win.thunderx

ThunderX

aka: Ranzy Locker

Ransomware.

References
2022-01-19 — Mandiant — Adrian Sanchez Hernandez, Ervin James Ocampo, Paul Tarter
One Source to Rule Them All: Chasing AVADDON Ransomware
BlackMatter Avaddon BlackMatter MedusaLocker SystemBC ThunderX
2021-10-28 — PICUS Security — Süleyman Özarslan
A Detailed Walkthrough of Ranzy Locker Ransomware TTPs
ThunderX
2021-10-25 — FBI — FBI
CU-000153-MW: Indicators of Compromise Associated with Ranzy Locker Ransomware
ThunderX
2021-05-10 — DarkTracer — DarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-06 — Cyborg Security — Brandon Denker
Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2020-11-18 — SentinelOne — Jim Walter
Ranzy Ransomware | Better Encryption Among New Features of ThunderX Derivative
ThunderX
2020-11-16 — Intel 471 — Intel 471
Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-10-16 — Bleeping Computer — Lawrence Abrams
ThunderX Ransomware rebrands as Ranzy Locker, adds data leak site
ThunderX
2020-08-18 — ID Ransomware — Andrew Ivanov
ThunderX Ransomware
ThunderX
Yara Rules
[TLP:WHITE] win_thunderx_auto (20241030 | Detects win.thunderx.)
rule win_thunderx_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.thunderx."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunderx"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review)
     * Each $sequence_N below is a short run of 32-bit x86 opcodes cut from the
     * sample's disassembly; the listing under each string shows the bytes and
     * their decoding. Bytes written as `??` are wildcards: in these sequences
     * they cover the 4-byte operand that follows e8 (call rel32), b9
     * (mov ecx, imm32) and ff15 (call [mem32]), so call targets and absolute
     * addresses are not pinned to one build. `n` is the number of
     * instructions in the sequence; `score` is yara-signator's own ranking of
     * the sequence (see the tool's repository for its meaning).
     */

    strings:
        $sequence_0 = { 8b4598 03c1 894d8c 6a0d 50 e8???????? 33f8 }
            // n = 7, score = 200
            //   8b4598               | mov                 eax, dword ptr [ebp - 0x68]
            //   03c1                 | add                 eax, ecx
            //   894d8c               | mov                 dword ptr [ebp - 0x74], ecx
            //   6a0d                 | push                0xd
            //   50                   | push                eax
            //   e8????????           |                     
            //   33f8                 | xor                 edi, eax

        $sequence_1 = { 57 b9???????? e8???????? 83f8ff 7413 837e1410 7202 }
            // n = 7, score = 200
            //   57                   | push                edi
            //   b9????????           |                     
            //   e8????????           |                     
            //   83f8ff               | cmp                 eax, -1
            //   7413                 | je                  0x15
            //   837e1410             | cmp                 dword ptr [esi + 0x14], 0x10
            //   7202                 | jb                  4

        $sequence_2 = { e8???????? 83c618 3b742428 75f0 8d4c2424 e8???????? e8???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c618               | add                 esi, 0x18
            //   3b742428             | cmp                 esi, dword ptr [esp + 0x28]
            //   75f0                 | jne                 0xfffffff2
            //   8d4c2424             | lea                 ecx, [esp + 0x24]
            //   e8????????           |                     
            //   e8????????           |                     

        $sequence_3 = { e8???????? 83c618 8975c0 eb0d 57 56 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   83c618               | add                 esi, 0x18
            //   8975c0               | mov                 dword ptr [ebp - 0x40], esi
            //   eb0d                 | jmp                 0xf
            //   57                   | push                edi
            //   56                   | push                esi

        $sequence_4 = { 8b36 53 56 ff7710 50 e8???????? 5e }
            // n = 7, score = 200
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   53                   | push                ebx
            //   56                   | push                esi
            //   ff7710               | push                dword ptr [edi + 0x10]
            //   50                   | push                eax
            //   e8????????           |                     
            //   5e                   | pop                 esi

