SYMBOLCOMMON_NAMEaka. SYNONYMS
win.ransomexx (Back to overview)

RansomEXX

aka: Ransom X, Defray777

RansomExx is a ransomware family that targeted multiple companies starting in mid-2020. It shares commonalities with Defray777.

References
2021-02-26CrowdStrikeEric Loui, Sergei Frankoff
@online{loui:20210226:hypervisor:8dadf9c, author = {Eric Loui and Sergei Frankoff}, title = {{Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact}}, date = {2021-02-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout}, language = {English}, urldate = {2021-03-02} } Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
RansomEXX Griffon Carbanak Cobalt Strike IcedID MimiKatz PyXie RansomEXX REvil
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon Ransomware BazarBackdoor Clop Cobalt Strike Conti Ransomware Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet Ransomware ShadowPad SmokeLoader Snake Ransomware SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-01-26CybereasonDaniel Frank
@online{frank:20210126:cybereason:8b4d681, author = {Daniel Frank}, title = {{Cybereason vs. RansomEXX Ransomware}}, date = {2021-01-26}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware}, language = {English}, urldate = {2021-01-27} } Cybereason vs. RansomEXX Ransomware
RansomEXX RansomEXX
2021-01-06Trend MicroLeandro Froes
@online{froes:20210106:expanding:c61590d, author = {Leandro Froes}, title = {{Expanding Range and Improving Speed: A RansomExx Approach}}, date = {2021-01-06}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html}, language = {English}, urldate = {2021-01-11} } Expanding Range and Improving Speed: A RansomExx Approach
RansomEXX
2020-12-09CiscoDavid Liebenberg, Caitlin Huey
@online{liebenberg:20201209:quarterly:9ed3062, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends from Fall 2020}}, date = {2020-12-09}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html}, language = {English}, urldate = {2020-12-10} } Quarterly Report: Incident Response trends from Fall 2020
Cobalt Strike IcedID Maze RansomEXX Ryuk
2020-11-06Kaspersky LabsFedor Sinitsyn, Vladimir Kuskov
@online{sinitsyn:20201106:ransomexx:3ca495c, author = {Fedor Sinitsyn and Vladimir Kuskov}, title = {{RansomEXX Trojan attacks Linux systems}}, date = {2020-11-06}, organization = {Kaspersky Labs}, url = {https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/}, language = {English}, urldate = {2020-11-09} } RansomEXX Trojan attacks Linux systems
RansomEXX RansomEXX
2020-11-06Palo Alto Networks Unit 42Ryan Tracey, Drew Schmitt, CRYPSIS
@online{tracey:20201106:indicators:1ec9384, author = {Ryan Tracey and Drew Schmitt and CRYPSIS}, title = {{Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777}}, date = {2020-11-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/}, language = {English}, urldate = {2020-11-12} } Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777
Cobalt Strike PyXie RansomEXX
2020-11-06Palo Alto Networks Unit 42Ryan Tracey, Drew Schmitt, CRYPSIS
@online{tracey:20201106:last:11cf9f2, author = {Ryan Tracey and Drew Schmitt and CRYPSIS}, title = {{Last, but Not Least: Defray777}}, date = {2020-11-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3}, language = {English}, urldate = {2020-11-12} } Last, but Not Least: Defray777
PyXie RansomEXX
2020-11-06Palo Alto Networks Unit 42Ryan Tracey, Drew Schmitt, CRYPSIS
@online{tracey:20201106:when:8e743b9, author = {Ryan Tracey and Drew Schmitt and CRYPSIS}, title = {{When Threat Actors Fly Under the Radar: Vatet, PyXie and Defray777}}, date = {2020-11-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/}, language = {English}, urldate = {2020-11-12} } When Threat Actors Fly Under the Radar: Vatet, PyXie and Defray777
PyXie RansomEXX
2020-11-06Palo Alto Networks Unit 42Ryan Tracey, Drew Schmitt, CRYPSIS
@online{tracey:20201106:linking:152fbf2, author = {Ryan Tracey and Drew Schmitt and CRYPSIS}, title = {{Linking Vatet, PyXie and Defray777}}, date = {2020-11-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4}, language = {English}, urldate = {2020-11-12} } Linking Vatet, PyXie and Defray777
PyXie RansomEXX
2020-11-05Bleeping ComputerSergiu Gatlan
@online{gatlan:20201105:brazils:f1f0810, author = {Sergiu Gatlan}, title = {{Brazil's court system under massive RansomExx ransomware attack}}, date = {2020-11-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/}, language = {English}, urldate = {2020-11-09} } Brazil's court system under massive RansomExx ransomware attack
RansomEXX
2020-06-26BleepingComputerLawrence Abrams
@online{abrams:20200626:new:d6e2d17, author = {Lawrence Abrams}, title = {{New Ransom X Ransomware used in Texas TxDOT cyberattack}}, date = {2020-06-26}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/}, language = {English}, urldate = {2020-07-11} } New Ransom X Ransomware used in Texas TxDOT cyberattack
RansomEXX
2020-06-26Github (Bleeping)Lawrence Abrams
@online{abrams:20200626:ransom:9e453cd, author = {Lawrence Abrams}, title = {{Ransom .exx notes}}, date = {2020-06-26}, organization = {Github (Bleeping)}, url = {https://github.com/Bleeping/Ransom.exx}, language = {English}, urldate = {2020-07-11} } Ransom .exx notes
RansomEXX
2020-06-17Andrew Ivanov
@online{ivanov:20200617:ransomexx:ab0e087, author = {Andrew Ivanov}, title = {{RansomEXX Ransomware}}, date = {2020-06-17}, url = {https://id-ransomware.blogspot.com/2020/06/ransomexx-ransomware.html}, language = {Russian}, urldate = {2020-07-08} } RansomEXX Ransomware
RansomEXX
Yara Rules
[TLP:WHITE] win_ransomexx_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_ransomexx_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomexx"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 88580c 8bcb 8bd3 c1e908 c1ea10 88480d 8b0d???????? }
            // n = 7, score = 100
            //   88580c               | mov                 byte ptr [eax + 0xc], bl
            //   8bcb                 | mov                 ecx, ebx
            //   8bd3                 | mov                 edx, ebx
            //   c1e908               | shr                 ecx, 8
            //   c1ea10               | shr                 edx, 0x10
            //   88480d               | mov                 byte ptr [eax + 0xd], cl
            //   8b0d????????         |                     

