win.thunderx

ThunderX

aka: Ranzy Locker

Ransomware.

References
2021-05-10 — DarkTracer — DarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-06 — Cyborg Security — Brandon Denker
@online{denker:20210506:ransomware:a1f31df, author = {Brandon Denker}, title = {{Ransomware: Hunting for Inhibiting System Backup or Recovery}}, date = {2021-05-06}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/}, language = {English}, urldate = {2021-05-08} } Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2020-11-18 — SentinelOne — Jim Walter
@online{walter:20201118:ranzy:b1f443f, author = {Jim Walter}, title = {{Ranzy Ransomware | Better Encryption Among New Features of ThunderX Derivative}}, date = {2020-11-18}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/}, language = {English}, urldate = {2020-11-19} } Ranzy Ransomware | Better Encryption Among New Features of ThunderX Derivative
ThunderX
2020-11-16 — Intel 471 — Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-10-16 — Bleeping Computer — Lawrence Abrams
@online{abrams:20201016:thunderx:7e8ece8, author = {Lawrence Abrams}, title = {{ThunderX Ransomware rebrands as Ranzy Locker, adds data leak site}}, date = {2020-10-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/thunderx-ransomware-rebrands-as-ranzy-locker-adds-data-leak-site/}, language = {English}, urldate = {2020-10-23} } ThunderX Ransomware rebrands as Ranzy Locker, adds data leak site
ThunderX
2020-08-18 — ID Ransomware — Andrew Ivanov
@online{ivanov:20200818:thunderx:0d8f847, author = {Andrew Ivanov}, title = {{ThunderX Ransomware}}, date = {2020-08-18}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/08/thunderx-ransomware.html}, language = {English}, urldate = {2020-09-15} } ThunderX Ransomware
ThunderX
Yara Rules
[TLP:WHITE] win_thunderx_auto (20211008 | Detects win.thunderx.)
rule win_thunderx_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.thunderx."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunderx"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes on reading this rule
     * - Each $sequence_N is a short run of x86 instruction bytes taken from the
     *   disassembly of the reference sample. The "// n = ..., score = ..." line
     *   under each one gives the number of instructions in the sequence (n) and
     *   the generator's selectivity score for it (semantics of the score are
     *   defined by yara-signator, see the repository linked above).
     * - "??" bytes mask operands that change from build to build: call/jmp
     *   displacements (e8, e9, ff15) and absolute address or immediate operands
     *   (a3, a1, ba, 833d .. 00). The disassembly comment is left blank for
     *   those entries. Bytes that are kept literally despite being addresses,
     *   e.g. 0x421b70 in $sequence_3 and 0x40967c in $sequence_8, tie the match
     *   to samples with the same image base and layout.
     * - Since the patterns are code sequences from unpacked code, the rule is
     *   meant for memory dumps and unpacked files; a packed on-disk sample will
     *   normally not match.
     */


    strings:
        $sequence_0 = { a3???????? 8b4104 a3???????? 8b4108 }
            // n = 4, score = 200
            //   a3????????           |                     
            //   8b4104               | mov                 eax, dword ptr [ecx + 4]
            //   a3????????           |                     
            //   8b4108               | mov                 eax, dword ptr [ecx + 8]

        $sequence_1 = { ff15???????? 51 50 8d4dd4 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   51                   | push                ecx
            //   50                   | push                eax
            //   8d4dd4               | lea                 ecx, dword ptr [ebp - 0x2c]

        $sequence_2 = { e8???????? e8???????? 8d4c240c e8???????? }
            // n = 4, score = 200
            //   e8????????           |                     
            //   e8????????           |                     
            //   8d4c240c             | lea                 ecx, dword ptr [esp + 0xc]
            //   e8????????           |                     

        $sequence_3 = { 8845d5 8b45b0 895db8 c745d801000000 8b0485701b4200 8945d0 81f9e9fd0000 }
            // n = 7, score = 200
            //   8845d5               | mov                 byte ptr [ebp - 0x2b], al
            //   8b45b0               | mov                 eax, dword ptr [ebp - 0x50]
            //   895db8               | mov                 dword ptr [ebp - 0x48], ebx
            //   c745d801000000       | mov                 dword ptr [ebp - 0x28], 1
            //   8b0485701b4200       | mov                 eax, dword ptr [eax*4 + 0x421b70]
            //   8945d0               | mov                 dword ptr [ebp - 0x30], eax
            //   81f9e9fd0000         | cmp                 ecx, 0xfde9