        $sequence_5 = { 50 ff15???????? 85c0 0f85b7000000 837e1408 7202 8b36 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f85b7000000         | jne                 0xbd
            //   837e1408             | cmp                 dword ptr [esi + 0x14], 8
            //   7202                 | jb                  4
            //   8b36                 | mov                 esi, dword ptr [esi]

        $sequence_6 = { 56 57 6a66 50 ff15???????? 51 50 }
            // n = 7, score = 200
            //   56                   | push                esi
            //   57                   | push                edi
            //   6a66                 | push                0x66
            //   50                   | push                eax
            //   ff15????????         |                     
            //   51                   | push                ecx
            //   50                   | push                eax

        $sequence_7 = { e8???????? eb24 8d4de0 e8???????? }
            // n = 4, score = 200
            //   e8????????           |                     
            //   eb24                 | jmp                 0x26
            //   8d4de0               | lea                 ecx, [ebp - 0x20]
            //   e8????????           |                     

        $sequence_8 = { 8932 897204 897208 5e 5d c20400 6a18 }
            // n = 7, score = 200
            //   8932                 | mov                 dword ptr [edx], esi
            //   897204               | mov                 dword ptr [edx + 4], esi
            //   897208               | mov                 dword ptr [edx + 8], esi
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   6a18                 | push                0x18

        $sequence_9 = { 57 8955fc 8b7a14 8bc7 8b7210 2bc6 }
            // n = 6, score = 200
            //   57                   | push                edi
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   8b7a14               | mov                 edi, dword ptr [edx + 0x14]
            //   8bc7                 | mov                 eax, edi
            //   8b7210               | mov                 esi, dword ptr [edx + 0x10]
            //   2bc6                 | sub                 eax, esi

    condition:
        // Fires when at least 7 of the 10 opcode sequences occur in a file smaller
        // than 319488 bytes (312 KiB). The sequences come from unpacked code and
        // memory dumps (see DISCLAIMER), so scan unpacked samples or dumps; a
        // packed sample will generally not expose these byte runs.
        7 of them and filesize < 319488
}
[TLP:WHITE] win_thunderx_w0   (20200915 | Rule to detect the ThunderX ransomware family)
import "pe"

rule win_thunderx_w0 {
   meta:
      description = "Rule to dettect tthe ThunderX ransomware family"
      author = "Christiaan Beek @ McAfee ATR team"
      date = "2020-09-14"
      rule_version = "v1"
      malware_type = "ransomware"
      malware_family = "Ransomware:W32/ThunderX"
      actor_type = "Cybercrime"
      actor_group = "Unknown"
      hash1 = "7bab5dedef124803668580a59b6bf3c53cc31150d19591567397bbc131b9ccb6"
      hash2 = "0fbfdb8340108fafaca4c5ff4d3c9f9a2296efeb9ae89fcd9210e3d4c7239666"
      hash3 = "7527459500109b3bb48665236c5c5cb2ec71ba789867ad2b6417b38b9a46615e"
      source = "https://github.com/advanced-threat-research/Yara-Rules/blob/master/ransomware/Ransom_ThunderX.yar"
      malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunderx"
      malpedia_rule_date = "20200915"
      malpedia_hash = ""
      malpedia_version = "20200915"
      malpedia_license = "CC BY-SA 4.0"
      malpedia_sharing = "TLP:WHITE"

   /* NOTE(review)
    * Except for $s12, every text string below is the hex-ASCII encoding of a
    * plaintext value; the decoded value is given in the comment above each
    * string so a hunter can see what the rule actually keys on. The rule
    * matches the ENCODED form (the literal characters "6263..."), not the
    * plaintext command or path, so a variant that stores these values in
    * clear text or with a different encoding will not hit these strings.
    */

   strings:
   
      // decodes to: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      // (recovery-inhibition command; required by the first condition branch)
      $pattern1 = "626364656469742E657865202F736574207B64656661756C747D20626F6F74737461747573706F6C6963792069676E6F7265616C6C6661696C75726573" 
     
