win.thunderx

ThunderX

aka: Ranzy Locker

Ransomware.

References
2022-01-19 | Mandiant | Adrian Sanchez Hernandez, Ervin James Ocampo, Paul Tarter
One Source to Rule Them All: Chasing AVADDON Ransomware
BlackMatter Avaddon BlackMatter MedusaLocker SystemBC ThunderX
2021-10-28 | PICUS Security | Süleyman Özarslan
A Detailed Walkthrough of Ranzy Locker Ransomware TTPs
ThunderX
2021-10-25 | FBI | FBI
CU-000153-MW: Indicators of Compromise Associated with Ranzy Locker Ransomware
ThunderX
2021-05-10 | DarkTracer | DarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-06 | Cyborg Security | Brandon Denker
Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2020-11-18 | SentinelOne | Jim Walter
Ranzy Ransomware | Better Encryption Among New Features of ThunderX Derivative
ThunderX
2020-11-16 | Intel 471 | Intel 471
Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-10-16 | Bleeping Computer | Lawrence Abrams
ThunderX Ransomware rebrands as Ranzy Locker, adds data leak site
ThunderX
2020-08-18 | ID Ransomware | Andrew Ivanov
ThunderX Ransomware
ThunderX
Yara Rules
[TLP:WHITE] win_thunderx_auto (20230808 | Detects win.thunderx.)
rule win_thunderx_auto {
    // Auto-generated code-sequence signature for win.thunderx: ten short x86
    // byte sequences lifted from the disassembly of Malpedia samples. The `??`
    // bytes are YARA wildcards; here they blank out instruction operands that
    // vary between builds (e.g. the rel32 target of an `e8` call, absolute
    // data addresses in `0fb60d` / `c705` forms), so only the opcode skeleton
    // plus the stable operand bytes are matched.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.thunderx."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunderx"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each sequence is followed by the generator's disassembly; rows with an
        // empty mnemonic column are the instructions whose operands were
        // wildcarded. "n" is the instruction count, "score" the generator's
        // ranking value for the sequence.
        $sequence_0 = { 50 e8???????? c9 c3 c705????????58004200 b001 c3 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   e8????????           |                     
            //   c9                   | leave               
            //   c3                   | ret                 
            //   c705????????58004200     |     
            //   b001                 | mov                 al, 1
            //   c3                   | ret                 

        $sequence_1 = { b9???????? e8???????? 0fb60d???????? 84c0 6a01 58 0f45c8 }
            // n = 7, score = 200
            //   b9????????           |                     
            //   e8????????           |                     
            //   0fb60d????????       |                     
            //   84c0                 | test                al, al
            //   6a01                 | push                1
            //   58                   | pop                 eax
            //   0f45c8               | cmovne              ecx, eax

        $sequence_2 = { 51 53 8b5d10 8bd1 56 57 8955fc }
            // n = 7, score = 200
            //   51                   | push                ecx
            //   53                   | push                ebx
            //   8b5d10               | mov                 ebx, dword ptr [ebp + 0x10]
            //   8bd1                 | mov                 edx, ecx
            //   56                   | push                esi
            //   57                   | push                edi
            //   8955fc               | mov                 dword ptr [ebp - 4], edx

        $sequence_3 = { 8d8d9cfbffff e8???????? 8d8d84fbffff e8???????? 8d8d6cfbffff e8???????? }
            // n = 6, score = 200
            //   8d8d9cfbffff         | lea                 ecx, [ebp - 0x464]
            //   e8????????           |                     
            //   8d8d84fbffff         | lea                 ecx, [ebp - 0x47c]
            //   e8????????           |                     
            //   8d8d6cfbffff         | lea                 ecx, [ebp - 0x494]
            //   e8????????           |                     

        $sequence_4 = { 6a02 8d44241c 895c2424 50 53 53 }
            // n = 6, score = 200
            //   6a02                 | push                2
            //   8d44241c             | lea                 eax, [esp + 0x1c]
            //   895c2424             | mov                 dword ptr [esp + 0x24], ebx
            //   50                   | push                eax
            //   53                   | push                ebx
            //   53                   | push                ebx

