fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

ThunderX Ransomware Rebrands As Ranzy Locker, Adds Data Leak Site

ThunderX Ransomware Rebrands As Ranzy Locker, Adds Data Leak Site

ThunderX has changed its name to Ranzy Locker and launched a data leak site where they shame victims who do not pay the ransom.

ThunderX is a ransomware operation that was launched at the end of August 2020. Soon after launching, weaknesses were found in the ransomware that allowed a free decryptor to be released by Tesorion.

The ransomware operators quickly fixed their bugs and released a new version of the ransomware under Ranzy Locker name.

While the name has changed, strings associated with a PDB debug file in the ransomware executables still show it is the same as ThunderX.

C:\Users\Gh0St\Desktop\ThunderX\Release\LockerStub.pdb

BleepingComputer’s theory is that they rebranded to start with a clean slate and avoid the stigma of being associated with the previously released decryptor.

Meet the Ranzy Locker ransomware

Using a sample of the ransomware found by MalwareHunterteam and shared with BleepingComputer, we can get a deeper dive into how the ransomware operates.

When launched, Ranzy Locker will first clear Shadow Volume Copies so that victims can’t use it to recover encrypted files.

vssadmin.exe Delete Shadows /All /Quiet;

When encrypting files, the ransomware will use a Windows API called the ‘Windows Restart Manager‘ that will terminate processes or Windows services that keep a file open and prevent it from being encrypted.

Windows Restart Manager
Windows Restart Manager

For each encrypted file, the ransomware appends the new .ranzy extension to the file’s name. For example, a file named 1.doc would be encrypted and renamed to 1.doc.ranzy.

Also Read: 6 Simple Guides On PDPA Clause For Agreements Of Personal Data

Ranzy Locker encrypted files
Ranzy Locker encrypted files

In each traversed folder, the ransomware will create a ransom note named ‘readme.txt‘ that includes information about what happened to a victim’s data, a warning that their data was stolen, and a link to a Tor site where the victim can negotiate with the threat actors.

It should be noted that in previous versions of ThunderX, the ransomware operators communicated with victims via email rather than using a dedicated Tor site.

Ranzy Locker ransom note
Ranzy Locker ransom note

When a victim visits the Tor payment site, they will be greeted with a ‘Locked by Ranzy Locker’ message and be shown a live chat screen to negotiate with the threat actors.  As part of this ‘service,’ the ransomware operators allow victims to decrypt three files for free to prove that they can do so.

Ranzy Locker Tor payment site
Ranzy Locker Tor payment site

Also Read: MAS Technology Risk Management Guidelines

Ranzy Locker launches a data leak site

Many ransomware gangs utilize a double-extortion attack method, which is to steal unencrypted files from a victim before they encrypt the devices on the corporate network.

This attack method provides the threat actors two ways to leverage the victim into paying a ransomware — pay to get their files back and not have their data publicly leaked.

This week, the Ranzy Locker gang released a data leak site called ‘Ranzy Leak’ to leak the data of victims who do not pay.

Ranzy leak site

This web site currently includes one victim who develops power control solutions.

An item of interest is that the Tor onion URL used by the Ranzy Leak site is the same as the one previously used by Ako Ransomware.

The use of Ako’s URL could indicate that both groups merged to form Ranzy Locker, or they are cooperating similarly as the Maze cartel.

Update 10/16/20: The Ako ransomware operators contacted us and stated ThunderX is part of their operation and that they have rebranded to Ranzy Locker.

“Because we update our original ransomware and its little rebranding. 

ThunderX is test version our update, but some US kids share this build on virustotal — oops.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us