RansomEXX (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.ransomexx (Back to overview)

RansomEXX

aka: Ransom X, Defray777

Actor(s): GOLD DUPONT

VTCollection

RansomExx is a ransomware family that targeted multiple companies starting in mid-2020. It shares commonalities with Defray777.

References

2025-04-08 ⋅ Microsoft ⋅ Microsoft Threat Intelligence
Exploitation of CLFS zero-day leads to ransomware activity
RansomEXX Storm-2460

2022-11-30 ⋅ SentinelOne ⋅ SentinelOne
RansomEXX Ransomware: In-Depth Analysis, Detection, and Mitigation
RansomEXX RansomEXX

2022-05-17 ⋅ Trend Micro ⋅ Trend Micro Research
Ransomware Spotlight: RansomEXX
LaZagne Cobalt Strike IcedID MimiKatz PyXie RansomEXX TrickBot

2021-11-01 ⋅ FBI ⋅ FBI
PIN Number 20211101-001: Ransomware Actors Use Significant Financial Events and Stock Valuation to Facilitate Targeting and Extortion of Victims
DarkSide RansomEXX DarkSide PyXie RansomEXX

2021-09-30 ⋅ Medium proferosec-osm ⋅ Brenton Morris
RansomEXX, Fixing Corrupted Ransom
RansomEXX

2021-08-05 ⋅ KrebsOnSecurity ⋅ Brian Krebs
Ransomware Gangs and the Name Game Distraction
DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet

2021-08-03 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Ransomware attack hits Italy's Lazio region, affects COVID-19 site
LockBit RansomEXX

2021-07-17 ⋅ BleepingComputer ⋅ Lawrence Abrams
Ecuador's state-run CNT telco hit by RansomEXX ransomware
RansomEXX RansomEXX

2021-05-10 ⋅ DarkTracer ⋅ DarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX

2021-05-06 ⋅ Cyborg Security ⋅ Brandon Denker
Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX

2021-03-17 ⋅ Palo Alto Networks Unit 42 ⋅ Unit42
Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker

2021-03-09 ⋅ Youtube (SANS Digital Forensics and Incident Response) ⋅ Eric Loui, Sergei Frankoff
Jackpotting ESXi Servers For Maximum Encryption | Eric Loui & Sergei Frankoff | SANS CTI Summit 2021
DarkSide RansomEXX DarkSide RansomEXX GOLD DUPONT

2021-03-01 ⋅ Group-IB ⋅ Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev
Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader

2021-02-26 ⋅ CrowdStrike ⋅ Eric Loui, Sergei Frankoff
Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2021-02-02 ⋅ ⋅ CRONUP ⋅ Germán Fernández
De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader

2021-01-26 ⋅ Cybereason ⋅ Daniel Frank
Cybereason vs. RansomEXX Ransomware
RansomEXX RansomEXX

2021-01-06 ⋅ Trend Micro ⋅ Leandro Froes
Expanding Range and Improving Speed: A RansomExx Approach
RansomEXX

2021-01-01 ⋅ CrowdStrike ⋅ Eric Loui, Sergei Frankoff
Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX DarkSide RansomEXX GOLD DUPONT

2020-12-09 ⋅ Cisco ⋅ Caitlin Huey, David Liebenberg
Quarterly Report: Incident Response trends from Fall 2020
Cobalt Strike IcedID Maze RansomEXX Ryuk

2020-11-06 ⋅ Palo Alto Networks Unit 42 ⋅ CRYPSIS, Drew Schmitt, Ryan Tracey
Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777
Cobalt Strike PyXie RansomEXX

2020-11-06 ⋅ Palo Alto Networks Unit 42 ⋅ CRYPSIS, Drew Schmitt, Ryan Tracey
Last, but Not Least: Defray777
PyXie RansomEXX

2020-11-06 ⋅ Palo Alto Networks Unit 42 ⋅ CRYPSIS, Drew Schmitt, Ryan Tracey
When Threat Actors Fly Under the Radar: Vatet, PyXie and Defray777
PyXie RansomEXX

2020-11-06 ⋅ Palo Alto Networks Unit 42 ⋅ CRYPSIS, Drew Schmitt, Ryan Tracey
Linking Vatet, PyXie and Defray777
PyXie RansomEXX

2020-11-06 ⋅ Kaspersky Labs ⋅ Fedor Sinitsyn, Vladimir Kuskov
RansomEXX Trojan attacks Linux systems
RansomEXX RansomEXX

2020-11-05 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
Brazil's court system under massive RansomExx ransomware attack
RansomEXX

2020-06-26 ⋅ Github (Bleeping) ⋅ Lawrence Abrams
Ransom .exx notes
RansomEXX

2020-06-26 ⋅ BleepingComputer ⋅ Lawrence Abrams
New Ransom X Ransomware used in Texas TxDOT cyberattack
RansomEXX

