win.thunderx

ThunderX

aka: Ranzy Locker

Ransomware.

References
2022-01-19 — Mandiant — Adrian Sanchez Hernandez, Ervin James Ocampo, Paul Tarter
One Source to Rule Them All: Chasing AVADDON Ransomware
BlackMatter Avaddon BlackMatter MedusaLocker SystemBC ThunderX
2021-10-28 — PICUS Security — Süleyman Özarslan
A Detailed Walkthrough of Ranzy Locker Ransomware TTPs
ThunderX
2021-10-25 — FBI — FBI
CU-000153-MW: Indicators of Compromise Associated with Ranzy Locker Ransomware
ThunderX
2021-05-10 — DarkTracer — DarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-06 — Cyborg Security — Brandon Denker
Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2020-11-18 — SentinelOne — Jim Walter
Ranzy Ransomware | Better Encryption Among New Features of ThunderX Derivative
ThunderX
2020-11-16 — Intel 471 — Intel 471
Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-10-16 — Bleeping Computer — Lawrence Abrams
ThunderX Ransomware rebrands as Ranzy Locker, adds data leak site
ThunderX
2020-08-18 — ID Ransomware — Andrew Ivanov
ThunderX Ransomware
ThunderX
Yara Rules
[TLP:WHITE] win_thunderx_auto (20251219 | Detects win.thunderx.)
// Auto-generated code-sequence rule for win.thunderx (yara-signator).
// Each $sequence_N is a short run of 32-bit x86 instruction bytes lifted from
// the disassembly of the documented sample(s); the "??" wildcards mask the
// relative call/jump targets and data references (see signator_config), so the
// sequences survive relocation and minor rebuilds. The rule fires when a
// quorum of these sequences is present in a sufficiently small file.
rule win_thunderx_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.thunderx."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunderx"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Per-sequence annotations: "n" is the instruction count, "score" the
        // selection score assigned by the generator. The disassembly column is
        // blank for wildcarded (masked) instructions.
        $sequence_0 = { 56 e8???????? 59 8d45b0 8bcf 50 e8???????? }
            // n = 7, score = 200
            //   56                   | push                esi
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8d45b0               | lea                 eax, [ebp - 0x50]
            //   8bcf                 | mov                 ecx, edi
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_1 = { 75f2 85c9 7509 3bc6 740b 83e802 ebd7 }
            // n = 7, score = 200
            //   75f2                 | jne                 0xfffffff4
            //   85c9                 | test                ecx, ecx
            //   7509                 | jne                 0xb
            //   3bc6                 | cmp                 eax, esi
            //   740b                 | je                  0xd
            //   83e802               | sub                 eax, 2
            //   ebd7                 | jmp                 0xffffffd9

        // Loop stepping two pointers (ebx, esi) by 0x18 bytes per iteration
        // until esi reaches edi; the call target per element is masked.
        $sequence_2 = { 8bcb e8???????? 83c318 83c618 895de0 3bf7 75eb }
            // n = 7, score = 200
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   83c318               | add                 ebx, 0x18
            //   83c618               | add                 esi, 0x18
            //   895de0               | mov                 dword ptr [ebp - 0x20], ebx
            //   3bf7                 | cmp                 esi, edi
            //   75eb                 | jne                 0xffffffed

        // Two indirect calls through esi followed by an al = 1 / al = 0 tail,
        // i.e. a boolean result being produced.
        $sequence_3 = { 8b35???????? ffd6 ff75ec ffd6 b001 eb02 32c0 }
            // n = 7, score = 200
            //   8b35????????         |                     
            //   ffd6                 | call                esi
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   ffd6                 | call                esi
            //   b001                 | mov                 al, 1
            //   eb02                 | jmp                 4
            //   32c0                 | xor                 al, al

        $sequence_4 = { 7462 8b44240c 3b05???????? 7556 8b442410 89442438 8b442414 }
            // n = 7, score = 200
            //   7462                 | je                  0x64
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]
            //   3b05????????         |                     
            //   7556                 | jne                 0x58
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   89442438             | mov                 dword ptr [esp + 0x38], eax
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]

