Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Razr

109
Global rank
96
Month rank
98 infographic chevron week
Week rank
0
IOCs

Razr is a destructive ransomware that infiltrates systems to encrypt files, rendering them inaccessible to users. It appends the ".razr" extension to the encrypted files and drops a ransom note, typically named "README.txt," instructing victims on how to pay the ransom to obtain the decryption key. The malware often spreads through phishing emails with malicious attachments or by exploiting vulnerabilities in software and operating systems. Razr employs strong encryption algorithms, making it challenging to decrypt files without the attackers' key.

Ransomware
Type
Unknown
Origin
1 August, 2024
First seen
15 January, 2025
Last seen

How to analyze Razr with ANY.RUN

Type
Unknown
Origin
1 August, 2024
First seen
15 January, 2025
Last seen

IOCs

Last Seen at

Recent blog posts

post image
Malware Trends Overview Report: 2024
watchers 5010
comments 0
post image
YARA Rules: Cyber Threat Detection Tool for M...
watchers 710
comments 0
post image
Threat Intelligence Pivoting: Actionable Insi...
watchers 577
comments 0

What is Razr ransomware?

Razr ransomware is a recent and sophisticated strain of ransomware that surfaced in 2024, targeting systems by encrypting essential files and demanding ransom payments from victims.

The malware has made headlines due to its unique use of cloud-based platforms, like PythonAnywhere, as part of its distribution strategy, leveraging these services to host malicious files and bypass security defenses.

Known for appending the ".raz" extension to locked files, Razr delivers a ransom note typically titled “README.txt” with instructions for payment.

Razr ransom note in ANY.RUN sandbox Ransom note displayed inside ANY.RUN sandbox

This behavior and ransom note can be easily seen inside ANY.RUN’s interactive sandbox following analysis session: View analysis session

Razr’s rapid spread and its use of AES-256 encryption make it difficult for victims to regain access without paying the ransom, placing it among the newer threats that exploit trusted platforms for distribution.

Razr ransomware technical details

The primary functionality of Razr is to exfiltrate sensitive data from infected systems. Its key features include:

  • Uses AES-256 encryption to securely lock files on the infected system.
  • Collects and transmits sensitive data from the infected device to a command-and-control (C2) server, giving attackers access to valuable information.
  • Employs various techniques to conceal its code and activities, including hiding in legitimate processes and encoding its payloads.
  • Maintains communication with a remote C2 server, allowing attackers to manage the malware, send commands, and retrieve exfiltrated data remotely.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Razr ransomware execution process

To see how Razr ransomware operates, let’s upload its sample to the ANY.RUN sandbox.

Razr ransomware typically gains access to systems through several attack vectors. Common methods include malicious email attachments or links that trick users into executing the ransomware, as well as attackers exploiting known software or operating system vulnerabilities to infiltrate networks. In some cases, compromised credentials enable attackers to access systems directly. Once inside, the ransomware establishes a foothold on the infected system.

After gaining access, Razr executes its payload by dropping and running a malicious binary that initiates the encryption process. It scans the system for valuable files, including documents, images, and databases, prioritizing those critical for operations. Razr may also exploit vulnerabilities to spread across the network, targeting other connected devices and servers.

Razr graph in ANY.RUN sandbox Process graph of Razr ransomware inside ANY.RUN sandbox

Razr's core functionality is file encryption, using the AES-256 algorithm in CBC mode. The ransomware is engineered to avoid encrypting system-critical files to ensure the operating system remains functional, thereby prolonging the attack’s effectiveness.

Once encryption is complete, Razr presents its ransom demand. Typically, it changes the desktop background or creates text files in each encrypted directory with instructions for paying the ransom.

Razr sandbox in ANY.RUN sandbox Ransom note displayed inside sandbox

The ransom is generally requested in cryptocurrency, which makes transactions difficult to trace. Victims are often given a limited time frame, such as 24 to 48 hours, to pay before facing permanent data loss.

