Thundercrypt

Threat Actor updated 7 months ago (2024-05-04T20:17:50.466Z)
ThunderCrypt is a threat actor that first emerged on April 20, 2017, with the earliest version of its ransomware. This initial version did not use the EternalBlue exploit. The security community became aware of ThunderCrypt while analysing related malware, which led to the discovery of this new ransomware variant. Telemetry shows the first detection of ThunderCrypt on April 23, 2017, just three days after its initial appearance, followed by a significant spike in activity the next month, indicating rapid escalation in deployment of the ransomware.

The ThunderCrypt ransomware has functionality and modules strikingly similar to another known malware, StripedFly. Researchers have also linked ThunderCrypt to another ransomware variant that uses the same Command and Control (C2) server at "ghtyqipha6mcwxiz[.]onion:1111". This suggests that ThunderCrypt may be part of a larger network of malicious actors, or may be reusing infrastructure from other campaigns, which further complicates attribution.

Despite the apparent commercial motive behind ThunderCrypt's activity, questions remain about the group's true intentions. Ransomware usually points to a financial goal, but ThunderCrypt's decision not to pursue potentially more lucrative paths raises doubts about its ultimate objectives. Further investigation and monitoring of this threat actor are needed to fully understand its strategy and mitigate the associated risks.
Description last updated: 2024-05-04T19:37:30.242Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions between vendors are hard to track, so the following are possible overlapping names and profiles that may also be relevant.
Alias: Stripedfly (votes: 2)
Description: Stripedfly is a possible alias for Thundercrypt. StripedFly is a malicious threat actor that has been active since at least April 9, 2016, as indicated by the earliest known version of StripedFly incorporating the EternalBlue exploit. The authors behind StripedFly show parallels with the EternalBlue exploit, which is notorious for its use in wides
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware