Threat Actor Profile
Low Cybercriminal
Description

Ranzy Locker, formerly known as ThunderX. The group hosts a data leak site on the darknet where it posts sensitive information of victims who do not pay the ransom. ThunderX was launched at the end of August 2020. Soon after launch, weaknesses were found in the code that allowed the files encrypted by the malware to be decrypted. The group fixed the code and published a new version, which it released under the name Ranzy Locker. The Tor onion URL used by the Ranzy Leak site is the same as the one used by Ako Ransomware. The use of the same URL could indicate that both groups merged, or that they are cooperating in a manner similar to the Maze cartel.

Confidence Score
100%
Tags
ransomware ransomware.live
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

Indicators of Compromise

STIX Data
{'added_date': None,
 'client': '2003264@sit.singaporetech.edu.sg',
 'description': 'Ranzy Locker, Former known as ThunderX. The group hosting a '
                'data leak site in the darknet where they posting sensitive '
                'information of victims who do not pay the ransom. ThunderX '
                'was launched at the end of August 2020. Soon after launching, '
                'weaknesses were found in the code, that allowed decrypting '
                'the files that the malware encrypted. The group has fixed the '
                'code and publish a new version, then released it under the '
                'name Ranzy Locker. The Tor onion URL used by the Ranzy Leak '
                'site is the same as the one used by Ako Ransomware. The use '
                'of the same URL could indicate that both groups merged, or '
                'they are cooperating similarly to the Maze cartel.\n',
 'firstseen': None,
 'group': 'ranzy',
 'has_negotiations': True,
 'has_ransomnote': True,
 'lastseen': None,
 'locations': [{'available': False,
                'fqdn': '37rckgo66iydpvgpwve7b2el5q2zhjw4tv4lmyewufnpx4lhkekxkoqd.onion',
                'slug': 'http://37rckgo66iydpvgpwve7b2el5q2zhjw4tv4lmyewufnpx4lhkekxkoqd.onion',
                'title': '',
                'type': 'DLS'}],
 'negotiation_count': 2,
 'ransomnotes_count': 1,
 'tiaras_metadata': {'has_negotiations': True,
                     'has_ransomnote': True,
                     'locations': [{'available': False,
                                    'fqdn': '37rckgo66iydpvgpwve7b2el5q2zhjw4tv4lmyewufnpx4lhkekxkoqd.onion',
                                    'slug': 'http://37rckgo66iydpvgpwve7b2el5q2zhjw4tv4lmyewufnpx4lhkekxkoqd.onion',
                                    'title': '',
                                    'type': 'DLS'}],
                     'negotiation_count': 2,
                     'ransomnotes_count': 1,
                     'ransomware_live_group': 'ranzy',
                     'tools': {'CredentialTheft': [],
                               'DefenseEvasion': [],
                               'DiscoveryEnum': [],
                               'Exfiltration': ['UFile'],
                               'LOLBAS': [],
                               'Networking': [],
                               'Offsec': [],
                               'RMM-Tools': []},
                     'url': 'https://www.ransomware.live/group/ranzy',
                     'victims': 0,
                     'vulnerabilities': []},
 'tiaras_source': 'ransomware.live',
 'tools': {'CredentialTheft': [],
           'DefenseEvasion': [],
           'DiscoveryEnum': [],
           'Exfiltration': ['UFile'],
           'LOLBAS': [],
           'Networking': [],
           'Offsec': [],
           'RMM-Tools': []},
 'ttps': [],
 'url': 'https://www.ransomware.live/group/ranzy',
 'victims': 0,
 'vulnerabilities': []}