      // decodes to: wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      $s3 = "776261646D696E2044454C4554452053595354454D53544154454241434B5550202D64656C6574654F6C64657374" ascii
      // decodes to: bcdedit.exe /set {default} recoveryenabled No
      $s4 = "626364656469742E657865202F736574207B64656661756C747D207265636F76657279656E61626C6564204E6F" ascii 
      // decodes to: wbadmin DELETE SYSTEMSTATEBACKUP
      $s5 = "776261646D696E2044454C4554452053595354454D53544154454241434B5550" ascii 
      // decodes to: C:\Program Files (x86)\Microsoft SQL Server
      $s6 = "433A5C50726F6772616D2046696C65732028783836295C4D6963726F736F66742053514C20536572766572" ascii 
      // decodes to: Global\35355FA5-07E9-428B-B5A5-1C88CAB2B488  (a Global\ named-object path, GUID-like)
      $s7 = "476C6F62616C5C33353335354641352D303745392D343238422D423541352D314338384341423242343838" ascii 
      // decodes to: C:\Program Files\Microsoft SQL Server
      $s8 = "433A5C50726F6772616D2046696C65735C4D6963726F736F66742053514C20536572766572" ascii 
      // decodes to: vssadmin.exe Delete Shadows /All /Quiet
      $s9 = "76737361646D696E2E6578652044656C65746520536861646F7773202F416C6C202F5175696574" ascii 
      // decodes to: wmic.exe SHADOWCOPY /noninteractive
      $s10 = "776D69632E65786520534841444F57434F5059202F6E6F696E746572616374697665" ascii 
      // decodes to: SOFTWARE\Microsoft\ERID  (registry-key-style path)
      $s11 = "534F4654574152455C4D6963726F736F66745C45524944" ascii 
      // Plaintext Windows API name. It is also referenced by the MSVC/UCRT runtime in
      // many benign binaries, so on its own it adds little specificity to "4 of them".
      $s12 = "AppPolicyGetProcessTerminationMethod" fullword ascii
      // decodes to: {PATTERN_ID}
      $s13 = "7B5041545445524E5F49447D" ascii 
      // decodes to: readme.txt
      $s14 = "726561646D652E747874" ascii 
      // decodes to: "network":"   (JSON-style key fragment)
      $s15 = "226E6574776F726B223A22" ascii 
      // decodes to: "subid":"
      $s16 = "227375626964223A22" ascii 
      // decodes to: "lang":"
      $s17 = "226C616E67223A22" ascii 
      // decodes to: "ext":"
      $s18 = "22657874223A22" ascii 
      // decodes to: id.key
      $s19 = "69642E6B6579" ascii 
      // decodes to: {UID}
      $s20 = "7B5549447D" ascii 

      // Opcode fragments with no wildcards. $seq0 and $seq2 appear to embed absolute
      // image addresses (10 c4 41 00 -> 0x0041c410, 34 81 41 00 -> 0x00418134), which
      // ties them to the layout of the reference samples; expect them to break on a
      // rebuilt or relinked variant. -- TODO confirm against a disassembly
      $seq0 = { eb 34 66 0f 12 0d 10 c4 41 00 f2 0f 59 c1 ba cc }
      $seq1 = { 6a 07 50 e8 51 ff ff ff 8d 86 d0 }
      $seq2 = { ff 15 34 81 41 00 eb 15 83 f8 fc 75 10 8b 45 f4 }
   condition:
      // YARA gives `and` higher precedence than `or`, so this reads as:
      //   ( MZ header AND filesize < 400KB AND imphash matches AND $pattern1 present
      //     AND at least 4 strings overall AND all three $seq* fragments )
      //   OR ( every string in the rule, $seq* included, is present )
      // The imphash gate pins the import table of the reference build, so the second
      // branch is the only path for a build with a different imphash; it ignores the
      // header and size checks entirely.
      ( uint16(0) == 0x5a4d and filesize < 400KB and pe.imphash() == "ea7e408cd2a264fd13492973e97d8d70" and $pattern1 and 4 of them ) and all of ($seq*) or ( all of them )
}