win.thunderx

ThunderX

aka: Ranzy Locker

Ransomware. Documented publicly from August 2020; in October 2020 the operators rebranded it as Ranzy Locker and added a data leak site (see references below).

References
2022-01-19 — Mandiant — Adrian Sanchez Hernandez, Paul Tarter, Ervin James Ocampo
@online{hernandez:20220119:one:b4b3bf7, author = {Adrian Sanchez Hernandez and Paul Tarter and Ervin James Ocampo}, title = {{One Source to Rule Them All: Chasing AVADDON Ransomware}}, date = {2022-01-19}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/chasing-avaddon-ransomware}, language = {English}, urldate = {2022-01-24} } One Source to Rule Them All: Chasing AVADDON Ransomware
BlackMatter Avaddon BlackMatter MedusaLocker SystemBC ThunderX
2021-10-28 — PICUS Security — Süleyman Özarslan
@online{zarslan:20211028:detailed:641820b, author = {Süleyman Özarslan}, title = {{A Detailed Walkthrough of Ranzy Locker Ransomware TTPs}}, date = {2021-10-28}, organization = {PICUS Security}, url = {https://www.picussecurity.com/resource/blog/a-detailed-walkthrough-of-ranzy-locker-ransomware-ttps}, language = {English}, urldate = {2021-11-03} } A Detailed Walkthrough of Ranzy Locker Ransomware TTPs
ThunderX
2021-10-25 — FBI — FBI
@techreport{fbi:20211025:cu000153mw:f4b0c29, author = {FBI}, title = {{CU-000153-MW: Indicators of Compromise Associated with Ranzy Locker Ransomware}}, date = {2021-10-25}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/211026.pdf}, language = {English}, urldate = {2021-11-03} } CU-000153-MW: Indicators of Compromise Associated with Ranzy Locker Ransomware
ThunderX
2021-05-10 — DarkTracer — DarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-06 — Cyborg Security — Brandon Denker
@online{denker:20210506:ransomware:a1f31df, author = {Brandon Denker}, title = {{Ransomware: Hunting for Inhibiting System Backup or Recovery}}, date = {2021-05-06}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/}, language = {English}, urldate = {2021-05-08} } Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2020-11-18 — SentinelOne — Jim Walter
@online{walter:20201118:ranzy:b1f443f, author = {Jim Walter}, title = {{Ranzy Ransomware | Better Encryption Among New Features of ThunderX Derivative}}, date = {2020-11-18}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/}, language = {English}, urldate = {2020-11-19} } Ranzy Ransomware | Better Encryption Among New Features of ThunderX Derivative
ThunderX
2020-11-16 — Intel 471 — Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-10-16 — Bleeping Computer — Lawrence Abrams
@online{abrams:20201016:thunderx:7e8ece8, author = {Lawrence Abrams}, title = {{ThunderX Ransomware rebrands as Ranzy Locker, adds data leak site}}, date = {2020-10-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/thunderx-ransomware-rebrands-as-ranzy-locker-adds-data-leak-site/}, language = {English}, urldate = {2020-10-23} } ThunderX Ransomware rebrands as Ranzy Locker, adds data leak site
ThunderX
2020-08-18 — ID Ransomware — Andrew Ivanov
@online{ivanov:20200818:thunderx:0d8f847, author = {Andrew Ivanov}, title = {{ThunderX Ransomware}}, date = {2020-08-18}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/08/thunderx-ransomware.html}, language = {English}, urldate = {2020-09-15} } ThunderX Ransomware
ThunderX
Yara Rules
[TLP:WHITE] win_thunderx_auto (20220808 | Detects win.thunderx.)
// Auto-generated code-sequence rule for win.thunderx (ThunderX / Ranzy Locker).
// Each $sequence_N is a run of x86 instruction bytes lifted from a single
// unpacked sample; "??" wildcards mask the relative targets of call/jmp and
// absolute operands of indirect calls so the sequences survive relinking.
rule win_thunderx_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.thunderx."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunderx"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Sequences reference absolute addresses in the 0x0042xxxx range
        // (e.g. 0x420120, 0x421b70): they come from one build's image base
        // and may not match a relocated or recompiled sample.
        $sequence_0 = { 8b4510 81784820014200 7409 ff7048 e8???????? 59 c70701000000 }
            // n = 7, score = 200
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   81784820014200       | cmp                 dword ptr [eax + 0x48], 0x420120
            //   7409                 | je                  0xb
            //   ff7048               | push                dword ptr [eax + 0x48]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   c70701000000         | mov                 dword ptr [edi], 1

        $sequence_1 = { 8d8ddcfdffff e8???????? 33ff 8d4d94 c645fc02 e8???????? }
            // n = 6, score = 200
            //   8d8ddcfdffff         | lea                 ecx, [ebp - 0x224]
            //   e8????????           |                     
            //   33ff                 | xor                 edi, edi
            //   8d4d94               | lea                 ecx, [ebp - 0x6c]
            //   c645fc02             | mov                 byte ptr [ebp - 4], 2
            //   e8????????           |                     