        $sequence_5 = { e8???????? 84c0 7558 83c718 3b7da0 75ea 8d4de0 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7558                 | jne                 0x5a
            //   83c718               | add                 edi, 0x18
            //   3b7da0               | cmp                 edi, dword ptr [ebp - 0x60]
            //   75ea                 | jne                 0xffffffec
            //   8d4de0               | lea                 ecx, [ebp - 0x20]

        $sequence_6 = { 89459c 8945a0 e8???????? 84c0 0f858d000000 395f10 }
            // n = 6, score = 200
            //   89459c               | mov                 dword ptr [ebp - 0x64], eax
            //   8945a0               | mov                 dword ptr [ebp - 0x60], eax
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   0f858d000000         | jne                 0x93
            //   395f10               | cmp                 dword ptr [edi + 0x10], ebx

        $sequence_7 = { 03d1 8b0c85701b4200 8a0433 43 88440a2e 8b4dd8 8b55b4 }
            // n = 7, score = 200
            //   03d1                 | add                 edx, ecx
            //   8b0c85701b4200       | mov                 ecx, dword ptr [eax*4 + 0x421b70]
            //   8a0433               | mov                 al, byte ptr [ebx + esi]
            //   43                   | inc                 ebx
            //   88440a2e             | mov                 byte ptr [edx + ecx + 0x2e], al
            //   8b4dd8               | mov                 ecx, dword ptr [ebp - 0x28]
            //   8b55b4               | mov                 edx, dword ptr [ebp - 0x4c]

        $sequence_8 = { 8932 897204 897208 5e 5d c20400 6a18 }
            // n = 7, score = 200
            //   8932                 | mov                 dword ptr [edx], esi
            //   897204               | mov                 dword ptr [edx + 4], esi
            //   897208               | mov                 dword ptr [edx + 8], esi
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   6a18                 | push                0x18

        $sequence_9 = { 8d8dd0fdffff e8???????? 8d4dac c645fc06 }
            // n = 4, score = 200
            //   8d8dd0fdffff         | lea                 ecx, [ebp - 0x230]
            //   e8????????           |                     
            //   8d4dac               | lea                 ecx, [ebp - 0x54]
            //   c645fc06             | mov                 byte ptr [ebp - 4], 6

    condition:
        // Fire when at least 7 of the 10 sequences are present and the file is
        // smaller than 319488 bytes (312 KiB). The size cap bounds the scan to
        // small executables; it is presumably derived from the reference
        // samples, so confirm it against your own corpus before relying on it.
        // Note that $sequence_7 embeds an absolute address (0x421b70), which
        // ties that one sequence to a particular image base / build.
        7 of them and filesize < 319488
}
[TLP:WHITE] win_thunderx_w0   (20200915 | Rule to detect the ThunderX ransomware family)
import "pe"

rule win_thunderx_w0 {
   // McAfee ATR signature for the ThunderX ransomware: a set of hex-encoded
   // command / configuration strings, one plaintext API name and three raw
   // code sequences, gated on the MZ header, a size cap and a PE import hash.
   // Requires `import "pe"` at file level for pe.imphash().
   meta:
      description = "Rule to dettect tthe ThunderX ransomware family"
      author = "Christiaan Beek @ McAfee ATR team"
      date = "2020-09-14"
      rule_version = "v1"
      malware_type = "ransomware"
      malware_family = "Ransomware:W32/ThunderX"
      actor_type = "Cybercrime"
      actor_group = "Unknown"
      // 64 hex digits each (SHA-256 length) - presumably the reference samples
      // the strings and imphash below were taken from.
      hash1 = "7bab5dedef124803668580a59b6bf3c53cc31150d19591567397bbc131b9ccb6"
      hash2 = "0fbfdb8340108fafaca4c5ff4d3c9f9a2296efeb9ae89fcd9210e3d4c7239666"
      hash3 = "7527459500109b3bb48665236c5c5cb2ec71ba789867ad2b6417b38b9a46615e"
      source = "https://github.com/advanced-threat-research/Yara-Rules/blob/master/ransomware/Ransom_ThunderX.yar"
      malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunderx"
      malpedia_rule_date = "20200915"
      malpedia_hash = ""
      malpedia_version = "20200915"
      malpedia_license = "CC BY-SA 4.0"
      malpedia_sharing = "TLP:WHITE"

   strings:
      // NOTE: $pattern1 and $s3-$s20 are double-quoted *text* strings, not
      // `{ }` hex byte patterns. YARA therefore matches the literal characters
      // "6263..." in the file, i.e. the sample stores these values as
      // uppercase hex text. Matching is case-sensitive (no `nocase`), so a
      // lowercase-hex encoding would not hit. The ASCII each string decodes
      // to is noted alongside for triage; the first group are the
      // backup/recovery-inhibition commands the 2021-05-06 Cyborg Security
      // reference hunts for.
   
