ALPS blog

Ransomware Spotlight: RansomEXX

RansomEXX is a ransomware variant that gained notoriety after a spate of attacks in 2020 and continues to be active today. With its targeted nature and history of choosing high-profile victims, we shine our spotlight on RansomEXX to reveal its tactics, techniques, and procedures.

RansomEXX is a ransomware variant that debuted as Defray777 in 2018. It made a name for itself in 2020, after it was used in widely reported attacks on government agencies, manufacturers, and other such high-profile targets only months apart. By then, it was dubbed RansomEXX after the string “ransom.exx” was found in its binary. In 2020, the group also started a leak site for publishing stolen data.

Today, RansomEXX remains an active name among other ransomware variants like LockBit and Conti. Like other groups, the one running RansomEXX appears to have no qualms about publishing data stolen from its targets. It has also published information stolen from government agencies — a recent case was an attack on a Scottish mental health charity in March 2022, where they published 12GB worth of data that included the personal information and even credit card details of the charity’s volunteers.

This paints a picture of how RansomEXX operates and why it should be thwarted. To help in this regard, this report looks into its specific tactics, tools, and methods, so that organizations can be better prepared to defend against it.

What do organizations need to know about RansomEXX?

RansomEXX is another ransomware variant that runs on a ransomware-as-a-service (RaaS) model and has been consistently active since its discovery. Up to the present, RansomEXX has been responsible for attacks and for publishing stolen data on its leak site. Here is an overview of what RansomEXX is known for:

  • It has both a Windows and Linux variant. RansomEXX’s Linux version, discovered in late 2020, marked the first known time a major Windows ransomware variant expanded to Linux. This move allows modern ransomware variants to target core infrastructure that often runs on Linux.
  • Linked to the threat group Gold Dupont. The threat group has been active since 2018. They are a financially motivated cybercriminal group with a main arsenal that includes RansomEXX or Defray777, Cobalt Strike, Metasploit, and Vatet Loader.
  • Uses trojanized legitimate tools. RansomEXX campaigns, as is typical of Gold Dupont attacks, involve malware like Vatet Loader, PyXie RAT, TrickBot, and post-intrusion tools like Cobalt Strike as part of their arsenal. The use of trojanized legitimate tools is common among modern ransomware variants, allowing them to deploy payloads faster while avoiding detection.
  • Hardcoded name of the target in its binary. One of the key indicators of RansomEXX’s targeted nature is how it has its target’s name hardcoded in its binary. It demonstrates how RansomEXX attacks involve a certain amount of preparation and are tailored to their chosen victim’s profile.
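A triage check built on the two string indicators described above, the “ransom.exx” marker and the hardcoded victim name, written as an added example that is not part of the original report. The function names, the organization name "Example Corp", the sample bytes, and the assumption that the strings may be stored as UTF-8 or UTF-16LE are all illustrative.

```python
"""Added example: triage a suspicious file for the string indicators named in the article."""
import re

# Marker string quoted in the article. Organization names are supplied by the defender.
MARKER = "ransom.exx"


def _patterns(term):
    """Yield (encoding label, case-insensitive bytes regex) for a search term.

    Assumption: strings may be stored as UTF-8 or as UTF-16LE (common in Windows binaries).
    """
    for label, codec in (("utf-8", "utf-8"), ("utf-16le", "utf-16-le")):
        yield label, re.compile(re.escape(term.encode(codec)), re.IGNORECASE)


def scan_bytes(data, org_names):
    """Return hits sorted by offset; each hit records term, kind, encoding and offset."""
    terms = [(MARKER, "family-marker")]
    terms += [(name.strip(), "org-name") for name in org_names if name.strip()]
    hits = []
    for term, kind in terms:
        for label, rx in _patterns(term):
            for match in rx.finditer(data):
                hits.append({"term": term, "kind": kind,
                             "encoding": label, "offset": match.start()})
    return sorted(hits, key=lambda h: h["offset"])


def verdict(hits):
    """Summarize hits into a triage decision for the analyst."""
    kinds = {h["kind"] for h in hits}
    if kinds == {"family-marker", "org-name"}:
        return "escalate: family marker and own organization name present"
    if "org-name" in kinds:
        return "review: own organization name embedded in file"
    if "family-marker" in kinds:
        return "review: family marker string present"
    return "no indicator strings found"


# Constructed sample bytes (not real malware): a fake header, the marker, a UTF-16LE name.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16 + b"ransom.exx\x00"
          + "Example Corp".encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    found = scan_bytes(SAMPLE, ["example corp"])
    for hit in found:
        print(hit)
    print(verdict(found))
```

A clean result does not clear a file, since packed or obfuscated samples will not expose these strings on disk.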

Aside from these known characteristics of RansomEXX, an interesting development in its more recent history is its attack on a mental health charity. Prior to this particular attack, RansomEXX targeted larger organizations like a government agency, a major clothing store in Brazil, and many others. Ransomware groups are known to choose targets based on their ability to pay hefty ransoms, making the attack on the charity organization a notable departure.

Operating as an RaaS, the actors behind RansomEXX conduct reconnaissance before each campaign to help them choose the right tools from their arsenal to build an efficient attack. For example, RansomEXX has employed IcedID and Vatet Loader, among others, for an attack in which deploying the ransomware only took five hours after initial access. The next sections look at the regions and industries the group has targeted most often, based on our detections.

