{
	"id": "d0fcb15f-8916-438c-ae2a-9fda92568527",
	"created_at": "2026-04-10T03:20:43.115699Z",
	"updated_at": "2026-04-10T13:11:29.538492Z",
	"deleted_at": null,
	"sha1_hash": "49c4ddcee33268053a9dd1f6ab307e1b8bd78264",
	"title": "ThunderX Ransomware rebrands as Ranzy Locker, adds data leak site",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4694221,
	"plain_text": "ThunderX Ransomware rebrands as Ranzy Locker, adds data leak\r\nsite\r\nBy Lawrence Abrams\r\nPublished: 2020-10-16 · Archived: 2026-04-10 02:52:35 UTC\r\nThunderX has changed its name to Ranzy Locker and launched a data leak site where they shame victims who do\r\nnot pay the ransom.\r\nThunderX is a ransomware operation that was launched at the end of August 2020. Soon after launching,\r\nweaknesses were found in the ransomware that allowed a free decryptor to be released by Tesorion.\r\nThe ransomware operators quickly fixed their bugs and released a new version of the ransomware under Ranzy\r\nLocker name.\r\nWhile the name has changed, strings associated with a PDB debug file in the ransomware executables still show it\r\nis the same as ThunderX.\r\nhttps://www.bleepingcomputer.com/news/security/thunderx-ransomware-rebrands-as-ranzy-locker-adds-data-leak-site/\r\nPage 1 of 7\n\nC:\\Users\\Gh0St\\Desktop\\ThunderX\\Release\\LockerStub.pdb\r\nBleepingComputer's theory is that they rebranded to start with a clean slate and avoid the stigma of being\r\nassociated with the previously released decryptor.\r\nMeet the Ranzy Locker ransomware\r\nUsing a sample of the ransomware found by MalwareHunterteam and shared with BleepingComputer, we can get\r\na deeper dive into how the ransomware operates.\r\nWhen launched, Ranzy Locker will first clear Shadow Volume Copies so that victims can't use it to recover\r\nencrypted files.\r\nvssadmin.exe Delete Shadows /All /Quiet;\r\nWhen encrypting files, the ransomware will use a Windows API called the 'Windows Restart Manager' that will\r\nterminate processes or Windows services that keep a file open and prevent it from being encrypted.\r\nWindows Restart Manager\r\nFor each encrypted file, the ransomware appends the new .ranzy extension to the file's name. 
For example, a file\r\nnamed 1.doc would be encrypted and renamed to 1.doc.ranzy.\r\nRanzy Locker encrypted files\r\nIn each traversed folder, the ransomware will create a ransom note named 'readme.txt' that includes information\r\nabout what happened to a victim's data, a warning that their data was stolen, and a link to a Tor site where the\r\nvictim can negotiate with the threat actors.\r\nIt should be noted that in previous versions of ThunderX, the ransomware operators communicated with victims\r\nvia email rather than using a dedicated Tor site.\r\nRanzy Locker ransom note\r\nWhen a victim visits the Tor payment site, they will be greeted with a 'Locked by Ranzy Locker' message and be\r\nshown a live chat screen to negotiate with the threat actors. 
As part of this 'service,' the ransomware operators\r\nallow victims to decrypt three files for free to prove that they can do so.\r\nRanzy Locker Tor payment site\r\nRanzy Locker launches a data leak site\r\nMany ransomware gangs utilize a double-extortion attack method, which is to steal unencrypted files from a\r\nvictim before they encrypt the devices on the corporate network.\r\nThis attack method provides the threat actors two ways to leverage the victim into paying a ransom -- pay to\r\nget their files back and not have their data publicly leaked.\r\nThis week, the Ranzy Locker gang released a data leak site called 'Ranzy Leak' to leak the data of victims who do\r\nnot pay.\r\nThis web site currently includes one victim who develops power control solutions.\r\nAn item of interest is that the Tor onion URL used by the Ranzy Leak site is the same as the one previously used\r\nby Ako Ransomware.\r\nThe use of Ako's URL could indicate that both groups merged to form Ranzy Locker, or they are cooperating\r\nin a way similar to the Maze cartel.\r\nUpdate 10/16/20: The Ako ransomware operators contacted us and stated ThunderX is part of their operation and\r\nthat they have rebranded to Ranzy Locker.\r\n\"Because we update our original ransomware and its little rebranding. \r\nThunderX is test version our update, but some US kids share this build on virustotal — oops.\"\r\nSource: https://www.bleepingcomputer.com/news/security/thunderx-ransomware-rebrands-as-ranzy-locker-adds-data-leak-site/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/thunderx-ransomware-rebrands-as-ranzy-locker-adds-data-leak-site/"
	],
	"report_names": [
		"thunderx-ransomware-rebrands-as-ranzy-locker-adds-data-leak-site"
	],
	"threat_actors": [],
	"ts_created_at": 1775791243,
	"ts_updated_at": 1775826689,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/49c4ddcee33268053a9dd1f6ab307e1b8bd78264.pdf",
		"text": "https://archive.orkl.eu/49c4ddcee33268053a9dd1f6ab307e1b8bd78264.txt",
		"img": "https://archive.orkl.eu/49c4ddcee33268053a9dd1f6ab307e1b8bd78264.jpg"
	}
}