        $sequence_5 = { c3 6a54 b8???????? e8???????? 8bf9 897dac }
            // n = 6, score = 200
            //   c3                   | ret                 
            //   6a54                 | push                0x54
            //   b8????????           |                     
            //   e8????????           |                     
            //   8bf9                 | mov                 edi, ecx
            //   897dac               | mov                 dword ptr [ebp - 0x54], edi

        $sequence_6 = { 7415 ff15???????? 85c0 750b e8???????? 84c0 }
            // n = 6, score = 200
            //   7415                 | je                  0x17
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   750b                 | jne                 0xd
            //   e8????????           |                     
            //   84c0                 | test                al, al

        $sequence_7 = { 59 56 8bd0 885dfc 8d8d40feffff e8???????? 59 }
            // n = 7, score = 200
            //   59                   | pop                 ecx
            //   56                   | push                esi
            //   8bd0                 | mov                 edx, eax
            //   885dfc               | mov                 byte ptr [ebp - 4], bl
            //   8d8d40feffff         | lea                 ecx, [ebp - 0x1c0]
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_8 = { e8???????? 8d8dc8fdffff e8???????? 8d8db0fdffff c645fc05 e8???????? }
            // n = 6, score = 200
            //   e8????????           |                     
            //   8d8dc8fdffff         | lea                 ecx, [ebp - 0x238]
            //   e8????????           |                     
            //   8d8db0fdffff         | lea                 ecx, [ebp - 0x250]
            //   c645fc05             | mov                 byte ptr [ebp - 4], 5
            //   e8????????           |                     

        // Shortest sequence (4 instructions): a two-way select of edi.
        // Generic enough that it is only meaningful together with the others.
        $sequence_9 = { 8bfa 2b7d0c eb02 8bfe }
            // n = 4, score = 200
            //   8bfa                 | mov                 edi, edx
            //   2b7d0c               | sub                 edi, dword ptr [ebp + 0xc]
            //   eb02                 | jmp                 4
            //   8bfe                 | mov                 edi, esi

    condition:
        // Quorum: any 7 of the 10 sequences. The filesize bound (bytes) is
        // presumably derived from the reference sample(s) — confirm before
        // relaxing it; a packed or padded build may exceed it and be missed.
        7 of them and filesize < 319488
}
[TLP:WHITE] win_thunderx_w0   (20200915 | Rule to dettect tthe ThunderX ransomware family)
import "pe"

// Hand-written rule (McAfee ATR) for ThunderX. Most strings are hex-ASCII
// text: the rule matches the hexadecimal *representation* of a command line
// or path, not its raw bytes — presumably because the sample carries these
// values hex-encoded. Each is decoded in a comment for the reader.
// Requires `import "pe"` for pe.imphash().
rule win_thunderx_w0 {
   meta:
      description = "Rule to dettect tthe ThunderX ransomware family"
      author = "Christiaan Beek @ McAfee ATR team"
      date = "2020-09-14"
      rule_version = "v1"
      malware_type = "ransomware"
      malware_family = "Ransomware:W32/ThunderX"
      actor_type = "Cybercrime"
      actor_group = "Unknown"
      hash1 = "7bab5dedef124803668580a59b6bf3c53cc31150d19591567397bbc131b9ccb6"
      hash2 = "0fbfdb8340108fafaca4c5ff4d3c9f9a2296efeb9ae89fcd9210e3d4c7239666"
      hash3 = "7527459500109b3bb48665236c5c5cb2ec71ba789867ad2b6417b38b9a46615e"
      source = "https://github.com/advanced-threat-research/Yara-Rules/blob/master/ransomware/Ransom_ThunderX.yar"
      malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunderx"
      malpedia_rule_date = "20200915"
      malpedia_hash = ""
      malpedia_version = "20200915"
      malpedia_license = "CC BY-SA 4.0"
      malpedia_sharing = "TLP:WHITE"

   strings:
   
      // Mandatory anchor in the first condition branch.
      // decodes to: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      $pattern1 = "626364656469742E657865202F736574207B64656661756C747D20626F6F74737461747573706F6C6963792069676E6F7265616C6C6661696C75726573" 
     