2020-06-17 ⋅ ⋅ Andrew Ivanov
RansomEXX Ransomware
RansomEXX

Yara Rules

[TLP:WHITE] win_ransomexx_auto (20260504 | Detects win.ransomexx.)

rule win_ransomexx_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.ransomexx."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomexx"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c3 3bc8 735c 6a04 50 ff15???????? 8bd8 }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   3bc8                 | cmp                 ecx, eax
            //   735c                 | jae                 0x5e
            //   6a04                 | push                4
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax

        $sequence_1 = { 897df8 3bf9 0f849d010000 eb03 8b7df8 8b5728 0fb77724 }
            // n = 7, score = 100
            //   897df8               | mov                 dword ptr [ebp - 8], edi
            //   3bf9                 | cmp                 edi, ecx
            //   0f849d010000         | je                  0x1a3
            //   eb03                 | jmp                 5
            //   8b7df8               | mov                 edi, dword ptr [ebp - 8]
            //   8b5728               | mov                 edx, dword ptr [edi + 0x28]
            //   0fb77724             | movzx               esi, word ptr [edi + 0x24]

        $sequence_2 = { 50 8d4df4 51 6a04 52 ffd6 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   8d4df4               | lea                 ecx, [ebp - 0xc]
            //   51                   | push                ecx
            //   6a04                 | push                4
            //   52                   | push                edx
            //   ffd6                 | call                esi

        $sequence_3 = { 8d8424b8010000 e8???????? 83c007 c1e803 898424b4010000 8b842454020000 2bc6 }
            // n = 7, score = 100
            //   8d8424b8010000       | lea                 eax, [esp + 0x1b8]
            //   e8????????           |                     
            //   83c007               | add                 eax, 7
            //   c1e803               | shr                 eax, 3
            //   898424b4010000       | mov                 dword ptr [esp + 0x1b4], eax
            //   8b842454020000       | mov                 eax, dword ptr [esp + 0x254]
            //   2bc6                 | sub                 eax, esi

        $sequence_4 = { 83c40c 51 ff15???????? 83c404 8b4dd8 85c9 7425 }
            // n = 7, score = 100
            //   83c40c               | add                 esp, 0xc
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   83c404               | add                 esp, 4
            //   8b4dd8               | mov                 ecx, dword ptr [ebp - 0x28]
            //   85c9                 | test                ecx, ecx
            //   7425                 | je                  0x27

        $sequence_5 = { 750e 8b7d10 8d742410 e8???????? 8bf0 8b0d???????? 68d8000000 }
            // n = 7, score = 100
            //   750e                 | jne                 0x10
            //   8b7d10               | mov                 edi, dword ptr [ebp + 0x10]
            //   8d742410             | lea                 esi, [esp + 0x10]
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   8b0d????????         |                     
            //   68d8000000           | push                0xd8

        $sequence_6 = { 7507 c7431001000000 a1???????? 6880010000 8d957cfeffff 6a00 52 }
            // n = 7, score = 100
            //   7507                 | jne                 9
            //   c7431001000000       | mov                 dword ptr [ebx + 0x10], 1
            //   a1????????           |                     
            //   6880010000           | push                0x180
            //   8d957cfeffff         | lea                 edx, [ebp - 0x184]
            //   6a00                 | push                0
            //   52                   | push                edx

        $sequence_7 = { 33f6 3935???????? 750f e8???????? c705????????01000000 0f31 a3???????? }
            // n = 7, score = 100
            //   33f6                 | xor                 esi, esi
            //   3935????????         |                     
            //   750f                 | jne                 0x11
            //   e8????????           |                     
            //   c705????????01000000     |     
            //   0f31                 | rdtsc               
            //   a3????????           |                     

        $sequence_8 = { e8???????? 8bf0 83c404 85f6 0f8582030000 8b4514 85c0 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   83c404               | add                 esp, 4
            //   85f6                 | test                esi, esi
            //   0f8582030000         | jne                 0x388
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   85c0                 | test                eax, eax

        $sequence_9 = { 3dea000000 74b7 8b4618 03c6 7454 8b4808 }
            // n = 6, score = 100
            //   3dea000000           | cmp                 eax, 0xea
            //   74b7                 | je                  0xffffffb9
            //   8b4618               | mov                 eax, dword ptr [esi + 0x18]
            //   03c6                 | add                 eax, esi
            //   7454                 | je                  0x56
            //   8b4808               | mov                 ecx, dword ptr [eax + 8]

    condition:
        7 of them and filesize < 372736
}

Download all Yara Rules

RansomEXX Propose Change

References

Yara Rules

RansomEXX