SYMBOLCOMMON_NAMEaka. SYNONYMS
win.ransomexx (Back to overview)

RansomEXX

aka: Ransom X, Defray777

Actor(s): GOLD DUPONT


RansomExx is a ransomware family that targeted multiple companies starting in mid-2020. It shares commonalities with Defray777.

References
2021-11-01FBIFBI
@techreport{fbi:20211101:pin:a9b78d3, author = {FBI}, title = {{PIN Number 20211101-001: Ransomware Actors Use Significant Financial Events and Stock Valuation to Facilitate Targeting and Extortion of Victims}}, date = {2021-11-01}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/211101.pdf}, language = {English}, urldate = {2021-11-03} } PIN Number 20211101-001: Ransomware Actors Use Significant Financial Events and Stock Valuation to Facilitate Targeting and Extortion of Victims
DarkSide RansomEXX DarkSide PyXie RansomEXX
2021-09-30Medium proferosec-osmBrenton Morris
@online{morris:20210930:ransomexx:2ca1e51, author = {Brenton Morris}, title = {{RansomEXX, Fixing Corrupted Ransom}}, date = {2021-09-30}, organization = {Medium proferosec-osm}, url = {https://medium.com/proferosec-osm/ransomexx-fixing-corrupted-ransom-8e379bcaf701}, language = {English}, urldate = {2021-10-20} } RansomEXX, Fixing Corrupted Ransom
RansomEXX
2021-08-05KrebsOnSecurityBrian Krebs
@online{krebs:20210805:ransomware:0962b82, author = {Brian Krebs}, title = {{Ransomware Gangs and the Name Game Distraction}}, date = {2021-08-05}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/}, language = {English}, urldate = {2021-12-13} } Ransomware Gangs and the Name Game Distraction
DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet
2021-08-03Bleeping ComputerLawrence Abrams
@online{abrams:20210803:ransomware:d1b938f, author = {Lawrence Abrams}, title = {{Ransomware attack hits Italy's Lazio region, affects COVID-19 site}}, date = {2021-08-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/}, language = {English}, urldate = {2021-08-06} } Ransomware attack hits Italy's Lazio region, affects COVID-19 site
LockBit RansomEXX
2021-07-17BleepingComputerLawrence Abrams
@online{abrams:20210717:ecuadors:3940c8e, author = {Lawrence Abrams}, title = {{Ecuador's state-run CNT telco hit by RansomEXX ransomware}}, date = {2021-07-17}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/}, language = {English}, urldate = {2021-07-26} } Ecuador's state-run CNT telco hit by RansomEXX ransomware
RansomEXX RansomEXX
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-06Cyborg SecurityBrandon Denker
@online{denker:20210506:ransomware:a1f31df, author = {Brandon Denker}, title = {{Ransomware: Hunting for Inhibiting System Backup or Recovery}}, date = {2021-05-06}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/}, language = {English}, urldate = {2021-05-08} } Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-03-17Palo Alto Networks Unit 42Unit42
@techreport{unit42:20210317:ransomware:504cc32, author = {Unit42}, title = {{Ransomware Threat Report 2021}}, date = {2021-03-17}, institution = {Palo Alto Networks Unit 42}, url = {https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf}, language = {English}, urldate = {2021-03-19} } Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker
2021-03-09Youtube (SANS Digital Forensics and Incident Response)Eric Loui, Sergei Frankoff
@online{loui:20210309:jackpotting:1dcc95b, author = {Eric Loui and Sergei Frankoff}, title = {{Jackpotting ESXi Servers For Maximum Encryption | Eric Loui & Sergei Frankoff | SANS CTI Summit 2021}}, date = {2021-03-09}, organization = {Youtube (SANS Digital Forensics and Incident Response)}, url = {https://www.youtube.com/watch?v=qxPXxWMI2i4}, language = {English}, urldate = {2021-05-31} } Jackpotting ESXi Servers For Maximum Encryption | Eric Loui & Sergei Frankoff | SANS CTI Summit 2021
DarkSide RansomEXX DarkSide RansomEXX GOLD DUPONT
2021-03Group-IBOleg Skulkin, Roman Rezvukhin, Semyon Rogachev
@techreport{skulkin:202103:ransomware:992ca10, author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev}, title = {{Ransomware Uncovered 2020/2021}}, date = {2021-03}, institution = {Group-IB}, url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf}, language = {English}, urldate = {2021-06-16} } Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-26CrowdStrikeEric Loui, Sergei Frankoff
@online{loui:20210226:hypervisor:8dadf9c, author = {Eric Loui and Sergei Frankoff}, title = {{Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact}}, date = {2021-02-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout}, language = {English}, urldate = {2021-05-26} } Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-01-26CybereasonDaniel Frank
@online{frank:20210126:cybereason:8b4d681, author = {Daniel Frank}, title = {{Cybereason vs. RansomEXX Ransomware}}, date = {2021-01-26}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware}, language = {English}, urldate = {2021-01-27} } Cybereason vs. RansomEXX Ransomware
RansomEXX RansomEXX
2021-01-06Trend MicroLeandro Froes
@online{froes:20210106:expanding:c61590d, author = {Leandro Froes}, title = {{Expanding Range and Improving Speed: A RansomExx Approach}}, date = {2021-01-06}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html}, language = {English}, urldate = {2021-01-11} } Expanding Range and Improving Speed: A RansomExx Approach
