ALPS blog

RansomEXX is a ransomware variant that gained notoriety after a spate of attacks in 2020 and continues to be active today. With its targeted nature and history for choosing high-profile victims, we shine our spotlight on RansomEXX to reveal its tactics, techniques, and procedures.

RansomEXX is a ransomware variant that debuted as Defray777 in 2018. It made a name for itself in 2020, after it was used in widely reported attacks on government agencies, manufacturers, and other high-profile targets only months apart. By then, it was dubbed RansomEXX after the string “ransom.exx” was found in its binary. In 2020, the group also started a leak site for publishing stolen data.

Today, RansomEXX remains an active name among other ransomware variants like LockBit and Conti. Like other groups, the one running RansomEXX appears to have no qualms about publishing data stolen from its targets. It has also published information stolen from government agencies — a recent case was an attack on a Scottish mental health charity in March 2022, where they published 12GB worth of data that included the personal information and even credit card details of the charity’s volunteers.

This paints a picture of how RansomEXX operates and why it should be thwarted. To help in this regard, this report looks into its specific tactics, tools, and methods, so that organizations can be better prepared to defend against it.

What do organizations need to know about RansomEXX

RansomEXX is another ransomware variant that runs on a ransomware-as-a-service (RaaS) model and has been consistently active since its discovery. Up to the present, RansomEXX has been responsible for attacks and publishing stolen data on its leak site. Here is an overview of what RansomEXX is known for:

Aside from these known characteristics of RansomEXX, an interesting development in its more recent history is its attack on a mental health charity. Prior to this particular attack, RansomEXX targeted larger organizations such as a government agency, a major clothing store in Brazil, and many others. Ransomware groups are known to choose targets based on their ability to pay hefty ransoms, which makes the attack on the charity a notable departure.

Operating as a RaaS, the actors behind RansomEXX conduct reconnaissance before each campaign to help them choose the right tools from their arsenal to build an efficient attack. For example, RansomEXX has employed IcedID and the Vatet loader, among others, in an attack in which deploying the ransomware took only five hours after initial access. The next sections look at the regions and industries the group has targeted most often, based on our detections.