      $pattern1 = "626364656469742E657865202F736574207B64656661756C747D20626F6F74737461747573706F6C6963792069676E6F7265616C6C6661696C75726573" // bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
     
      $s3 = "776261646D696E2044454C4554452053595354454D53544154454241434B5550202D64656C6574654F6C64657374" ascii // wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      $s4 = "626364656469742E657865202F736574207B64656661756C747D207265636F76657279656E61626C6564204E6F" ascii // bcdedit.exe /set {default} recoveryenabled No
      $s5 = "776261646D696E2044454C4554452053595354454D53544154454241434B5550" ascii // wbadmin DELETE SYSTEMSTATEBACKUP
      $s6 = "433A5C50726F6772616D2046696C65732028783836295C4D6963726F736F66742053514C20536572766572" ascii // C:\Program Files (x86)\Microsoft SQL Server
      $s7 = "476C6F62616C5C33353335354641352D303745392D343238422D423541352D314338384341423242343838" ascii // Global\35355FA5-07E9-428B-B5A5-1C88CAB2B488 (looks like a mutex name)
      $s8 = "433A5C50726F6772616D2046696C65735C4D6963726F736F66742053514C20536572766572" ascii // C:\Program Files\Microsoft SQL Server
      $s9 = "76737361646D696E2E6578652044656C65746520536861646F7773202F416C6C202F5175696574" ascii // vssadmin.exe Delete Shadows /All /Quiet
      $s10 = "776D69632E65786520534841444F57434F5059202F6E6F696E746572616374697665" ascii // wmic.exe SHADOWCOPY /nointeractive
      $s11 = "534F4654574152455C4D6963726F736F66745C45524944" ascii // SOFTWARE\Microsoft\ERID (registry path)
      $s12 = "AppPolicyGetProcessTerminationMethod" fullword ascii // plaintext API name, the only non-hex-encoded text string
      $s13 = "7B5041545445524E5F49447D" ascii // {PATTERN_ID}
      $s14 = "726561646D652E747874" ascii // readme.txt
      $s15 = "226E6574776F726B223A22" ascii // "network":"   (JSON config key fragment)
      $s16 = "227375626964223A22" ascii // "subid":"
      $s17 = "226C616E67223A22" ascii // "lang":"
      $s18 = "22657874223A22" ascii // "ext":"
      $s19 = "69642E6B6579" ascii // id.key
      $s20 = "7B5549447D" ascii // {UID}

      // Raw code bytes. $seq0 and $seq2 contain what appear to be absolute
      // addresses (`10 c4 41 00`, `34 81 41 00`), so they are likely tied to a
      // specific build / image base and may not survive a recompile.
      $seq0 = { eb 34 66 0f 12 0d 10 c4 41 00 f2 0f 59 c1 ba cc }
      $seq1 = { 6a 07 50 e8 51 ff ff ff 8d 86 d0 }
      $seq2 = { ff 15 34 81 41 00 eb 15 83 f8 fc 75 10 8b 45 f4 }
   condition:
      // `and` binds tighter than `or`, so this reads as:
      //   ( MZ header AND size < 400KB AND imphash matches AND $pattern1 AND
      //     at least 4 strings AND all three $seq code sequences )
      //   OR ( every string in the rule matches ).
      // `4 of them` counts across all strings, $pattern1 and the $seq
      // patterns included. Because the first branch pins the import hash and
      // the build-specific $seq bytes, a sample with a different imphash can
      // only match via the second branch, which needs every string present.
      ( uint16(0) == 0x5a4d and filesize < 400KB and pe.imphash() == "ea7e408cd2a264fd13492973e97d8d70" and $pattern1 and 4 of them ) and all of ($seq*) or ( all of them )
}