RansomEXX
2021CrowdStrikeEric Loui, Sergei Frankoff
@online{loui:2021:hypervisor:ade976a, author = {Eric Loui and Sergei Frankoff}, title = {{Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact}}, date = {2021}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/}, language = {English}, urldate = {2021-05-31} } Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX DarkSide RansomEXX GOLD DUPONT
2020-12-09CiscoDavid Liebenberg, Caitlin Huey
@online{liebenberg:20201209:quarterly:9ed3062, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends from Fall 2020}}, date = {2020-12-09}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html}, language = {English}, urldate = {2020-12-10} } Quarterly Report: Incident Response trends from Fall 2020
Cobalt Strike IcedID Maze RansomEXX Ryuk
2020-11-06Palo Alto Networks Unit 42Ryan Tracey, Drew Schmitt, CRYPSIS
@online{tracey:20201106:linking:152fbf2, author = {Ryan Tracey and Drew Schmitt and CRYPSIS}, title = {{Linking Vatet, PyXie and Defray777}}, date = {2020-11-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4}, language = {English}, urldate = {2020-11-12} } Linking Vatet, PyXie and Defray777
PyXie RansomEXX
2020-11-06Kaspersky LabsFedor Sinitsyn, Vladimir Kuskov
@online{sinitsyn:20201106:ransomexx:3ca495c, author = {Fedor Sinitsyn and Vladimir Kuskov}, title = {{RansomEXX Trojan attacks Linux systems}}, date = {2020-11-06}, organization = {Kaspersky Labs}, url = {https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/}, language = {English}, urldate = {2020-11-09} } RansomEXX Trojan attacks Linux systems
RansomEXX RansomEXX
2020-11-06Palo Alto Networks Unit 42Ryan Tracey, Drew Schmitt, CRYPSIS
@online{tracey:20201106:when:8e743b9, author = {Ryan Tracey and Drew Schmitt and CRYPSIS}, title = {{When Threat Actors Fly Under the Radar: Vatet, PyXie and Defray777}}, date = {2020-11-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/}, language = {English}, urldate = {2020-11-12} } When Threat Actors Fly Under the Radar: Vatet, PyXie and Defray777
PyXie RansomEXX
2020-11-06Palo Alto Networks Unit 42Ryan Tracey, Drew Schmitt, CRYPSIS
@online{tracey:20201106:indicators:1ec9384, author = {Ryan Tracey and Drew Schmitt and CRYPSIS}, title = {{Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777}}, date = {2020-11-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/}, language = {English}, urldate = {2020-11-12} } Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777
Cobalt Strike PyXie RansomEXX
2020-11-06Palo Alto Networks Unit 42Ryan Tracey, Drew Schmitt, CRYPSIS
@online{tracey:20201106:last:11cf9f2, author = {Ryan Tracey and Drew Schmitt and CRYPSIS}, title = {{Last, but Not Least: Defray777}}, date = {2020-11-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3}, language = {English}, urldate = {2020-11-12} } Last, but Not Least: Defray777
PyXie RansomEXX
2020-11-05Bleeping ComputerSergiu Gatlan
@online{gatlan:20201105:brazils:f1f0810, author = {Sergiu Gatlan}, title = {{Brazil's court system under massive RansomExx ransomware attack}}, date = {2020-11-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/}, language = {English}, urldate = {2020-11-09} } Brazil's court system under massive RansomExx ransomware attack
RansomEXX
2020-06-26BleepingComputerLawrence Abrams
@online{abrams:20200626:new:d6e2d17, author = {Lawrence Abrams}, title = {{New Ransom X Ransomware used in Texas TxDOT cyberattack}}, date = {2020-06-26}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/}, language = {English}, urldate = {2020-07-11} } New Ransom X Ransomware used in Texas TxDOT cyberattack
RansomEXX
2020-06-26Github (Bleeping)Lawrence Abrams
@online{abrams:20200626:ransom:9e453cd, author = {Lawrence Abrams}, title = {{Ransom .exx notes}}, date = {2020-06-26}, organization = {Github (Bleeping)}, url = {https://github.com/Bleeping/Ransom.exx}, language = {English}, urldate = {2020-07-11} } Ransom .exx notes
RansomEXX
2020-06-17Andrew Ivanov
@online{ivanov:20200617:ransomexx:ab0e087, author = {Andrew Ivanov}, title = {{RansomEXX Ransomware}}, date = {2020-06-17}, url = {https://id-ransomware.blogspot.com/2020/06/ransomexx-ransomware.html}, language = {Russian}, urldate = {2020-07-08} } RansomEXX Ransomware
RansomEXX
Yara Rules
[TLP:WHITE] win_ransomexx_auto (20211008 | Detects win.ransomexx.)
rule win_ransomexx_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.ransomexx."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomexx"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 56 8d85a4f9ffff 7809 8bf7 e8???????? eb05 e8???????? }
            // n = 7, score = 100
            //   56                   | push                esi
            //   8d85a4f9ffff         | lea                 eax, dword ptr [ebp - 0x65c]
            //   7809                 | js                  0xb
            //   8bf7                 | mov                 esi, edi
            //   e8????????           |                     
            //   eb05                 | jmp                 7
            //   e8????????           |                     

