Ranzy ransomware emerged in September/October 2020 and appears to be an evolution of ThunderX and, to a lesser extent, Ako ransomware. Ranzy shares many features and under-the-hood elements with its predecessors.
However, there have been a few key updates: tweaks to the encryption scheme, changes to the data exfiltration methods, and the (now commonplace) use of a public "leak blog" where victim data is posted if the ransom demand is not met.
Reference: https://labs.sentinelone.com/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/
Malware Families: Ranzy Ransomware, ThunderX Ransomware
Att&ck IDs:
- T1027 – Obfuscated Files or Information
- T1090 – Proxy
- T1566 – Phishing
- T1012 – Query Registry
- T1031 – Modify Existing Service (deprecated ATT&CK ID; this behaviour is now tracked under T1543.003 – Create or Modify System Process: Windows Service)
- T1082 – System Information Discovery
- T1112 – Modify Registry
- T1120 – Peripheral Device Discovery
- T1490 – Inhibit System Recovery
- T1070.004 – File Deletion
- T1204.002 – Malicious File
- FileHash-SHA1 38b86dacb1568af968365663c548bd9556fe0849
- FileHash-SHA1 35a663c2ce68e48f1a6bcb71dc92a86b36d4c497
- FileHash-SHA1 9a77e2f8bf0da35f7d84897c187e3aff322f024d
- FileHash-SHA1 43ccf398999f70b613e1353cfb6845ee09b393ca
- FileHash-SHA1 20102532dfc58bc8256f507da4a177850f349f7a
- FileHash-MD5 bbf6bbbd644c5f63bb6b3bc5dc9c8b8d
- FileHash-MD5 fb1cb205656a373e1f5e25840fe23c4d
- FileHash-MD5 d43a48dcfbcd0587d79033b4cd20437a
- FileHash-MD5 954479f95ce67fcb855c5b882d68e74b
- FileHash-SHA256 bbf122cce1176b041648c4e772b230ec49ed11396270f54d25956113caf7b7 (only 62 hex characters as given; this value is truncated and will not match a full SHA-256 digest)
- FileHash-SHA256 393fd0768b24cd76ca653af3eba9bff93c6740a2669b30cf59f8a064c46437a2
- FileHash-SHA256 ade5d0fe2679fb8af652e14c40e099e0c1aaea950c25165cebb1550e33579a79
- FileHash-SHA256 c4f72b292750e9332b1f1b9761d5aefc07301bc15edf31adeaf2e608000ec1c9
- FileHash-SHA256 90691a36d1556ba7a77d0216f730d6cd9a9063e71626489094313c0afe85a939
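Added example, not code from the pulse or from the SentinelOne write-up: a small Python script that loads the hash indicators listed above, rejects any entry that is not well-formed for its algorithm (the first SHA-256 value as it appears on this page is 62 hex characters long, so it is reported rather than silently loaded as a hash that can never match), and then hashes every file under a directory in one pass to look for matches. The directory, file names and file contents used in the demo are constructed for the example; no real samples are involved.

```python
import hashlib
import os
import re
import tempfile

# Copy of the hash indicators from the pulse above. The first SHA-256 line is
# reproduced exactly as it appears on the page (62 hex characters) so that the
# validator below demonstrates rejecting it. Mixed "- " prefixes mirror the page.
PULSE_IOCS = """\
- FileHash-SHA1 38b86dacb1568af968365663c548bd9556fe0849
FileHash-SHA1 35a663c2ce68e48f1a6bcb71dc92a86b36d4c497
FileHash-SHA1 9a77e2f8bf0da35f7d84897c187e3aff322f024d
FileHash-SHA1 43ccf398999f70b613e1353cfb6845ee09b393ca
FileHash-SHA1 20102532dfc58bc8256f507da4a177850f349f7a
- FileHash-MD5 bbf6bbbd644c5f63bb6b3bc5dc9c8b8d
- FileHash-MD5 fb1cb205656a373e1f5e25840fe23c4d
- FileHash-MD5 d43a48dcfbcd0587d79033b4cd20437a
- FileHash-MD5 954479f95ce67fcb855c5b882d68e74b
- FileHash-SHA256 bbf122cce1176b041648c4e772b230ec49ed11396270f54d25956113caf7b7
- FileHash-SHA256 393fd0768b24cd76ca653af3eba9bff93c6740a2669b30cf59f8a064c46437a2
- FileHash-SHA256 ade5d0fe2679fb8af652e14c40e099e0c1aaea950c25165cebb1550e33579a79
- FileHash-SHA256 c4f72b292750e9332b1f1b9761d5aefc07301bc15edf31adeaf2e608000ec1c9
- FileHash-SHA256 90691a36d1556ba7a77d0216f730d6cd9a9063e71626489094313c0afe85a939
"""

# Expected hex length per indicator type, and the hashlib algorithm it maps to.
HEX_LENGTHS = {"FileHash-MD5": 32, "FileHash-SHA1": 40, "FileHash-SHA256": 64}
ALGOS = {"FileHash-MD5": "md5", "FileHash-SHA1": "sha1", "FileHash-SHA256": "sha256"}


def parse_iocs(text):
    """Parse "FileHash-<ALGO> <hex>" lines.

    Returns (valid, rejected): valid maps algo name -> set of lowercase digests,
    rejected is a list of (original_line, reason) for malformed entries.
    """
    valid = {"md5": set(), "sha1": set(), "sha256": set()}
    rejected = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("- ").strip()   # tolerate bullet prefixes
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0] not in HEX_LENGTHS:
            rejected.append((raw, "unrecognised indicator type"))
            continue
        kind, value = parts
        value = value.lower()
        want = HEX_LENGTHS[kind]
        if not re.fullmatch(r"[0-9a-f]{%d}" % want, value):
            rejected.append((raw, "expected %d hex chars, got %d" % (want, len(value))))
            continue
        valid[ALGOS[kind]].add(value)
    return valid, rejected


def hash_file(path):
    """Compute MD5, SHA-1 and SHA-256 of a file in a single streamed read."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def scan_tree(root, iocs):
    """Walk root and return [(path, algo, digest)] for files matching any IOC."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue   # unreadable/transient files are skipped, not fatal
            for algo, digest in digests.items():
                if digest in iocs[algo]:
                    hits.append((path, algo, digest))
    return hits


def demo_scan():
    """Stand-alone demonstration on constructed data: a temporary directory
    holding one benign file whose SHA-256 is added to the IOC set, plus one
    unrelated file. Returns the list of hits (expected: the one planted file)."""
    iocs, _ = parse_iocs(PULSE_IOCS)
    with tempfile.TemporaryDirectory() as root:
        sample = os.path.join(root, "constructed_sample.bin")
        with open(sample, "wb") as fh:
            fh.write(b"constructed benign test content, not a Ranzy sample\n")
        iocs["sha256"].add(hash_file(sample)["sha256"])   # plant a known match
        with open(os.path.join(root, "clean.txt"), "wb") as fh:
            fh.write(b"unrelated file\n")
        return scan_tree(root, iocs)


if __name__ == "__main__":
    loaded, bad = parse_iocs(PULSE_IOCS)
    print({k: len(v) for k, v in loaded.items()}, "indicators loaded")
    for line, reason in bad:
        print("REJECTED:", line.strip(), "->", reason)
    for path, algo, digest in demo_scan():
        print("HIT:", path, algo, digest)
```

Validating indicator length before loading matters in practice: a truncated digest in a blocklist never matches anything, so the feed silently loses coverage for that sample while appearing to be deployed. For a real sweep, point scan_tree at the directory of interest and pass the validated set from parse_iocs; the hits list can then be fed into whatever triage workflow is in use.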