands-as-ranzy-locker-adds-data-leak-site/}, language = {English}, urldate = {2020-10-23} } ThunderX Ransomware rebrands as Ranzy Locker, adds data leak site
ThunderX
2020-08-18ID RansomwareAndrew Ivanov
@online{ivanov:20200818:thunderx:0d8f847, author = {Andrew Ivanov}, title = {{ThunderX Ransomware}}, date = {2020-08-18}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/08/thunderx-ransomware.html}, language = {English}, urldate = {2020-09-15} } ThunderX Ransomware
ThunderX
Yara Rules
[TLP:WHITE] win_thunderx_auto (20230715 | Detects win.thunderx.)
rule win_thunderx_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.thunderx."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunderx"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes
     * - Each $sequence_N is an exact x86 byte pattern. The "??" bytes are
     *   wildcarded operand fields (call/jmp targets, immediates, absolute
     *   data addresses) that differ between builds; the disassembly
     *   comments leave those instructions blank for that reason.
     * - "score" comes from the generator; its scale is not documented on
     *   this page, so do not read it as a confidence percentage.
     * - Because the sequences were taken from unpacked/dumped code (see
     *   disclaimer), expect matches on unpacked or in-memory samples rather
     *   than on packed droppers as found on disk.
     */

    strings:
        $sequence_0 = { b9???????? 83f801 0f45ca 51 8d8d30ffffff e8???????? }
            // n = 6, score = 200
            //   b9????????           |                     
            //   83f801               | cmp                 eax, 1
            //   0f45ca               | cmovne              ecx, edx
            //   51                   | push                ecx
            //   8d8d30ffffff         | lea                 ecx, [ebp - 0xd0]
            //   e8????????           |                     

        $sequence_1 = { 0f847b010000 8d442410 895c2410 50 56 895c241c ff15???????? }
            // n = 7, score = 200
            //   0f847b010000         | je                  0x181
            //   8d442410             | lea                 eax, [esp + 0x10]
            //   895c2410             | mov                 dword ptr [esp + 0x10], ebx
            //   50                   | push                eax
            //   56                   | push                esi
            //   895c241c             | mov                 dword ptr [esp + 0x1c], ebx
            //   ff15????????         |                     

        $sequence_2 = { 57 53 56 897e10 e8???????? 83c40c 881c37 }
            // n = 7, score = 200
            //   57                   | push                edi
            //   53                   | push                ebx
            //   56                   | push                esi
            //   897e10               | mov                 dword ptr [esi + 0x10], edi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   881c37               | mov                 byte ptr [edi + esi], bl

        $sequence_3 = { 68???????? 8d4dd4 e8???????? c645fc01 3b75e4 7713 }
            // n = 6, score = 200
            //   68????????           |                     
            //   8d4dd4               | lea                 ecx, [ebp - 0x2c]
            //   e8????????           |                     
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1
            //   3b75e4               | cmp                 esi, dword ptr [ebp - 0x1c]
            //   7713                 | ja                  0x15

        $sequence_4 = { f7f9 8bce 6bd01c e8???????? 8b45fc 6bcb1c 893d???????? }
            // n = 7, score = 200
            //   f7f9                 | idiv                ecx
            //   8bce                 | mov                 ecx, esi
            //   6bd01c               | imul                edx, eax, 0x1c
            //   e8????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   6bcb1c               | imul                ecx, ebx, 0x1c
            //   893d????????         |                     

        $sequence_5 = { ff35???????? ff15???????? 8b75ec 85f6 74d3 85c0 74cf }
            // n = 7, score = 200
            //   ff35????????         |                     
            //   ff15????????         |                     
            //   8b75ec               | mov                 esi, dword ptr [ebp - 0x14]
            //   85f6                 | test                esi, esi
            //   74d3                 | je                  0xffffffd5
            //   85c0                 | test                eax, eax
            //   74cf                 | je                  0xffffffd1

        $sequence_6 = { be???????? c645fc07 56 8bd0 8d8d18ffffff e8???????? 59 }
            // n = 7, score = 200
            //   be????????           |                     
            //   c645fc07             | mov                 byte ptr [ebp - 4], 7
            //   56                   | push                esi
            //   8bd0                 | mov                 edx, eax
            //   8d8d18ffffff         | lea                 ecx, [ebp - 0xe8]
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_7 = { 85c0 7412 8b7d98 8b459c eb10 8d4de4 e8???????? }
            // n = 7, score = 200
            //   85c0                 | test                eax, eax
            //   7412                 | je                  0x14
            //   8b7d98               | mov                 edi, dword ptr [ebp - 0x68]
            //   8b459c               | mov                 eax, dword ptr [ebp - 0x64]
            //   eb10                 | jmp                 0x12
            //   8d4de4               | lea                 ecx, [ebp - 0x1c]
            //   e8????????           |                     

        $sequence_8 = { 8b442424 81c70000a000 13c3 89442424 3b442414 0f8c49ffffff }
            // n = 6, score = 200
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]
            //   81c70000a000         | add                 edi, 0xa00000
            //   13c3                 | adc                 eax, ebx
            //   89442424             | mov                 dword ptr [esp + 0x24], eax
            //   3b442414             | cmp                 eax, dword ptr [esp + 0x14]
            //   0f8c49ffffff         | jl                  0xffffff4f

        $sequence_9 = { b8???????? e8???????? 803d????????00 7478 33ff 897dfc }
            // n = 6, score = 200
            //   b8????????           |                     
            //   e8????????           |                     
            //   803d????????00       |                     
            //   7478                 | je                  0x7a
            //   33ff                 | xor                 edi, edi
            //   897dfc               | mov                 dword ptr [ebp - 4], edi

    condition:
        // Any 7 of the 10 sequences, in a file under 319488 bytes (312 KiB).
        // A dump or unpacked image larger than that will not match even if
        // every sequence is present; relax the size cap for memory scans.
        7 of them and filesize < 319488
}
[TLP:WHITE] win_thunderx_w0   (20200915 | Rule to detect the ThunderX ransomware family)
import "pe"

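rule win_thunderx_w0 {
   meta:
      description = "Rule to detect the ThunderX ransomware family"
      author = "Christiaan Beek @ McAfee ATR team"
      date = "2020-09-14"
      rule_version = "v1"
      malware_type = "ransomware"
      malware_family = "Ransomware:W32/ThunderX"
      actor_type = "Cybercrime"
      actor_group = "Unknown"
      hash1 = "7bab5dedef124803668580a59b6bf3c53cc31150d19591567397bbc131b9ccb6"
      hash2 = "0fbfdb8340108fafaca4c5ff4d3c9f9a2296efeb9ae89fcd9210e3d4c7239666"
      hash3 = "7527459500109b3bb48665236c5c5cb2ec71ba789867ad2b6417b38b9a46615e"
      source = "https://github.com/advanced-threat-research/Yara-Rules/blob/master/ransomware/Ransom_ThunderX.yar"
      malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunderx"
      malpedia_rule_date = "20200915"
      malpedia_hash = ""
      malpedia_version = "20200915"
      malpedia_license = "CC BY-SA 4.0"
      malpedia_sharing = "TLP:WHITE"

   strings:
      /* The text strings below are matched literally as the hex-encoded ASCII
       * form in which the sample carries them; the decoded value is given in
       * the trailing comment. Most are backup/recovery-inhibition commands
       * (bcdedit, wbadmin, vssadmin, wmic) plus config/marker strings. */
      $pattern1 = "626364656469742E657865202F736574207B64656661756C747D20626F6F74737461747573706F6C6963792069676E6F7265616C6C6661696C75726573" ascii   // "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"

      $s3 = "776261646D696E2044454C4554452053595354454D53544154454241434B5550202D64656C6574654F6C64657374" ascii   // "wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest"
      $s4 = "626364656469742E657865202F736574207B64656661756C747D207265636F76657279656E61626C6564204E6F" ascii    // "bcdedit.exe /set {default} recoveryenabled No"
      $s5 = "776261646D696E2044454C4554452053595354454D53544154454241434B5550" ascii                                 // "wbadmin DELETE SYSTEMSTATEBACKUP" (prefix of $s3, so both fire together)
      $s6 = "433A5C50726F6772616D2046696C65732028783836295C4D6963726F736F66742053514C20536572766572" ascii           // "C:\Program Files (x86)\Microsoft SQL Server"
      $s7 = "476C6F62616C5C33353335354641352D303745392D343238422D423541352D314338384341423242343838" ascii           // "Global\35355FA5-07E9-428B-B5A5-1C88CAB2B488" (global kernel object name, likely a mutex)
      $s8 = "433A5C50726F6772616D2046696C65735C4D6963726F736F66742053514C20536572766572" ascii                       // "C:\Program Files\Microsoft SQL Server"
      $s9 = "76737361646D696E2E6578652044656C65746520536861646F7773202F416C6C202F5175696574" ascii                   // "vssadmin.exe Delete Shadows /All /Quiet"
      $s10 = "776D69632E65786520534841444F57434F5059202F6E6F696E746572616374697665" ascii                             // "wmic.exe SHADOWCOPY /nointeractive"
      $s11 = "534F4654574152455C4D6963726F736F66745C45524944" ascii                                                   // "SOFTWARE\Microsoft\ERID" (registry path)
      $s12 = "AppPolicyGetProcessTerminationMethod" fullword ascii                                                     // plain import name, not hex-encoded
      $s13 = "7B5041545445524E5F49447D" ascii                                                                         // "{PATTERN_ID}"
      $s14 = "726561646D652E747874" ascii                                                                             // "readme.txt"
      $s15 = "226E6574776F726B223A22" ascii                                                                           // "\"network\":\""  (JSON config keys follow)
      $s16 = "227375626964223A22" ascii                                                                               // "\"subid\":\""
      $s17 = "226C616E67223A22" ascii                                                                                 // "\"lang\":\""
      $s18 = "22657874223A22" ascii                                                                                   // "\"ext\":\""
      $s19 = "69642E6B6579" ascii                                                                                     // "id.key"
      $s20 = "7B5549447D" ascii                                                                                       // "{UID}"

      /* Opcode sequences. $seq0 (66 0f 12 0d <addr>) and $seq2 (ff 15 <addr>)
       * embed what appear to be absolute 32-bit addresses (0x0041c410 and
       * 0x00418134), so they are tied to one build/image base; rebased or
       * recompiled variants will need these bytes wildcarded. */
      $seq0 = { eb 34 66 0f 12 0d 10 c4 41 00 f2 0f 59 c1 ba cc }
      $seq1 = { 6a 07 50 e8 51 ff ff ff 8d 86 d0 }
      $seq2 = { ff 15 34 81 41 00 eb 15 83 f8 fc 75 10 8b 45 f4 }
   condition:
      /* YARA binds "and" tighter than "or"; the grouping below makes the two
       * alternatives explicit (same evaluation as the original expression):
       *   1. a small PE with the known imphash, the bcdedit string, any 4
       *      strings overall and all three opcode sequences, or
       *   2. every string in the rule — this branch is deliberately not
       *      gated by the MZ/filesize/imphash checks so that a rebuilt or
       *      repacked sample whose imphash changed can still match. */
      (
         uint16(0) == 0x5a4d and filesize < 400KB
         and pe.imphash() == "ea7e408cd2a264fd13492973e97d8d70"
         and $pattern1 and 4 of them
         and all of ($seq*)
      )
      or all of them
}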