{
	"id": "8140a488-af74-40bc-a822-6ee8ee0e1ae5",
	"created_at": "2026-04-06T00:11:26.685212Z",
	"updated_at": "2026-04-10T03:22:12.12509Z",
	"deleted_at": null,
	"sha1_hash": "2a877087d48f5dbf1950feac2444d201b9f3be4f",
	"title": "Ranzy Ransomware | Better Encryption Among New Features of ThunderX Derivative - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2392523,
	"plain_text": "Ranzy Ransomware | Better Encryption Among New Features of ThunderX Derivative - SentinelLabs\r\nBy Jim Walter\r\nPublished: 2020-11-18 · Archived: 2026-04-05 17:57:57 UTC\r\nBackground\r\nRanzy ransomware emerged in September/October this year, and appears to be an evolution of ThunderX and, to a lesser extent, Ako ransomware. Ranzy shares many features and under-the-hood elements with its predecessors. However, there have been a few key updates, including tweaks to encryption, methods of exfiltration, and the (now commonplace) use of a public “leak blog” to post victim data for those who do not comply with the ransom demand.\r\nEvolution of Ranzy Ransomware\r\nAt its heart, Ranzy is a RaaS (Ransomware as a Service) offering. Payloads are typically distributed via email (phishing), although there are some reports of delivery via the web (drive-by downloads). The “rebrand” from ThunderX to Ranzy occurred after free decryption programs for ThunderX started to appear. A free decryption tool for ThunderX was posted to the NoMoreRansom project in September of this year.\r\nThis ‘rebrand’ distances the actors from ThunderX and improves upon the encryption mechanism so as to reduce the feasibility of future free decryption tools. With ThunderX emerging around August 2020, the lifecycle of this particular family has been rather short throughout its evolution. Note that some early samples of Ako were observed around January 2020.\r\nAs we observed with Ako and ThunderX, the primary delivery method is email (phish) with the malicious payload attached. Current samples (Ranzy Locker 1.1) append a .ranzy extension to encrypted files (early versions used just .RNZ). Also of note, current Ranzy Locker payloads tend to include the same PDB path as their ThunderX ancestors:\r\nC:\\Users\\Gh0St\\Desktop\\ThunderX\\Release\\LockerStub.pdb\r\nhttps://labs.sentinelone.com/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/\r\nPage 1 of 7\n\nImproved Encryption Routines\r\nRanzy uses a combination of encryption algorithms to affect targeted data. An embedded RSA-2048 key is built into the ransomware payloads, with Salsa20 being used for the actual file/data encryption. Ranzy contains functionality to locate and encrypt additional local drives (GetLogicalDrives), as well as adjacent (and accessible) network drives (NetShareEnum).\r\nRanzy, like ThunderX and Ako, will attempt to encrypt multiple file types by extension while excluding specific extensions and/or paths based on strings. Files whose extensions are not .dll, .exe, .ini, .lnk, .key or .rdp are eligible for encryption. The ransomware will also exclude specific critical paths whose strings include AppData, boot, PerfLogs, PerfBoot, Intel, Microsoft, Windows and Tor Browser.\r\nOnce launched, Ranzy payloads take a number of steps in order both to ensure maximum impact (encryption) and to inhibit standard recovery options where possible. Specific commands and syntax can vary across Windows versions and flavors. This includes the use of standard system tools to manipulate VSS and boot-time recovery options.\r\nAfter execution, the ransomware will swiftly call WMIC.EXE with the following syntax:\r\nwmic.exe SHADOWCOPY /nointeractive\r\nThe following WBADMIN, BCDEDIT, and VSSADMIN commands are then issued to shift the victim host to the desired, compromised, state:\r\nwbadmin DELETE SYSTEMSTATEBACKUP\r\nwbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest\r\nbcdedit.exe /set {default} recoveryenabled No\r\nbcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nvssadmin.exe Delete Shadows /All /Quiet\r\nRanzy Locker makes use of the Windows ‘Restart Manager’ API to assist in terminating any problematic process standing in the way of encryption or further manipulation of target systems. It is not uncommon for explorer.exe or other running processes to quickly exit and relaunch once Ranzy’s process begins.