ThunderCrypt is a threat actor that first emerged on April 20, 2017, with the release of the earliest version of its ransomware. This initial version did not use the EternalBlue exploit. The cybersecurity community became aware of ThunderCrypt through analysis of related malware, which led to the discovery of this new ransomware variant. Telemetry data shows the first detection of ThunderCrypt on April 23, 2017, just three days after its initial appearance. In the following month there was a significant spike in activity, indicating a rapid escalation in the deployment of this ransomware.
The ThunderCrypt ransomware has exhibited functionalities and modules strikingly similar to another known malware, StripedFly. Moreover, researchers have identified links between ThunderCrypt and another ransomware variant using the same Command and Control (C2) server at "ghtyqipha6mcwxiz[.]onion:1111". This suggests that ThunderCrypt might be part of a larger network of malicious actors or could be reusing infrastructure from other campaigns, further complicating attribution efforts.
Despite the apparent commercial motive behind ThunderCrypt's activities, questions remain about the group's true intentions. The use of ransomware typically indicates a financial goal, but ThunderCrypt's choice not to pursue potentially more lucrative paths raises doubts about its ultimate objectives. Further investigation and monitoring of this threat actor are required to understand its strategy fully and mitigate the risks it poses.
Description last updated: 2024-05-04T19:37:30.242Z