Thundercrypt

Threat Actor Profile Updated 2 months ago
ThunderCrypt is ransomware whose earliest known build is dated April 20, 2017; this page tracks it as a threat actor profile. That initial version did not use the EternalBlue exploit. ThunderCrypt came to light while researchers were analyzing the related StripedFly malware. Telemetry shows the first detection of ThunderCrypt on April 23, 2017, three days after the build date, followed by a sharp spike in activity the next month, indicating rapid escalation in its deployment.

ThunderCrypt's functions and modules closely resemble those of StripedFly. Researchers have also tied ThunderCrypt to another ransomware variant through a shared Command and Control (C2) server at "ghtyqipha6mcwxiz[.]onion:1111". Shared infrastructure of this kind suggests that ThunderCrypt is either part of a larger set of operators or is reusing infrastructure from other campaigns, which complicates attribution.

Although ransomware deployment points to a financial motive, questions remain about the operators' true intentions: they did not pursue paths that would likely have been more lucrative, which casts doubt on whether revenue was their ultimate objective. Further investigation and monitoring of this threat actor are needed to understand its strategy and mitigate the risk.
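The shared C2 above is the one concrete pivot this profile offers. The following is an added example, not code from Cybergeist or from the StripedFly/ThunderCrypt researchers: it refangs the indicator as listed on the page, wraps it in a minimal STIX 2.1 Indicator object, and hunts for the host in endpoint network events. The only value taken from the page is the defanged onion address; the log lines, host names and process names are constructed for illustration.

```python
"""Pivot on the shared ThunderCrypt/StripedFly C2 indicator.

Added example (not Cybergeist's or the researchers' code). The only value
taken from the profile is the defanged onion C2; everything else below is
constructed for illustration.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Defanged indicator exactly as the profile lists it.
DEFANGED_C2 = "ghtyqipha6mcwxiz[.]onion:1111"


def refang(value: str) -> str:
    """Undo the usual defanging ([.] (.) (dot) hxxp) so the value can be matched."""
    for old, new in (("[.]", "."), ("(.)", "."), ("(dot)", "."),
                     ("hxxps://", "https://"), ("hxxp://", "http://")):
        value = value.replace(old, new)
    return value


def split_host_port(hostport: str) -> tuple[str, int]:
    host, _, port = hostport.rpartition(":")
    return host, int(port)


def stix_indicator(hostport: str, name: str) -> dict:
    """Minimal STIX 2.1 Indicator SDO carrying a pattern for the C2 endpoint.

    Matching on network-traffic:dst_ref.value rather than on a bare
    domain-name object keeps the port inside the same observation, so a
    connection to the same host on another port is not a hit.
    """
    host, port = split_host_port(refang(hostport))
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": (f"[network-traffic:dst_ref.value = '{host}' "
                    f"AND network-traffic:dst_port = {port}]"),
        "pattern_type": "stix",
        "valid_from": now,
    }


def hunt(log_text: str, hostport: str) -> list[dict]:
    """Return every log line mentioning the C2 host, flagging exact host:port hits.

    .onion names must never reach public DNS (RFC 7686), so a dns_query for
    one is a finding in itself: some client is leaking the name outside Tor.
    """
    host, port = split_host_port(refang(hostport))
    host_re = re.compile(r"(?<![a-z0-9.-])" + re.escape(host) + r"(?![a-z0-9.-])", re.I)
    port_re = re.compile(re.escape(host) + rf":{port}(?!\d)", re.I)
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if host_re.search(line):
            hits.append({
                "line": lineno,
                "exact_c2": bool(port_re.search(line)),
                "dns_leak": "dns_query" in line,
                "text": line,
            })
    return hits


# Constructed sample: one EDR-style network event per line (not real telemetry).
SAMPLE_LOG = """\
2017-05-02T10:14:07Z host=ws-17 proc=svchost.exe event=socks_connect dst=ghtyqipha6mcwxiz.onion:1111
2017-05-02T10:14:09Z host=ws-17 proc=browser.exe event=socks_connect dst=abcdefghijklmnop.onion:443
2017-05-02T10:15:00Z host=ws-22 proc=updater.exe event=dns_query name=ghtyqipha6mcwxiz.onion
2017-05-02T10:15:03Z host=ws-22 proc=updater.exe event=tcp_connect dst=ghtyqipha6mcwxiz.onion:9050
"""

if __name__ == "__main__":
    print(json.dumps(stix_indicator(DEFANGED_C2, "ThunderCrypt/StripedFly shared C2"), indent=2))
    for hit in hunt(SAMPLE_LOG, DEFANGED_C2):
        print(hit)
```

Because the C2 is a Tor hidden service, the name will not appear in recursive DNS logs on a correctly configured host; look for it in endpoint process network events, SOCKS proxy logs, and strings of suspect binaries or ransom notes, and treat any DNS query for the name as a misconfigured or leaking client worth examining on its own.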
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID: Stripedfly (Votes: 2)
Profile Description: StripedFly is a threat actor that has been active since at least April 9, 2016, the date of the earliest known version of StripedFly incorporating the EternalBlue exploit. The authors behind StripedFly show parallels with the EternalBlue exploit, which is notorious for its use in wides…
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Tags: Ransomware, Kaspersky, Malware, Exploit
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
ID: Eternalblue (Type: Unspecified, Votes: 1)
Profile Description: EternalBlue is an exploit for a vulnerability in Microsoft's SMBv1 implementation (CVE-2017-0144, patched in MS17-010). It has been used by various threats, most notably as the propagation vector for the WannaCry ransomware outbreak. The exploit allows attackers…
Source Document References
Information about the ThunderCrypt threat actor was read from the documents listed below. This display is limited to 20 results.
Source (Created) - Title
Securityaffairs (9 months ago) - StripedFly, a complex malware that infected one million devices without being noticed
CERT-EU (9 months ago) - StripedFly malware framework infects 1 million Windows, Linux hosts
CERT-EU (9 months ago) - StripedFly: Perennially flying under the radar
CERT-EU (9 months ago) - StripedFly: Perennially flying under the radar – GIXtools
CERT-EU (9 months ago) - More Than a Cryptominer, StripedFly Malware Infects 1 Million PCs
CERT-EU (9 months ago) - Kaspersky reveals 'elegant' malware resembling NSA code
CERT-EU (9 months ago) - Lorenz ransomware embroiled in its own two-year data leak
CERT-EU (9 months ago) - Advanced 'StripedFly' Malware With 1 Million Infections Shows Similarities to NSA-Linked Tools
DARKReading (9 months ago) - Complex Spy Platform StripedFly Bites 1M Victims
CERT-EU (8 months ago) - StripedFly Malware Operated Unnoticed for 5 Years, Infecting 1 Million Devices
CERT-EU (9 months ago) - Widespread StripedFly malware framework compromise reported in Windows, Linux systems
CERT-EU (8 months ago) - StripedFly Malware's Covert Cryptocurrency Mining Operation