        $sequence_4 = { 59 1adb 59 fec3 eb02 32db e8???????? }
            // n = 7, score = 200
            //   59                   | pop                 ecx
            //   1adb                 | sbb                 bl, bl
            //   59                   | pop                 ecx
            //   fec3                 | inc                 bl
            //   eb02                 | jmp                 4
            //   32db                 | xor                 bl, bl
            //   e8????????           |                     

        $sequence_5 = { 8d4d90 e8???????? 833d????????00 0f8420040000 a1???????? 8d4ded 6a0a }
            // n = 7, score = 200
            //   8d4d90               | lea                 ecx, dword ptr [ebp - 0x70]
            //   e8????????           |                     
            //   833d????????00       |                     
            //   0f8420040000         | je                  0x426
            //   a1????????           |                     
            //   8d4ded               | lea                 ecx, dword ptr [ebp - 0x13]
            //   6a0a                 | push                0xa

        $sequence_6 = { e8???????? 8d4c243c e8???????? ba???????? 8d4c2424 }
            // n = 5, score = 200
            //   e8????????           |                     
            //   8d4c243c             | lea                 ecx, dword ptr [esp + 0x3c]
            //   e8????????           |                     
            //   ba????????           |                     
            //   8d4c2424             | lea                 ecx, dword ptr [esp + 0x24]

        $sequence_7 = { 03c9 e8???????? 5d c20400 e8???????? cc }
            // n = 6, score = 200
            //   03c9                 | add                 ecx, ecx
            //   e8????????           |                     
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   e8????????           |                     
            //   cc                   | int3                

        $sequence_8 = { 33c0 40 e9???????? 8365c000 c745c47c964000 a1???????? 8d4dc0 }
            // n = 7, score = 200
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax
            //   e9????????           |                     
            //   8365c000             | and                 dword ptr [ebp - 0x40], 0
            //   c745c47c964000       | mov                 dword ptr [ebp - 0x3c], 0x40967c
            //   a1????????           |                     
            //   8d4dc0               | lea                 ecx, dword ptr [ebp - 0x40]

        $sequence_9 = { c3 55 8bec 51 8b4214 53 8b5a10 }
            // n = 7, score = 200
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   8b4214               | mov                 eax, dword ptr [edx + 0x14]
            //   53                   | push                ebx
            //   8b5a10               | mov                 ebx, dword ptr [edx + 0x10]

    condition:
        // At least 7 of the 10 code sequences must be present. 319488 bytes is
        // 312 KiB; the cap (presumably sized from the reference sample) cheaply
        // skips large files but will also exclude larger repacked or padded
        // variants of the same code.
        7 of them and filesize < 319488
}
[TLP:WHITE] win_thunderx_w0   (20200915 | Rule to detect the ThunderX ransomware family)
// The "pe" module is required for the pe.imphash() call in the condition below.
import "pe"

rule win_thunderx_w0 {
   meta:
      description = "Rule to dettect tthe ThunderX ransomware family"
      author = "Christiaan Beek @ McAfee ATR team"
      date = "2020-09-14"
      rule_version = "v1"
      malware_type = "ransomware"
      malware_family = "Ransomware:W32/ThunderX"
      actor_type = "Cybercrime"
      actor_group = "Unknown"
      hash1 = "7bab5dedef124803668580a59b6bf3c53cc31150d19591567397bbc131b9ccb6"
      hash2 = "0fbfdb8340108fafaca4c5ff4d3c9f9a2296efeb9ae89fcd9210e3d4c7239666"
      hash3 = "7527459500109b3bb48665236c5c5cb2ec71ba789867ad2b6417b38b9a46615e"
      source = "https://github.com/advanced-threat-research/Yara-Rules/blob/master/ransomware/Ransom_ThunderX.yar"
      malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunderx"
      malpedia_rule_date = "20200915"
      malpedia_hash = ""
      malpedia_version = "20200915"
      malpedia_license = "CC BY-SA 4.0"
      malpedia_sharing = "TLP:WHITE"

   /* Reviewer notes on reading this rule
    * - $pattern1 and $s3..$s20 (except $s12) are not the plaintext values but
    *   their hex-encoded ASCII form: the sample stores e.g. "readme.txt" as the
    *   digit string "726561646D652E747874", and YARA matches those digits
    *   literally. A variant that stores the same values in cleartext, in lower-
    *   case hex, or in another encoding will not hit these strings. The decoded
    *   meaning of each string is given in the comment above it.
    * - The strings fall into three groups: backup/recovery-inhibition command
    *   lines (the behaviour the Cyborg Security reference on this page hunts
    *   for), host/build artefacts (mutex name, registry key, SQL Server paths),
    *   and ransom-note / configuration template tokens.
    * - The first alternative of the condition pins the sample to one import
    *   table via pe.imphash(); any relink or repack changes the imphash, and the
    *   rule then depends on the broader "all of them" alternative.
    */

   strings:
   