      // Backup/recovery-inhibition command lines (hex-encoded):
      //   $s3  -> wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      //   $s4  -> bcdedit.exe /set {default} recoveryenabled No
      //   $s5  -> wbadmin DELETE SYSTEMSTATEBACKUP
      //   $s9  -> vssadmin.exe Delete Shadows /All /Quiet
      //   $s10 -> wmic.exe SHADOWCOPY /nointeractive
      // Note $s5 is a prefix of $s3, so both match wherever $s3 does.
      $s3 = "776261646D696E2044454C4554452053595354454D53544154454241434B5550202D64656C6574654F6C64657374" ascii
      $s4 = "626364656469742E657865202F736574207B64656661756C747D207265636F76657279656E61626C6564204E6F" ascii 
      $s5 = "776261646D696E2044454C4554452053595354454D53544154454241434B5550" ascii 
      // Paths / names (hex-encoded):
      //   $s6  -> C:\Program Files (x86)\Microsoft SQL Server
      //   $s7  -> Global\35355FA5-07E9-428B-B5A5-1C88CAB2B488  (a Global\ object name; presumably a mutex — not confirmed here)
      //   $s8  -> C:\Program Files\Microsoft SQL Server
      //   $s11 -> SOFTWARE\Microsoft\ERID  (registry path)
      $s6 = "433A5C50726F6772616D2046696C65732028783836295C4D6963726F736F66742053514C20536572766572" ascii 
      $s7 = "476C6F62616C5C33353335354641352D303745392D343238422D423541352D314338384341423242343838" ascii 
      $s8 = "433A5C50726F6772616D2046696C65735C4D6963726F736F66742053514C20536572766572" ascii 
      $s9 = "76737361646D696E2E6578652044656C65746520536861646F7773202F416C6C202F5175696574" ascii 
      $s10 = "776D69632E65786520534841444F57434F5059202F6E6F696E746572616374697665" ascii 
      $s11 = "534F4654574152455C4D6963726F736F66745C45524944" ascii 
      // Plain-text API name; low specificity on its own, presumably a supporting indicator.
      $s12 = "AppPolicyGetProcessTerminationMethod" fullword ascii
      // Template/config fragments (hex-encoded):
      //   $s13 -> {PATTERN_ID}      $s14 -> readme.txt
      //   $s15 -> "network":"      $s16 -> "subid":"
      //   $s17 -> "lang":"         $s18 -> "ext":"
      //   $s19 -> id.key           $s20 -> {UID}
      // $s15..$s18 look like JSON key prefixes — short, so weak individually.
      $s13 = "7B5041545445524E5F49447D" ascii 
      $s14 = "726561646D652E747874" ascii 
      $s15 = "226E6574776F726B223A22" ascii 
      $s16 = "227375626964223A22" ascii 
      $s17 = "226C616E67223A22" ascii 
      $s18 = "22657874223A22" ascii 
      $s19 = "69642E6B6579" ascii 
      $s20 = "7B5549447D" ascii 

      // Raw code byte sequences (no wildcards, absolute addresses included in
      // $seq0/$seq2), so they are tied to this exact build/image base.
      $seq0 = { eb 34 66 0f 12 0d 10 c4 41 00 f2 0f 59 c1 ba cc }
      $seq1 = { 6a 07 50 e8 51 ff ff ff 8d 86 d0 }
      $seq2 = { ff 15 34 81 41 00 eb 15 83 f8 fc 75 10 8b 45 f4 }
   condition:
      // `and` binds tighter than `or`, so this evaluates as
      //   ( MZ header and filesize < 400KB and imphash and $pattern1 and 4 of them
      //     and all of ($seq*) )  or  ( all of them )
      // "them" counts every string above, including $pattern1 and $seq*.
      // NOTE(review): the second branch (`all of them`) bypasses the header,
      // filesize and imphash gate entirely — confirm that is intended.
      ( uint16(0) == 0x5a4d and filesize < 400KB and pe.imphash() == "ea7e408cd2a264fd13492973e97d8d70" and $pattern1 and 4 of them ) and all of ($seq*) or ( all of them )
}