Some ransomware variants also threaten to leak sensitive data if the ransom is unpaid, increasing pressure on victims to comply. Without backups—or if backups are also encrypted—victims face significant challenges in recovering their data without paying the ransom.

Razr ransomware distribution methods

Razr ransomware employs several distribution methods to infiltrate target systems:

  • Phishing emails with malicious attachments or links: Attackers send emails containing harmful attachments or links that, when opened, download the Razr payload.
  • Exploitation of Cloud platforms: Razr has been observed leveraging legitimate cloud services, such as PythonAnywhere, to host and distribute its malicious files, thereby evading detection by security systems.
  • Drive-by downloads: Users visiting compromised or malicious websites may inadvertently download and execute the Razr ransomware without any direct interaction.

Gathering Threat Intelligence on Razr Ransomware

To gather the latest intelligence on Razr ransomware, use the Threat Intelligence Lookup feature in ANY.RUN.

This service provides access to a comprehensive database with insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox. With over 40 customizable search filters, users can locate data on threats like IPs, domains, file names, and process artifacts tied to Razr.

Razr TI Lookup results in ANY.RUN sandbox Search results for Razr in Threat Intelligence Lookup

For instance, to collect information on Razr, you can search for its threat name or a related artifact. Entering a query such as threatName:"Razr" AND domainName:"" will generate a list of files, events, domain names, and other data extracted from Lumma samples along with sandbox sessions that you can explore in detail to gain comprehensive insights into this malware’s behavior.

Try a 14-day free trial of Threat Intelligence Lookup with the ANY.RUN sandbox for hands-on intelligence gathering.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

Razr ransomware is dangerous due to its strong encryption, cloud-based delivery, and ability to evade detection. Using tools like ANY.RUN is essential for proactively analyzing suspicious files and URLs, enabling early detection.

ANY.RUN offers real-time threat analysis in a sandboxed environment, providing insights into malware behavior visual tracking and other advanced features.

Sign up for a free ANY.RUN account today and start analyzing emerging threats with no limits!

HAVE A LOOK AT

Latrodectus screenshot
Latrodectus
latrodectus
Latrodectus is a malicious loader that is used by threat actors to gain a foothold on compromised devices and deploy additional malware. It has been associated with the IcedID trojan and has been used by APT groups in targeted attacks. The malware can gather system information, launch executables, and detect sandbox environments. It uses encryption and obfuscation to evade detection and can establish persistence on the infected device.
Read More
Lynx screenshot
Lynx
lynx
Lynx is a double extortion ransomware: attackers encrypt important and sensitive data and demand a ransom for decryption simultaneously threatening to publish or sell the data. Active since mid-2024. Among techniques are terminating processes and services, privilege escalation, deleting shadow copies. Distribution by phishing, malvertising, exploiting vulnerabilities.
Read More
Havoc screenshot
Havoc
havoc
Havoc is an advanced post-exploitation framework used by hackers to take control of a system once they've breached it. With Havoc, attackers can run commands remotely, inject malicious processes, and access sensitive data. It's often used in targeted attacks, allowing cybercriminals to stay hidden in a network while stealing information or launching further attacks. Its flexibility and ability to bypass detection make it a serious threat, especially in environments that rely on traditional security tools.
Read More
LokiBot screenshot
LokiBot
lokibot loader trojan
LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.
Read More
Balada Injector screenshot
Balada Injector is a long-running malware campaign that targets WordPress websites by exploiting vulnerabilities in plugins and themes. The attackers inject malicious code into compromised sites, leading to unauthorized redirects, data theft, and the creation of [backdoors](https://any.run/malware-trends/backdoor) for persistent access. The campaign operates in waves, with spikes in activity observed every few weeks, continually adapting to exploit newly discovered vulnerabilities.
Read More
Gh0st RAT screenshot
Gh0st RAT
gh0st
Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails.
Read More