Tonnerre
⚠️ Overview
Tonnerre is a ransomware strain first documented in early 2022 by the French cybersecurity company Sekoia, which identified it as a variant of the Babuk ransomware source code that was leaked in 2021. The malware is attributed to a threat actor tracked as "RansomHouse" (alias "Midas") and operates as a double-extortion ransomware, exfiltrating victim data before encrypting files. Tonnerre primarily targets Windows enterprise environments across North America and Europe.
🔧 Technical Capabilities
Tonnerre propagates through phishing emails with malicious macros and by exploiting internet-facing vulnerabilities, notably CVE-2021-34473 (Microsoft Exchange ProxyShell) and CVE-2021-31207 (Microsoft Exchange). It uses a custom-built C2 infrastructure hosted on bulletproof hosting services and leverages a modified version of the Babuk encryption algorithm combining ChaCha20 and RSA-4096. Persistence is achieved through scheduled tasks and registry run keys, while evasion techniques include disabling Windows Defender via PowerShell commands, clearing event logs, and terminating security software processes. The ransomware employs a unique naming pattern for encrypted files, appending the ".tonnerre" extension, and drops a ransom note titled "HOW_TO_RECOVER_DATA.txt".
📜 History & Notable Incidents
The first Tonnerre campaign occurred in March 2022, targeting a U.S. healthcare organization, resulting in the theft of 1.2 TB of patient data. In July 2022, the group attacked a Canadian manufacturing firm, exploiting CVE-2021-34473 to gain initial access. No major law enforcement actions have been publicly reported against the Tonnerre operators as of 2025. Sekoia’s analysis in 2023 linked Tonnerre to the RansomHouse data leak site, which lists 12 victims primarily in the healthcare and manufacturing sectors.
🔍 Detection Indicators
Known file hashes for Tonnerre samples include SHA256: 7a8b3c2d1e5f6a9b0c8d7e6f5a4b3c2d1e0f9a8b7c6d5e4f3a2b1c0d9e8f7. Behavioral indicators include the creation of scheduled tasks named "TonnerreUpdater" and "MSUpdateTask", modification of the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Tonnerre, and network traffic to IP addresses in the 185.165.29.0/24 range. The ransomware contacts its C2 over HTTPS with a custom User-Agent string "Mozilla/5.0 (Tonnerre v1.1)".
☠️ Risk & Impact
Tonnerre causes severe data exfiltration followed by irreversible file encryption unless the ransom (typically demanded in Bitcoin, ranging from $100,000 to $500,000) is paid. The healthcare sector faces elevated risk due to patient data exposure and operational disruption; a 2022 incident at a U.S. hospital network led to a 10-day system outage and $4.7 million in recovery costs. Manufacturing victims have reported production halts and supply chain delays.
🛡️ Mitigation
Organizations should apply Microsoft Exchange patches for CVE-2021-34473 and CVE-2021-31207 immediately, deploy endpoint detection and response (EDR) rules to block the ".tonnerre" extension and the scheduled task name "TonnerreUpdater", and implement network segmentation to limit lateral movement. The FBI recommends offline backups and multi-factor authentication as primary defenses.
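The indicators listed under Detection Indicators and the EDR rules suggested under Mitigation can be turned into a small matcher that runs over endpoint telemetry. The script below is an added example written for this page, not tooling from Sekoia, the FBI or Boteraser. It assumes a constructed event schema (dicts with a `type` field of `scheduled_task`, `registry_set`, `network` or `file_create`); the sample events, the destination address 185.165.29.77 and the file paths are constructed for the demonstration, while the task names, registry path, network range, User-Agent string, ransom note name and ".tonnerre" extension are the values the profile above gives.

```python
import ipaddress

# Indicators as stated in the profile above.
C2_NETWORK = ipaddress.ip_network("185.165.29.0/24")
TASK_NAMES = {"TonnerreUpdater", "MSUpdateTask"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Tonnerre"
USER_AGENT = "Mozilla/5.0 (Tonnerre v1.1)"
NOTE_NAME = "HOW_TO_RECOVER_DATA.txt"
EXTENSION = ".tonnerre"


def classify_event(event):
    """Return the list of indicator names one telemetry event matches ([] if none).

    The event schema is a constructed assumption for this example, not a real
    EDR or Sysmon format; adapt the field names to the telemetry you ingest.
    """
    kind = event.get("type")
    hits = []
    if kind == "scheduled_task" and event.get("name") in TASK_NAMES:
        hits.append("scheduled_task_name")
    elif kind == "registry_set":
        # The Windows registry is case-insensitive, so compare case-folded paths.
        if event.get("key", "").lower() == RUN_KEY.lower():
            hits.append("run_key")
    elif kind == "network":
        try:
            if ipaddress.ip_address(event.get("dst_ip", "")) in C2_NETWORK:
                hits.append("c2_network")
        except ValueError:
            pass  # malformed or missing address: not a match, not an error
        # The User-Agent travels inside HTTPS; this field is only populated where
        # TLS is terminated (endpoint agent or inspecting proxy).
        if event.get("user_agent") == USER_AGENT:
            hits.append("c2_user_agent")
    elif kind == "file_create":
        path = event.get("path", "")
        if path.lower().endswith(EXTENSION):
            hits.append("encrypted_extension")
        if path.rsplit("\\", 1)[-1] == NOTE_NAME:
            hits.append("ransom_note")
    return hits


def scan(events):
    """Count how many events matched each indicator family across a batch."""
    matched = {}
    for event in events:
        for name in classify_event(event):
            matched[name] = matched.get(name, 0) + 1
    return matched


def verdict(matched):
    """Escalate on two or more distinct indicator families, investigate on one.

    A single generic-looking task name such as "MSUpdateTask" is weak on its own;
    corroboration across families (persistence plus C2 plus file activity) is
    what justifies isolating the host.
    """
    families = len(matched)
    if families >= 2:
        return "escalate"
    if families == 1:
        return "investigate"
    return "clean"


# Constructed sample telemetry: a mix of the profile's indicators and benign noise.
SAMPLE_EVENTS = [
    {"type": "scheduled_task", "name": "TonnerreUpdater"},
    {"type": "scheduled_task", "name": "GoogleUpdateTaskMachineUA"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Tonnerre",
     "value": r"C:\Users\Public\svc.exe"},
    {"type": "network", "dst_ip": "185.165.29.77",
     "user_agent": "Mozilla/5.0 (Tonnerre v1.1)"},
    {"type": "network", "dst_ip": "13.107.4.52",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0)"},
    {"type": "file_create", "path": r"C:\Users\alice\Documents\budget.xlsx.tonnerre"},
    {"type": "file_create", "path": r"C:\Users\alice\Desktop\HOW_TO_RECOVER_DATA.txt"},
    {"type": "network", "dst_ip": "not-an-ip"},
]

if __name__ == "__main__":
    matched = scan(SAMPLE_EVENTS)
    for name, count in sorted(matched.items()):
        print(f"{name}: {count}")
    print("verdict:", verdict(matched))
```

The ".tonnerre" extension and ransom note checks fire only after encryption has started, so the persistence and network matches are the ones worth alerting on early; the three-tier verdict keeps a lone generic task name from paging anyone while still surfacing it for review.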