{"id":2992,"date":"2024-09-25T20:53:35","date_gmt":"2024-09-25T20:53:35","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2992"},"modified":"2025-07-29T06:54:31","modified_gmt":"2025-07-29T06:54:31","slug":"tron-ransomware-infecting-only-non-russian-victims","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/tron-ransomware-infecting-only-non-russian-victims\/","title":{"rendered":"Tron Ransomware &#8211; Infecting only Non-Russian Victims!"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"424\" height=\"318\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/title-1.webp\" alt=\"\" class=\"wp-image-3020\"\/><\/figure>\n<\/div>\n\n\n<p><strong>Overview<\/strong><br><br>The LMNTRIX Threat Intelligence Platform has recently put a new variant of Tron, a ransomware that targets non-Russians, under the microscope. The following sample was analysed:<br><br>File Hash (SHA-256): fb45f10c886974e29a57673769c0bc4e53fcaf063e172e38d92eea85bf570aff<br><br>File Size: 87.5 KB<br><br>File creation TimeDateStamp: (Thu Apr 12 16:54:17 2018)<br><br><strong>Infection<\/strong><br><br>&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"974\" height=\"587\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/1-55.webp\" alt=\"\" class=\"wp-image-3013\"\/><\/figure>\n\n\n\n<p><br><br><em>Figure 1 VT result for Tron Ransomware<\/em><br><br><strong>Analysis of the Ransomware sample<\/strong><br><br>Our research team checked the file\u2019s PE details and found it to be compiled using .NET.<br><br><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"629\" height=\"272\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/2-53.webp\" alt=\"\" class=\"wp-image-3014\"\/><\/figure>\n\n\n\n<p> &nbsp;<br><br><em>Figure 2 Compiled using 
.NET<\/em><br><br>We noted the following malicious indicator in the sample, as shown in the screenshot:<br><br><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"792\" height=\"97\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/3-52.webp\" alt=\"\" class=\"wp-image-3015\"\/><\/figure>\n\n\n\n<p>&nbsp;<br><br><em>Figure 3 Malicious Indicator<\/em><br><br>The blacklisted string count is 38 and the original file name is Tron.exe. Our researcher dissected the sample and analysed the code.<br><br><strong>Threat Indicators<\/strong><br><br>When we dissected the code, we found the file locations on the victim\u2019s system that the ransomware targets.<br><br><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"539\" height=\"254\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/4-53.webp\" alt=\"\" class=\"wp-image-3016\"\/><\/figure>\n\n\n\n<p> &nbsp;<br><br><em>Figure 4 Targeted folders<\/em><br><br>When we executed the file, it encrypted the files in all of the folders listed above. 
It also added the file extension \u2018Tron\u2019 after encryption:<br><br><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"492\" height=\"403\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/5-50.webp\" alt=\"\" class=\"wp-image-3017\"\/><\/figure>\n\n\n\n<p>&nbsp;<br><br><em>Figure 5 Tron Extension added after encryption<\/em><br><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"575\" height=\"415\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/6-47.webp\" alt=\"\" class=\"wp-image-3018\"\/><\/figure>\n\n\n\n<p>&nbsp;<br><br><em>Figure 6 Ransom notes and Payment methods<\/em><br><br><strong>If Russia Then Exit<\/strong><br><br>In this code, we found that the ransomware checks the geolocation and exits if it detects the location as Russia.<br><br><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"747\" height=\"205\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/7-46.webp\" alt=\"\" class=\"wp-image-3019\"\/><\/figure>\n\n\n\n<p> &nbsp;<br><br><em>Figure 7 If Russia then exit<\/em><br><br>Threat Indicators<br><br>IOC details:<br><\/p>\n\n\n\n<p>File Hashes:<br><br>SHA-256: fb45f10c886974e29a57673769c0bc4e53fcaf063e172e38d92eea85bf570aff<br><br>SHA-256: 41b9d94f13dd2b2d9d3b01df692f1837731a932e2ae938cccf34905064f6f30f<br><\/p>\n\n\n\n<p>File extension added by this variant of ransomware:<br><br>\u2018.tron\u2019<br><\/p>\n\n\n\n<p><strong>Conclusion<\/strong><br><br>We suspect that we will continue to see the rise of geo-targeted ransomware, which, in part, has the advantage for threat actors of presumably limiting local law enforcement concerns about their activities, since their targets are outside of their own geographic jurisdictions.<br><br>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview The LMNTRIX Threat 
Intelligence Platform has recently found a new variant of Tron, a ransomware that targets non-Russians, under the microscope. &nbsp;This sample underwent analysis: File Hash (SHA-256): fb45f10c886974e29a57673769c0bc4e53fcaf063e172e38d92eea85bf570aff File Size: 87.5 KB File creation- TimeDateStamp: (Thu Apr 12 16:54:17 2018) Infection &nbsp; Figure 1 VT result for Tron Ransomware Analysis of the Ransomware [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":3020,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2992","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2992","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2992"}],"version-history":[{"count":5,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2992\/revisions"}],"predecessor-version":[{"id":4351,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2992\/revisions\/4351"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/3020"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2992"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2992"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2992"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}