Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Razr

109
Global rank
92 infographic chevron month
Month rank
84 infographic chevron week
Week rank
0
IOCs

Razr is a destructive ransomware that infiltrates systems to encrypt files, rendering them inaccessible to users. It appends the ".razr" extension to the encrypted files and drops a ransom note, typically named "README.txt," instructing victims on how to pay the ransom to obtain the decryption key. The malware often spreads through phishing emails with malicious attachments or by exploiting vulnerabilities in software and operating systems. Razr employs strong encryption algorithms, making it challenging to decrypt files without the attackers' key.

Ransomware
Type
Unknown
Origin
1 August, 2024
First seen
25 December, 2024
Last seen

How to analyze Razr with ANY.RUN

Type
Unknown
Origin
1 August, 2024
First seen
25 December, 2024
Last seen

IOCs

Last Seen at

Recent blog posts

post image
Malware Trends Report: Q4, 2024 
watchers 234
comments 0
post image
Integrate ANY.RUN Threat Intelligence Feeds w...
watchers 2099
comments 0
post image
2024 Wrapped: A Year of Growth, Innovation, a...
watchers 157
comments 0

What is Razr ransomware?

Razr ransomware is a recent and sophisticated strain of ransomware that surfaced in 2024, targeting systems by encrypting essential files and demanding ransom payments from victims.

The malware has made headlines due to its unique use of cloud-based platforms, like PythonAnywhere, as part of its distribution strategy, leveraging these services to host malicious files and bypass security defenses.

Known for appending the ".raz" extension to locked files, Razr delivers a ransom note typically titled “README.txt” with instructions for payment.

Razr ransom note in ANY.RUN sandbox Ransom note displayed inside ANY.RUN sandbox

This behavior and ransom note can be easily seen inside ANY.RUN’s interactive sandbox following analysis session: View analysis session

Razr’s rapid spread and its use of AES-256 encryption make it difficult for victims to regain access without paying the ransom, placing it among the newer threats that exploit trusted platforms for distribution.

Razr ransomware technical details

The primary functionality of Razr is to exfiltrate sensitive data from infected systems. Its key features include:

  • Uses AES-256 encryption to securely lock files on the infected system.
  • Collects and transmits sensitive data from the infected device to a command-and-control (C2) server, giving attackers access to valuable information.
  • Employs various techniques to conceal its code and activities, including hiding in legitimate processes and encoding its payloads.
  • Maintains communication with a remote C2 server, allowing attackers to manage the malware, send commands, and retrieve exfiltrated data remotely.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Razr ransomware execution process

To see how Razr ransomware operates, let’s upload its sample to the ANY.RUN sandbox.

Razr ransomware typically gains access to systems through several attack vectors. Common methods include malicious email attachments or links that trick users into executing the ransomware, as well as attackers exploiting known software or operating system vulnerabilities to infiltrate networks. In some cases, compromised credentials enable attackers to access systems directly. Once inside, the ransomware establishes a foothold on the infected system.

After gaining access, Razr executes its payload by dropping and running a malicious binary that initiates the encryption process. It scans the system for valuable files, including documents, images, and databases, prioritizing those critical for operations. Razr may also exploit vulnerabilities to spread across the network, targeting other connected devices and servers.

Razr graph in ANY.RUN sandbox Process graph of Razr ransomware inside ANY.RUN sandbox

Razr's core functionality is file encryption, using the AES-256 algorithm in CBC mode. The ransomware is engineered to avoid encrypting system-critical files to ensure the operating system remains functional, thereby prolonging the attack’s effectiveness.

Once encryption is complete, Razr presents its ransom demand. Typically, it changes the desktop background or creates text files in each encrypted directory with instructions for paying the ransom.

Razr sandbox in ANY.RUN sandbox Ransom note displayed inside sandbox

The ransom is generally requested in cryptocurrency, which makes transactions difficult to trace. Victims are often given a limited time frame, such as 24 to 48 hours, to pay before facing permanent data loss.