      // hex of: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      $pattern1 = "626364656469742E657865202F736574207B64656661756C747D20626F6F74737461747573706F6C6963792069676E6F7265616C6C6661696C75726573" 
     
      // hex of: wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      $s3 = "776261646D696E2044454C4554452053595354454D53544154454241434B5550202D64656C6574654F6C64657374" ascii
      // hex of: bcdedit.exe /set {default} recoveryenabled No
      $s4 = "626364656469742E657865202F736574207B64656661756C747D207265636F76657279656E61626C6564204E6F" ascii 
      // hex of: wbadmin DELETE SYSTEMSTATEBACKUP  (prefix of $s3, so both match wherever $s3 does)
      $s5 = "776261646D696E2044454C4554452053595354454D53544154454241434B5550" ascii 
      // hex of: C:\Program Files (x86)\Microsoft SQL Server
      $s6 = "433A5C50726F6772616D2046696C65732028783836295C4D6963726F736F66742053514C20536572766572" ascii 
      // hex of: Global\35355FA5-07E9-428B-B5A5-1C88CAB2B488  (looks like a global mutex name; single-instance marker)
      $s7 = "476C6F62616C5C33353335354641352D303745392D343238422D423541352D314338384341423242343838" ascii 
      // hex of: C:\Program Files\Microsoft SQL Server
      $s8 = "433A5C50726F6772616D2046696C65735C4D6963726F736F66742053514C20536572766572" ascii 
      // hex of: vssadmin.exe Delete Shadows /All /Quiet
      $s9 = "76737361646D696E2E6578652044656C65746520536861646F7773202F416C6C202F5175696574" ascii 
      // hex of: wmic.exe SHADOWCOPY /nointeractive
      $s10 = "776D69632E65786520534841444F57434F5059202F6E6F696E746572616374697665" ascii 
      // hex of: SOFTWARE\Microsoft\ERID  (registry path; purpose not determinable from this page)
      $s11 = "534F4654574152455C4D6963726F736F66745C45524944" ascii 
      // Plaintext import name. This API appears in many MSVC-built binaries via
      // CRT startup code, so on its own it is weak evidence of this family.
      $s12 = "AppPolicyGetProcessTerminationMethod" fullword ascii
      // hex of: {PATTERN_ID}  (template placeholder)
      $s13 = "7B5041545445524E5F49447D" ascii 
      // hex of: readme.txt  (ransom-note file name)
      $s14 = "726561646D652E747874" ascii 
      // hex of: "network":"  (JSON config key)
      $s15 = "226E6574776F726B223A22" ascii 
      // hex of: "subid":"  (JSON config key)
      $s16 = "227375626964223A22" ascii 
      // hex of: "lang":"  (JSON config key)
      $s17 = "226C616E67223A22" ascii 
      // hex of: "ext":"  (JSON config key)
      $s18 = "22657874223A22" ascii 
      // hex of: id.key
      $s19 = "69642E6B6579" ascii 
      // hex of: {UID}  (template placeholder)
      $s20 = "7B5549447D" ascii 

      // Raw code sequences with no wildcards. $seq0 embeds the absolute address
      // 0x0041c410 (bytes 10 c4 41 00) and $seq2 the import slot 0x00418134
      // (34 81 41 00), so both are tied to this specific build's image layout.
      $seq0 = { eb 34 66 0f 12 0d 10 c4 41 00 f2 0f 59 c1 ba cc }
      $seq1 = { 6a 07 50 e8 51 ff ff ff 8d 86 d0 }
      $seq2 = { ff 15 34 81 41 00 eb 15 83 f8 fc 75 10 8b 45 f4 }
   condition:
      // "and" binds tighter than "or", so this evaluates as
      //   ( MZ header and filesize < 400KB and imphash match and $pattern1
      //     and 4 of them and all of ($seq*) )
      //   or ( all of them )
      // "4 of them" counts every string in the rule, $pattern1 and $seq*
      // included, so it adds little beyond the explicit terms next to it.
      ( uint16(0) == 0x5a4d and filesize < 400KB and pe.imphash() == "ea7e408cd2a264fd13492973e97d8d70" and $pattern1 and 4 of them ) and all of ($seq*) or ( all of them )
}