Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Razr

115
Global rank
105 infographic chevron month
Month rank
135
Week rank
0
IOCs

Razr is a destructive ransomware that infiltrates systems to encrypt files, rendering them inaccessible to users. It appends the ".razr" extension to the encrypted files and drops a ransom note, typically named "README.txt," instructing victims on how to pay the ransom to obtain the decryption key. The malware often spreads through phishing emails with malicious attachments or by exploiting vulnerabilities in software and operating systems. Razr employs strong encryption algorithms, making it challenging to decrypt files without the attackers' key.

Ransomware
Type
Unknown
Origin
1 August, 2024
First seen
24 February, 2025
Last seen

How to analyze Razr with ANY.RUN

Type
Unknown
Origin
1 August, 2024
First seen
24 February, 2025
Last seen

IOCs

Last Seen at

Recent blog posts

post image
New Pre-Installed Dev Tools for Deep Sandbox...
watchers 290
comments 0
post image
AI Safety: Key Threats and Solutions 
watchers 383
comments 0
post image
5 Common Evasion Techniques in Malware 
watchers 551
comments 0

What is Razr ransomware?

Razr ransomware is a recent and sophisticated strain of ransomware that surfaced in 2024, targeting systems by encrypting essential files and demanding ransom payments from victims.

The malware has made headlines due to its unique use of cloud-based platforms, like PythonAnywhere, as part of its distribution strategy, leveraging these services to host malicious files and bypass security defenses.

Known for appending the ".raz" extension to locked files, Razr delivers a ransom note typically titled “README.txt” with instructions for payment.

Razr ransom note in ANY.RUN sandbox Ransom note displayed inside ANY.RUN sandbox

This behavior and ransom note can be easily seen inside ANY.RUN’s interactive sandbox following analysis session: View analysis session

Razr’s rapid spread and its use of AES-256 encryption make it difficult for victims to regain access without paying the ransom, placing it among the newer threats that exploit trusted platforms for distribution.

Razr ransomware technical details

The primary functionality of Razr is to exfiltrate sensitive data from infected systems. Its key features include:

  • Uses AES-256 encryption to securely lock files on the infected system.
  • Collects and transmits sensitive data from the infected device to a command-and-control (C2) server, giving attackers access to valuable information.
  • Employs various techniques to conceal its code and activities, including hiding in legitimate processes and encoding its payloads.
  • Maintains communication with a remote C2 server, allowing attackers to manage the malware, send commands, and retrieve exfiltrated data remotely.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Razr ransomware execution process

To see how Razr ransomware operates, let’s upload its sample to the ANY.RUN sandbox.

Razr ransomware typically gains access to systems through several attack vectors. Common methods include malicious email attachments or links that trick users into executing the ransomware, as well as attackers exploiting known software or operating system vulnerabilities to infiltrate networks. In some cases, compromised credentials enable attackers to access systems directly. Once inside, the ransomware establishes a foothold on the infected system.

After gaining access, Razr executes its payload by dropping and running a malicious binary that initiates the encryption process. It scans the system for valuable files, including documents, images, and databases, prioritizing those critical for operations. Razr may also exploit vulnerabilities to spread across the network, targeting other connected devices and servers.

Razr graph in ANY.RUN sandbox Process graph of Razr ransomware inside ANY.RUN sandbox

Razr's core functionality is file encryption, using the AES-256 algorithm in CBC mode. The ransomware is engineered to avoid encrypting system-critical files to ensure the operating system remains functional, thereby prolonging the attack’s effectiveness.

Once encryption is complete, Razr presents its ransom demand. Typically, it changes the desktop background or creates text files in each encrypted directory with instructions for paying the ransom.

Razr sandbox in ANY.RUN sandbox Ransom note displayed inside sandbox

The ransom is generally requested in cryptocurrency, which makes transactions difficult to trace. Victims are often given a limited time frame, such as 24 to 48 hours, to pay before facing permanent data loss.

Some ransomware variants also threaten to leak sensitive data if the ransom is unpaid, increasing pressure on victims to comply. Without backups—or if backups are also encrypted—victims face significant challenges in recovering their data without paying the ransom.

Razr ransomware distribution methods

Razr ransomware employs several distribution methods to infiltrate target systems:

  • Phishing emails with malicious attachments or links: Attackers send emails containing harmful attachments or links that, when opened, download the Razr payload.
  • Exploitation of Cloud platforms: Razr has been observed leveraging legitimate cloud services, such as PythonAnywhere, to host and distribute its malicious files, thereby evading detection by security systems.
  • Drive-by downloads: Users visiting compromised or malicious websites may inadvertently download and execute the Razr ransomware without any direct interaction.

Gathering Threat Intelligence on Razr Ransomware

To gather the latest intelligence on Razr ransomware, use the Threat Intelligence Lookup feature in ANY.RUN.

This service provides access to a comprehensive database with insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox. With over 40 customizable search filters, users can locate data on threats like IPs, domains, file names, and process artifacts tied to Razr.

Razr TI Lookup results in ANY.RUN sandbox Search results for Razr in Threat Intelligence Lookup

For instance, to collect information on Razr, you can search for its threat name or a related artifact. Entering a query such as threatName:"Razr" AND domainName:"" will generate a list of files, events, domain names, and other data extracted from Lumma samples along with sandbox sessions that you can explore in detail to gain comprehensive insights into this malware’s behavior.

Try a 14-day free trial of Threat Intelligence Lookup with the ANY.RUN sandbox for hands-on intelligence gathering.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

Razr ransomware is dangerous due to its strong encryption, cloud-based delivery, and ability to evade detection. Using tools like ANY.RUN is essential for proactively analyzing suspicious files and URLs, enabling early detection.

ANY.RUN offers real-time threat analysis in a sandboxed environment, providing insights into malware behavior visual tracking and other advanced features.

Sign up for a free ANY.RUN account today and start analyzing emerging threats with no limits!

HAVE A LOOK AT

Backdoor screenshot
Backdoor
backdoor
A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.
Read More
zgRAT screenshot
zgRAT
zgrat
zgRAT is a malware known for its ability to infect systems and exfiltrate sensitive data to command-and-control (C2) servers. It is primarily distributed through loader malware, as well as phishing emails. zgRAT employs various advanced techniques, including process injection and code obfuscation, to evade detection and maintain persistence on infected systems. The malware can also spread via USB drives and uses popular messaging platforms like Telegram and Discord for data exfiltration.
Read More
DarkTortilla screenshot
DarkTortilla
darktortilla
DarkTortilla is a crypter used by attackers to spread harmful software. It can modify system files to stay hidden and active. DarkTortilla is a multi-stage crypter that relies on several components to operate. It is often distributed through phishing sites that look like real services.
Read More