        $sequence_1 = { 8945e0 8b45d8 c1c00a 8945d8 8b45ec 3345f8 3345f0 }
            // n = 7, score = 100
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   8b45d8               | mov                 eax, dword ptr [ebp - 0x28]
            //   c1c00a               | rol                 eax, 0xa
            //   8945d8               | mov                 dword ptr [ebp - 0x28], eax
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   3345f8               | xor                 eax, dword ptr [ebp - 8]
            //   3345f0               | xor                 eax, dword ptr [ebp - 0x10]

        $sequence_2 = { 0345f4 8b5dcc 8945fc 8b45f8 c1c00a 8945f8 8b45d8 }
            // n = 7, score = 100
            //   0345f4               | add                 eax, dword ptr [ebp - 0xc]
            //   8b5dcc               | mov                 ebx, dword ptr [ebp - 0x34]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   c1c00a               | rol                 eax, 0xa
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b45d8               | mov                 eax, dword ptr [ebp - 0x28]

        $sequence_3 = { 895c0104 83c120 8954240c 83fa10 0f8cd3fdffff 83fa50 0f8df7000000 }
            // n = 7, score = 100
            //   895c0104             | mov                 dword ptr [ecx + eax + 4], ebx
            //   83c120               | add                 ecx, 0x20
            //   8954240c             | mov                 dword ptr [esp + 0xc], edx
            //   83fa10               | cmp                 edx, 0x10
            //   0f8cd3fdffff         | jl                  0xfffffdd9
            //   83fa50               | cmp                 edx, 0x50
            //   0f8df7000000         | jge                 0xfd

        $sequence_4 = { c1c802 33d8 235df8 897df4 335df0 c1c705 037dbc }
            // n = 7, score = 100
            //   c1c802               | ror                 eax, 2
            //   33d8                 | xor                 ebx, eax
            //   235df8               | and                 ebx, dword ptr [ebp - 8]
            //   897df4               | mov                 dword ptr [ebp - 0xc], edi
            //   335df0               | xor                 ebx, dword ptr [ebp - 0x10]
            //   c1c705               | rol                 edi, 5
            //   037dbc               | add                 edi, dword ptr [ebp - 0x44]

        $sequence_5 = { 0f84d5000000 33c0 8bff 6683bc45bcfdffff5c 750a }
            // n = 5, score = 100
            //   0f84d5000000         | je                  0xdb
            //   33c0                 | xor                 eax, eax
            //   8bff                 | mov                 edi, edi
            //   6683bc45bcfdffff5c     | cmp    word ptr [ebp + eax*2 - 0x244], 0x5c
            //   750a                 | jne                 0xc

        $sequence_6 = { c1c60a 33fe 8bf2 c1ce02 33fe 8b75dc 037df8 }
            // n = 7, score = 100
            //   c1c60a               | rol                 esi, 0xa
            //   33fe                 | xor                 edi, esi
            //   8bf2                 | mov                 esi, edx
            //   c1ce02               | ror                 esi, 2
            //   33fe                 | xor                 edi, esi
            //   8b75dc               | mov                 esi, dword ptr [ebp - 0x24]
            //   037df8               | add                 edi, dword ptr [ebp - 8]

        $sequence_7 = { 010e 114604 394604 770d 7204 390e 7307 }
            // n = 7, score = 100
            //   010e                 | add                 dword ptr [esi], ecx
            //   114604               | adc                 dword ptr [esi + 4], eax
            //   394604               | cmp                 dword ptr [esi + 4], eax
            //   770d                 | ja                  0xf
            //   7204                 | jb                  6
            //   390e                 | cmp                 dword ptr [esi], ecx
            //   7307                 | jae                 9

        $sequence_8 = { 8b70fc 33f1 894808 89700c 83fa28 0f8214feffff 5f }
            // n = 7, score = 100
            //   8b70fc               | mov                 esi, dword ptr [eax - 4]
            //   33f1                 | xor                 esi, ecx
            //   894808               | mov                 dword ptr [eax + 8], ecx
            //   89700c               | mov                 dword ptr [eax + 0xc], esi
            //   83fa28               | cmp                 edx, 0x28
            //   0f8214feffff         | jb                  0xfffffe1a
            //   5f                   | pop                 edi

        $sequence_9 = { 03fb 897808 8b780c 03f9 8b4814 03ce }
            // n = 6, score = 100
            //   03fb                 | add                 edi, ebx
            //   897808               | mov                 dword ptr [eax + 8], edi
            //   8b780c               | mov                 edi, dword ptr [eax + 0xc]
            //   03f9                 | add                 edi, ecx
            //   8b4814               | mov                 ecx, dword ptr [eax + 0x14]
            //   03ce                 | add                 ecx, esi

    condition:
        7 of them and filesize < 372736
}
Download all Yara Rules