\r\nBoth Ranzy versions analyzed appear to retain the same multithreading capabilities that first appeared in ThunderX. The payload will first identify the number of processors available via GetSystemInfo(). Following this, the ransomware will leverage an I/O completion port (IoCompletionPort) to generate a queue of files which are to be encrypted. Then, the ransomware allocates a number of threads equal to 2x the count of processors identified. This allows for fairly competitive (and therefore dangerous) encryption speeds when compared to the likes of Maze or NetWalker.\r\nPost Encryption Behavior\r\nRanzy’s ransom notes are deposited into each folder containing affected files/data. Across the analyzed versions, these are always identified with the name readme.txt. There are minor variations in the ransom notes across versions of the ransomware. That being said, the basic structure and content across ThunderX, Ranzy and Ranzy 1.1 are all quite similar.\r\nExamples of the Ranzy and Ranzy 1.1 ransom notes can be seen below.\r\nPerhaps the most significant difference between the ransom notes is that with Ranzy 1.1, victims are instructed to access a TOR-based portal for payment, further instructions and “support” (live chat). Previous variations simply instructed victims to reach out via email for further instructions.\r\nNon-compliant victims are currently being cataloged on the group’s blog, entitled “Ranzy Leak”. As of this writing there are 3 victims listed on the site, representing the electrical engineering, security \u0026 investigations, and government administration industries.\r\nConclusion\r\nThe Ranzy, ThunderX and Ako family is yet another example of how nimble and aggressive these threats, and the actors behind them, are becoming. With little to no barrier to entry (beyond a small investment of cash), any enterprising cybercriminal can gain access to, and manage, ransomware like Ranzy, potentially causing a great deal of financial damage. As we know, this damage is not limited to the direct payment of the ransom (which you should avoid), but now also includes any penalties associated with data breaches, public posting of private data, GDPR / compliance fallout, and beyond.\r\nThese threats are very agile, and it is clear that the actors behind them are paying attention to efforts on the defense side. For example, when decryptor utilities are released, they quickly update their code and start distributing better and stronger payloads to nullify any workarounds.\r\nIndicators of Compromise\r\nSHA256\r\nc4f72b292750e9332b1f1b9761d5aefc07301bc15edf31adeaf2e608000ec1c9\r\n393fd0768b24cd76ca653af3eba9bff93c6740a2669b30cf59f8a064c46437a2\r\n90691a36d1556ba7a77d0216f730d6cd9a9063e71626489094313c0afe85a939\r\nbbf122cce1176b041648c4e772b230ec49ed11396270f54ad2c5956113caf7b7\r\nade5d0fe2679fb8af652e14c40e099e0c1aaea950c25165cebb1550e33579a79\r\nSHA1\r\n43ccf398999f70b613e1353cfb6845ee09b393ca\r\n35a663c2ce68e48f1a6bcb71dc92a86b36d4c497\r\n38b86dacb1568af968365663c548bd9556fe0849\r\n20102532dfc58bc8256f507da4a177850f349f7a\r\n9a77e2f8bf0da35f7d84897c187e3aff322f024d\r\nMITRE ATT\u0026CK\r\nIndicator Removal on Host: File Deletion T1070.004\r\nModify Registry T1112\r\nQuery Registry T1012\r\nSystem Information Discovery T1082\r\nPeripheral Device Discovery T1120\r\nInhibit System Recovery T1490\r\nCreate or Modify System Process: Windows Service T1031\r\nExfiltration TA0010\r\nSource: https://labs.sentinelone.com/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.sentinelone.com/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/"
	],
	"report_names": [
		"ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative"
	],
	"threat_actors": [],
	"ts_created_at": 1775434286,
	"ts_updated_at": 1775791332,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2a877087d48f5dbf1950feac2444d201b9f3be4f.pdf",
		"text": "https://archive.orkl.eu/2a877087d48f5dbf1950feac2444d201b9f3be4f.txt",
		"img": "https://archive.orkl.eu/2a877087d48f5dbf1950feac2444d201b9f3be4f.jpg"
	}
}