        $sequence_2 = { 894508 8a02 42 88443dec 47 8a6dee 8a4dec }
            // n = 7, score = 200
            //   894508               | mov                 dword ptr [ebp + 8], eax
            //   8a02                 | mov                 al, byte ptr [edx]
            //   42                   | inc                 edx
            //   88443dec             | mov                 byte ptr [ebp + edi - 0x14], al
            //   47                   | inc                 edi
            //   8a6dee               | mov                 ch, byte ptr [ebp - 0x12]
            //   8a4dec               | mov                 cl, byte ptr [ebp - 0x14]

        $sequence_3 = { 83e03f c1f906 6bc038 03048d701b4200 50 ff15???????? 5d }
            // n = 7, score = 200
            //   83e03f               | and                 eax, 0x3f
            //   c1f906               | sar                 ecx, 6
            //   6bc038               | imul                eax, eax, 0x38
            //   03048d701b4200       | add                 eax, dword ptr [ecx*4 + 0x421b70]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   5d                   | pop                 ebp

        $sequence_4 = { 33db 8ac3 e8???????? c3 55 8bec }
            // n = 6, score = 200
            //   33db                 | xor                 ebx, ebx
            //   8ac3                 | mov                 al, bl
            //   e8????????           |                     
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp

        $sequence_5 = { c20400 8b09 85c9 0f8501000000 c3 55 }
            // n = 6, score = 200
            //   c20400               | ret                 4
            //   8b09                 | mov                 ecx, dword ptr [ecx]
            //   85c9                 | test                ecx, ecx
            //   0f8501000000         | jne                 7
            //   c3                   | ret                 
            //   55                   | push                ebp

        $sequence_6 = { 8d4dac e8???????? c645fc03 8d857cffffff 837d9008 ff758c 0f43857cffffff }
            // n = 7, score = 200
            //   8d4dac               | lea                 ecx, [ebp - 0x54]
            //   e8????????           |                     
            //   c645fc03             | mov                 byte ptr [ebp - 4], 3
            //   8d857cffffff         | lea                 eax, [ebp - 0x84]
            //   837d9008             | cmp                 dword ptr [ebp - 0x70], 8
            //   ff758c               | push                dword ptr [ebp - 0x74]
            //   0f43857cffffff       | cmovae              eax, dword ptr [ebp - 0x84]

        $sequence_7 = { 33ff 47 897dfc 837db400 0f8429010000 68???????? }
            // n = 6, score = 200
            //   33ff                 | xor                 edi, edi
            //   47                   | inc                 edi
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   837db400             | cmp                 dword ptr [ebp - 0x4c], 0
            //   0f8429010000         | je                  0x12f
            //   68???????? 

        $sequence_8 = { 8b442424 81c70000a000 13c3 89442424 3b442414 0f8c49ffffff }
            // n = 6, score = 200
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]
            //   81c70000a000         | add                 edi, 0xa00000
            //   13c3                 | adc                 eax, ebx
            //   89442424             | mov                 dword ptr [esp + 0x24], eax
            //   3b442414             | cmp                 eax, dword ptr [esp + 0x14]
            //   0f8c49ffffff         | jl                  0xffffff4f

        $sequence_9 = { 837dbc18 750c 33c9 0fb6db 41 397da8 0f44d9 }
            // n = 7, score = 200
            //   837dbc18             | cmp                 dword ptr [ebp - 0x44], 0x18
            //   750c                 | jne                 0xe
            //   33c9                 | xor                 ecx, ecx
            //   0fb6db               | movzx               ebx, bl
            //   41                   | inc                 ecx
            //   397da8               | cmp                 dword ptr [ebp - 0x58], edi
            //   0f44d9               | cmove               ebx, ecx

    condition:
        // Needs 7 of the 10 code sequences; the size cap (~312 KiB) is derived
        // from the reference sample and will exclude padded or inflated builds,
        // so relax it when scanning memory dumps or repacked files.
        7 of them and filesize < 319488
}
[TLP:WHITE] win_thunderx_w0   (20200915 | Rule to detect the ThunderX ransomware family)
import "pe"

