The ThunderX ransomware has been renamed "Ranzy Locker" and last week launched a data leak site, "Ranzy Leak", which publicly shames victims who refuse to pay the ransom demanded by the ransomware operators.
ThunderX is a ransomware operation that began its activity at the end of last August. Shortly after it appeared in the threat landscape, bugs were found in the ransomware that allowed Tesorion to release a free decryptor. The ransomware operators quickly fixed the bugs and released a new version of the ransomware called "Ranzy Locker".
Although the attackers changed the name of the ransomware they developed, the PDB debug file strings in the ransomware executable appear to be the same as in ThunderX.
MalwareHunterTeam has discovered a sample of the ransomware that reveals some information about how it works. When it starts, Ranzy Locker first deletes the Shadow Volume Copies, so that victims cannot use them to recover encrypted files. When encrypting files, the ransomware uses a Windows API called the "Windows Restart Manager" to terminate processes or services that keep a file open and would otherwise prevent it from being encrypted. For each encrypted file, the ransomware appends the new extension .ranzy to the file name. For example, a file named 1.doc is encrypted and renamed to 1.doc.ranzy.
In each traversed folder, the ransomware creates a ransom note named Readme.txt, which contains information about what happened to the victim's data, a warning that their data was stolen, and a link that directs the victim to a Tor site where they can negotiate with the attackers. In previous versions of the ThunderX ransomware, its operators communicated with their victims through e-mail instead of using a dedicated Tor site.
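The two on-disk artifacts described above (files renamed with the new .ranzy extension and a Readme.txt note dropped in every traversed folder) are what a defender can alert on. The following is an added example, not code from the article or from any vendor tool: it scans a constructed, simplified file-event stream (timestamp, host, action, path) and flags hosts showing a burst of .ranzy renames or ransom notes in several folders. The event format and the thresholds are illustrative assumptions, not published indicators.

```python
"""Flag Ranzy Locker-style file activity in endpoint file-event logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath  # splits Windows paths correctly even when run on Linux

RANSOM_EXT = ".ranzy"     # extension appended to every encrypted file
NOTE_NAME = "readme.txt"  # ransom note dropped in each traversed folder

# Constructed sample events (assumed format: ISO timestamp,host,action,path).
# ws01 shows an infection; ws02 is a user creating a harmless Readme.txt.
SAMPLE_LOG = r"""
2020-10-20T09:00:01,ws01,rename,C:\Users\alice\Docs\1.doc.ranzy
2020-10-20T09:00:01,ws01,create,C:\Users\alice\Docs\Readme.txt
2020-10-20T09:00:02,ws01,rename,C:\Users\alice\Docs\2.xlsx.ranzy
2020-10-20T09:00:03,ws01,rename,C:\Users\alice\Pics\a.jpg.ranzy
2020-10-20T09:00:03,ws01,create,C:\Users\alice\Pics\Readme.txt
2020-10-20T09:00:04,ws01,rename,C:\Users\alice\Pics\b.jpg.ranzy
2020-10-20T09:00:05,ws01,rename,D:\Share\q3.pptx.ranzy
2020-10-20T09:00:05,ws01,create,D:\Share\Readme.txt
2020-10-20T09:05:00,ws02,create,C:\Users\bob\Readme.txt
2020-10-20T09:30:00,ws02,rename,C:\Users\bob\notes.txt
""".strip().splitlines()


def parse_event(line):
    ts, host, action, path = line.split(",", 3)
    return datetime.fromisoformat(ts), host, action, path.strip()


def detect(lines, min_renames=5, min_note_dirs=3, window=timedelta(minutes=5)):
    """Return one alert per host that trips either heuristic (thresholds are assumptions)."""
    renames = defaultdict(list)   # host -> timestamps of renames to *.ranzy
    note_dirs = defaultdict(set)  # host -> distinct folders holding a Readme.txt
    for line in lines:
        ts, host, action, path = parse_event(line)
        name = ntpath.basename(path).lower()
        if action == "rename" and name.endswith(RANSOM_EXT):
            renames[host].append(ts)
        elif action == "create" and name == NOTE_NAME:
            note_dirs[host].add(ntpath.dirname(path).lower())
    alerts = []
    for host in sorted(set(renames) | set(note_dirs)):
        stamps = sorted(renames[host])
        # largest number of .ranzy renames falling inside any sliding window
        burst = max((sum(1 for t in stamps if s <= t <= s + window) for s in stamps), default=0)
        if burst >= min_renames or len(note_dirs[host]) >= min_note_dirs:
            alerts.append({"host": host, "ranzy_renames_in_window": burst,
                           "note_folders": len(note_dirs[host])})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Only ws01 is reported; the single Readme.txt on ws02 stays below the folder threshold, which is the kind of false positive a note-name match alone would produce.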
When a victim visits the Tor payment site, they are greeted with the message "Locked by Ranzy Locker" and a live chat screen for starting negotiations with the attackers. As part of this "service", the ransomware operators allow victims to decrypt three files for free to prove that decryption is possible.
According to BleepingComputer, many ransomware gangs use a double-extortion attack method, in which they steal unencrypted files from a victim before encrypting the devices on the corporate network.
Using this method, the attackers pressure their victims to pay the ransom in two ways: they claim that if the victim pays the demanded ransom, a) their files will be restored and b) their stolen data will not be leaked.
It is noteworthy that the Tor onion URL used by the "Ranzy Leak" data leak site is the same one previously used by the Ako ransomware. Sharing Ako's URL could mean that the two gangs merged to form Ranzy Locker, or that they work together in a manner similar to the Maze cartel.