        $sequence_1 = { 8d430f 8d4900 fe00 7508 48 8d1407 85d2 }
            // n = 7, score = 100
            //   8d430f               | lea                 eax, dword ptr [ebx + 0xf]
            //   8d4900               | lea                 ecx, dword ptr [ecx]
            //   fe00                 | inc                 byte ptr [eax]
            //   7508                 | jne                 0xa
            //   48                   | dec                 eax
            //   8d1407               | lea                 edx, dword ptr [edi + eax]
            //   85d2                 | test                edx, edx

        $sequence_2 = { 8bcc 33c0 3bc8 0f84eb000000 8bd1 81ea???????? 42 }
            // n = 7, score = 100
            //   8bcc                 | mov                 ecx, esp
            //   33c0                 | xor                 eax, eax
            //   3bc8                 | cmp                 ecx, eax
            //   0f84eb000000         | je                  0xf1
            //   8bd1                 | mov                 edx, ecx
            //   81ea????????         |                     
            //   42                   | inc                 edx

        $sequence_3 = { 8bff 8b30 8d55fc 52 6a00 56 }
            // n = 6, score = 100
            //   8bff                 | mov                 edi, edi
            //   8b30                 | mov                 esi, dword ptr [eax]
            //   8d55fc               | lea                 edx, dword ptr [ebp - 4]
            //   52                   | push                edx
            //   6a00                 | push                0
            //   56                   | push                esi

        $sequence_4 = { 83c404 85f6 0f85f6010000 8b4df0 8d45d0 50 8b45f4 }
            // n = 7, score = 100
            //   83c404               | add                 esp, 4
            //   85f6                 | test                esi, esi
            //   0f85f6010000         | jne                 0x1fc
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   8d45d0               | lea                 eax, dword ptr [ebp - 0x30]
            //   50                   | push                eax
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]

        $sequence_5 = { 41 4e 75f7 8b5df4 83c728 85d2 }
            // n = 6, score = 100
            //   41                   | inc                 ecx
            //   4e                   | dec                 esi
            //   75f7                 | jne                 0xfffffff9
            //   8b5df4               | mov                 ebx, dword ptr [ebp - 0xc]
            //   83c728               | add                 edi, 0x28
            //   85d2                 | test                edx, edx

        $sequence_6 = { b9???????? 8d85e4feffff 8d4900 8a10 3a11 751a 84d2 }
            // n = 7, score = 100
            //   b9????????           |                     
            //   8d85e4feffff         | lea                 eax, dword ptr [ebp - 0x11c]
            //   8d4900               | lea                 ecx, dword ptr [ecx]
            //   8a10                 | mov                 dl, byte ptr [eax]
            //   3a11                 | cmp                 dl, byte ptr [ecx]
            //   751a                 | jne                 0x1c
            //   84d2                 | test                dl, dl

        $sequence_7 = { 8bec 83ec0c 53 56 c745fc00000000 85ff 0f84c1000000 }
            // n = 7, score = 100
            //   8bec                 | mov                 ebp, esp
            //   83ec0c               | sub                 esp, 0xc
            //   53                   | push                ebx
            //   56                   | push                esi
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   85ff                 | test                edi, edi
            //   0f84c1000000         | je                  0xc7

        $sequence_8 = { 6a00 6880000008 6a03 6a00 6a00 68000000c0 57 }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   6880000008           | push                0x8000080
            //   6a03                 | push                3
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   68000000c0           | push                0xc0000000
            //   57                   | push                edi

        $sequence_9 = { 0fb6530c 885704 0fb6430d 884705 0fb64b0e }
            // n = 5, score = 100
            //   0fb6530c             | movzx               edx, byte ptr [ebx + 0xc]
            //   885704               | mov                 byte ptr [edi + 4], dl
            //   0fb6430d             | movzx               eax, byte ptr [ebx + 0xd]
            //   884705               | mov                 byte ptr [edi + 5], al
            //   0fb64b0e             | movzx               ecx, byte ptr [ebx + 0xe]

    condition:
        7 of them and filesize < 372736
}
Download all Yara Rules