Sunday, November 1, 10:49

ThunderX ransomware: Rename and data leak site works!

The ThunderX ransomware has been renamed "Ranzy Locker", and last week its operators launched a data leak site, "Ranzy Leak", which names and shames victims who refuse to pay the ransom.

ThunderX is a ransomware operation that began activity at the end of last August. Shortly after it appeared on the threat landscape, flaws were found in the ransomware that allowed Tesorion to release a free decryptor. The operators quickly fixed the bugs and released a new version of the ransomware under the name "Ranzy Locker".


Although the attackers renamed the ransomware, the PDB debug path string embedded in the Ranzy Locker executable appears to be the same as in ThunderX.

MalwareHunterTeam discovered a sample of the ransomware that shows how it operates. When it starts, Ranzy Locker first deletes the Shadow Volume Copies so that victims cannot use them to recover the encrypted files. While encrypting files, the ransomware uses the Windows Restart Manager API to terminate processes or services that keep a file open and would otherwise prevent it from being encrypted. For each encrypted file, the ransomware appends the extension .ranzy to the file name. For example, a file named 1.doc is encrypted and renamed to 1.doc.ranzy.


In each folder it traverses, the ransomware drops a ransom note named Readme.txt, which explains what happened to the victim's data, warns that the data has also been stolen, and contains a link to a Tor site where the victim can negotiate with the attackers. Earlier versions of ThunderX communicated with victims by e-mail rather than through a dedicated Tor site.
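A detection-side example, added here and not part of the original article: it replays constructed Sysmon-style event lines (not real telemetry) and flags the three behaviours described in the two paragraphs above, shadow copy deletion, files renamed to <name>.ranzy by a single process, and a Readme.txt dropped in folders that process is encrypting. The vssadmin/wmic command lines, the event field names and the rename threshold are assumptions; the article only names the behaviours.

```python
"""Behavioural detection for the Ranzy Locker activity described above.

The events are constructed Sysmon-style lines (not real telemetry) and the
field names, the vssadmin/wmic command lines and RENAME_THRESHOLD are
assumptions; the article only states that shadow copies are deleted, that
files are renamed to <name>.ranzy and that Readme.txt is dropped per folder.
"""
import re
from collections import defaultdict

# Constructed sample: one process deletes shadow copies, a second one renames
# files and drops the note; the last two lines are benign noise.
SAMPLE_EVENTS = [
    r'2020-10-30T12:00:01Z ProcessCreate pid=4412 ppid=4408 image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"',
    r'2020-10-30T12:00:03Z FileRename pid=4408 old=C:\Users\bob\Documents\1.doc new=C:\Users\bob\Documents\1.doc.ranzy',
    r'2020-10-30T12:00:03Z FileRename pid=4408 old=C:\Users\bob\Documents\budget.xlsx new=C:\Users\bob\Documents\budget.xlsx.ranzy',
    r'2020-10-30T12:00:03Z FileCreate pid=4408 path=C:\Users\bob\Documents\Readme.txt',
    r'2020-10-30T12:00:04Z FileRename pid=4408 old=C:\Users\bob\Pictures\a.jpg new=C:\Users\bob\Pictures\a.jpg.ranzy',
    r'2020-10-30T12:00:04Z FileCreate pid=4408 path=C:\Users\bob\Pictures\Readme.txt',
    r'2020-10-30T12:00:09Z FileRename pid=1337 old=C:\Temp\report.tmp new=C:\Temp\report.docx',
    r'2020-10-30T12:00:10Z ProcessCreate pid=5000 ppid=900 image=C:\Windows\System32\notepad.exe cmdline="notepad.exe C:\Temp\notes.txt"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Common shadow-copy deletion command lines (assumed, not taken from the article).
SHADOW_DELETE_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
RANSOM_EXT = ".ranzy"
RANSOM_NOTE = "readme.txt"
RENAME_THRESHOLD = 3   # assumption: tune to the environment's normal rename rate


def parse_event(line):
    """Split '<timestamp> <kind> k=v k="v with spaces" ...' into a dict."""
    ts, kind, rest = line.split(" ", 2)
    fields = {k: quoted or bare for k, quoted, bare in KV_RE.findall(rest)}
    fields["ts"], fields["kind"] = ts, kind
    return fields


def detect(lines):
    """Return (alert_type, pid, detail) tuples in the order they fire."""
    alerts = []
    ranzy_renames = defaultdict(int)   # pid -> count of *.ranzy renames seen
    note_folders = defaultdict(set)    # pid -> folders where Readme.txt appeared
    for line in lines:
        ev = parse_event(line)
        pid = ev.get("pid", "?")
        if ev["kind"] == "ProcessCreate" and SHADOW_DELETE_RE.search(ev.get("cmdline", "")):
            alerts.append(("shadow_copy_deletion", pid, ev["cmdline"]))
        elif ev["kind"] == "FileRename":
            # Appended-extension pattern from the article: 1.doc -> 1.doc.ranzy
            if ev["new"].lower() == ev["old"].lower() + RANSOM_EXT:
                ranzy_renames[pid] += 1
                if ranzy_renames[pid] == RENAME_THRESHOLD:
                    alerts.append(("mass_rename_ranzy", pid,
                                   f"{RENAME_THRESHOLD} files renamed to *{RANSOM_EXT}"))
        elif ev["kind"] == "FileCreate":
            folder, _, name = ev["path"].rpartition("\\")
            # A Readme.txt is only suspicious when the same process is renaming to .ranzy
            if name.lower() == RANSOM_NOTE and ranzy_renames[pid] and folder not in note_folders[pid]:
                note_folders[pid].add(folder)
                alerts.append(("ransom_note_drop", pid, folder))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The Restart Manager use is harder to catch in file and process telemetry: it appears as rstrtmgr.dll being loaded by a process that has no reason to manage restarts, but legitimate installers and Office also load that DLL, so treat it as a low-confidence signal to correlate with the rename and note-drop alerts rather than as a rule on its own.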

When a victim visits the Tor payment site, they are greeted with the message "Locked by Ranzy Locker" and a live chat window for starting negotiations with the attackers. As part of this "service", the operators let victims decrypt three files for free to prove that decryption is possible.


According to BleepingComputer, many ransomware gangs now use a double-extortion model, in which they steal unencrypted files from a victim before encrypting the devices on the corporate network.

This gives the attackers two levers to pressure victims into paying: they promise that, if the ransom is paid, a) the victim's files will be restored and b) the stolen data will not be leaked.

Notably, the Tor onion URL used by the "Ranzy Leak" data leak site is the same one previously used by the Ako ransomware. Sharing Ako's URL could mean that the two gangs merged to form Ranzy Locker, or that they are cooperating in a way similar to the Maze cartel.