Some ransomware variants also threaten to leak sensitive data if the ransom is unpaid, increasing pressure on victims to comply. Without backups—or if backups are also encrypted—victims face significant challenges in recovering their data without paying the ransom.

Razr ransomware distribution methods

Razr ransomware employs several distribution methods to infiltrate target systems:

  • Phishing emails with malicious attachments or links: Attackers send emails containing harmful attachments or links that, when opened, download the Razr payload.
  • Exploitation of Cloud platforms: Razr has been observed leveraging legitimate cloud services, such as PythonAnywhere, to host and distribute its malicious files, thereby evading detection by security systems.
  • Drive-by downloads: Users visiting compromised or malicious websites may inadvertently download and execute the Razr ransomware without any direct interaction.

Gathering Threat Intelligence on Razr Ransomware

To gather the latest intelligence on Razr ransomware, use the Threat Intelligence Lookup feature in ANY.RUN.

This service provides access to a comprehensive database with insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox. With over 40 customizable search filters, users can locate data on threats like IPs, domains, file names, and process artifacts tied to Razr.

Razr TI Lookup results in ANY.RUN sandbox Search results for Razr in Threat Intelligence Lookup

For instance, to collect information on Razr, you can search for its threat name or a related artifact. Entering a query such as threatName:"Razr" AND domainName:"" will generate a list of files, events, domain names, and other data extracted from Lumma samples along with sandbox sessions that you can explore in detail to gain comprehensive insights into this malware’s behavior.

Try a 14-day free trial of Threat Intelligence Lookup with the ANY.RUN sandbox for hands-on intelligence gathering.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

Razr ransomware is dangerous due to its strong encryption, cloud-based delivery, and ability to evade detection. Using tools like ANY.RUN is essential for proactively analyzing suspicious files and URLs, enabling early detection.

ANY.RUN offers real-time threat analysis in a sandboxed environment, providing insights into malware behavior visual tracking and other advanced features.

Sign up for a free ANY.RUN account today and start analyzing emerging threats with no limits!

HAVE A LOOK AT

PureCrypter screenshot
PureCrypter
purecrypter
First identified in March 2021, PureCrypter is a .NET-based loader that employs obfuscation techniques, such as SmartAssembly, to evade detection. It has been used to distribute malware families including AgentTesla, RedLine Stealer, and SnakeKeylogger. The malware is typically delivered through phishing campaigns and malicious downloads, often masquerading as legitimate files with extensions like .mp4 or .pdf. PureCrypter utilizes encryption and compression to conceal its payloads and can inject malicious code into legitimate processes to maintain persistence on the infected system.
Read More
LokiBot screenshot
LokiBot
lokibot loader trojan
LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.
Read More
Arechclient2 screenshot
Arechclient2
arechclient2
The Arechclient2 malware is a sophisticated .NET-based Remote Access Trojan (RAT) that collects sensitive information, such as browser credentials, from infected computers. It employs various stealth techniques, including Base64 encoding to obscure its code and the ability to pause activities to evade automated security tools. The malware also can adjust Windows Defender settings and uses code injection to manipulate legitimate processes.
Read More
Remcos screenshot
Remcos
remcos trojan rat stealer
Remcos is a RAT type malware that attackers use to perform actions on infected machines remotely. This malware is extremely actively caped up to date with updates coming out almost every single month.
Read More
Meduza Stealer screenshot
Meduza Stealer is an information-stealing malware primarily targeting Windows systems, designed to harvest sensitive data such as login credentials, browsing histories, cookies, cryptocurrency wallets, and password manager data. It has advanced anti-detection mechanisms, allowing it to evade many antivirus programs. The malware is distributed through various means, including phishing emails and malicious links. It’s marketed on underground forums and Telegram channels.
Read More
Stealc screenshot
Stealc
stealc
Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.
Read More