skip to Main Content

Cybercrime, ThunderX has been beaten by Tesorion

ThunderX has been beatnen by Tesorion. The cyber security experts built and spread a free drecryptor through the NoMoreRansom project

ThunderX ransomware has been beaten. Tesorion cyber security experts built a decryptor and provided for free through the NoMoreRansom project. The cybercrime malware starts by checking or creating a Mutex to prevent multiple instances running in parallel. Then it checks for an attached debugger, and skips the remainder of its functionality if one is found. If no debugger was found, some encrypted strings are loaded from the resources and decrypted. These contain among other things lists of processes and services that are then terminated if found running. Subsequently some commands are executed to delete shadow copies and make some modifications to the boot configuration. After all this is done, the actual encryption commences by initializing the cryptography, generating the ransom note and finally starting separate threads for each drive and network share to find files to encrypt.

The cybercrime malware has some peculiarities, including the capability to destroy some data irreversibly on purpose

According cyber security experts, ThunderX has some peculiarity. First of all, the ransomware can overwrite specific files with zeroes, instead of encrypting them. This means the malware contains functionality to destroy some data irreversibly on purpose. The embedded configuration in the resources contains the target filenames for this destructive overwriting. Then, cybercrime put some obfuscation to thwart analysis. A number of strings have been hex-encoded in the binary, to make them less obvious. This is for example the case for the command lines that are used to remove shadow copies. Some other strings are stored in the resources with a simple single byte XOR encryption, for example the ransom note template and the lists of processes and services to terminate.

Back To Top