// McAfee ATR rule for ThunderX. Most indicators below are hex-encoded ASCII:
// the sample carries these strings as their hexadecimal text form, so the rule
// matches the hex characters literally (a plain-text hunt for "vssadmin" or
// "wbadmin" will not hit these samples). Decoded values are noted per entry.
rule win_thunderx_w0 {
   meta:
      description = "Rule to dettect tthe ThunderX ransomware family"
      author = "Christiaan Beek @ McAfee ATR team"
      date = "2020-09-14"
      rule_version = "v1"
      malware_type = "ransomware"
      malware_family = "Ransomware:W32/ThunderX"
      actor_type = "Cybercrime"
      actor_group = "Unknown"
      hash1 = "7bab5dedef124803668580a59b6bf3c53cc31150d19591567397bbc131b9ccb6"
      hash2 = "0fbfdb8340108fafaca4c5ff4d3c9f9a2296efeb9ae89fcd9210e3d4c7239666"
      hash3 = "7527459500109b3bb48665236c5c5cb2ec71ba789867ad2b6417b38b9a46615e"
      source = "https://github.com/advanced-threat-research/Yara-Rules/blob/master/ransomware/Ransom_ThunderX.yar"
      malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunderx"
      malpedia_rule_date = "20200915"
      malpedia_hash = ""
      malpedia_version = "20200915"
      malpedia_license = "CC BY-SA 4.0"
      malpedia_sharing = "TLP:WHITE"

   strings:
   
      // "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
      // (recovery inhibition; required by the first condition branch)
      $pattern1 = "626364656469742E657865202F736574207B64656661756C747D20626F6F74737461747573706F6C6963792069676E6F7265616C6C6661696C75726573" 
     
      // "wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest"
      $s3 = "776261646D696E2044454C4554452053595354454D53544154454241434B5550202D64656C6574654F6C64657374" ascii
      // "bcdedit.exe /set {default} recoveryenabled No"
      $s4 = "626364656469742E657865202F736574207B64656661756C747D207265636F76657279656E61626C6564204E6F" ascii 
      // "wbadmin DELETE SYSTEMSTATEBACKUP"
      $s5 = "776261646D696E2044454C4554452053595354454D53544154454241434B5550" ascii 
      // "C:\Program Files (x86)\Microsoft SQL Server"
      $s6 = "433A5C50726F6772616D2046696C65732028783836295C4D6963726F736F66742053514C20536572766572" ascii 
      // "Global\35355FA5-07E9-428B-B5A5-1C88CAB2B488" (global object name, GUID-style)
      $s7 = "476C6F62616C5C33353335354641352D303745392D343238422D423541352D314338384341423242343838" ascii 
      // "C:\Program Files\Microsoft SQL Server"
      $s8 = "433A5C50726F6772616D2046696C65735C4D6963726F736F66742053514C20536572766572" ascii 
      // "vssadmin.exe Delete Shadows /All /Quiet"
      $s9 = "76737361646D696E2E6578652044656C65746520536861646F7773202F416C6C202F5175696574" ascii 
      // "wmic.exe SHADOWCOPY /nointeractive"
      $s10 = "776D69632E65786520534841444F57434F5059202F6E6F696E746572616374697665" ascii 
      // "SOFTWARE\Microsoft\ERID" (registry path)
      $s11 = "534F4654574152455C4D6963726F736F66745C45524944" ascii 
      // Plain (not hex-encoded) import name, common in MSVC CRT builds; weak on its own.
      $s12 = "AppPolicyGetProcessTerminationMethod" fullword ascii
      // "{PATTERN_ID}"
      $s13 = "7B5041545445524E5F49447D" ascii 
      // "readme.txt"
      $s14 = "726561646D652E747874" ascii 
      // "\"network\":\""  -- JSON key fragments ($s15-$s18)
      $s15 = "226E6574776F726B223A22" ascii 
      // "\"subid\":\""
      $s16 = "227375626964223A22" ascii 
      // "\"lang\":\""
      $s17 = "226C616E67223A22" ascii 
      // "\"ext\":\""
      $s18 = "22657874223A22" ascii 
      // "id.key"
      $s19 = "69642E6B6579" ascii 
      // "{UID}"
      $s20 = "7B5549447D" ascii 

      // Raw code bytes; $seq0 and $seq2 embed absolute addresses (0x0041c410,
      // 0x00418134) tied to one build's image base.
      $seq0 = { eb 34 66 0f 12 0d 10 c4 41 00 f2 0f 59 c1 ba cc }
      $seq1 = { 6a 07 50 e8 51 ff ff ff 8d 86 d0 }
      $seq2 = { ff 15 34 81 41 00 eb 15 83 f8 fc 75 10 8b 45 f4 }
   condition:
      // Precedence: "and" binds tighter than "or", so this reads as
      //   (MZ header AND size < 400KB AND exact imphash AND $pattern1 AND 4 of any string
      //    AND all three $seq*)  OR  (every string in the rule matches).
      // The imphash pins a single build; the second branch is the only path
      // for samples whose import table differs (it then also ignores the
      // MZ/filesize guard). "them" counts $pattern1 and $seq* as well as $s*.
      ( uint16(0) == 0x5a4d and filesize < 400KB and pe.imphash() == "ea7e408cd2a264fd13492973e97d8d70" and $pattern1 and 4 of them ) and all of ($seq*) or ( all of them )
}