win.ransomexx

RansomEXX

aka: Ransom X, Defray777

RansomEXX is a ransomware family that has targeted multiple companies since mid-2020. It shares commonalities with Defray777.

References
2020-11-06 — Kaspersky Labs — Fedor Sinitsyn, Vladimir Kuskov
@online{sinitsyn:20201106:ransomexx:3ca495c, author = {Fedor Sinitsyn and Vladimir Kuskov}, title = {{RansomEXX Trojan attacks Linux systems}}, date = {2020-11-06}, organization = {Kaspersky Labs}, url = {https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/}, language = {English}, urldate = {2020-11-09} } RansomEXX Trojan attacks Linux systems
RansomEXX RansomEXX
2020-11-06 — Palo Alto Networks Unit 42 — Ryan Tracey, Drew Schmitt, CRYPSIS
@online{tracey:20201106:indicators:1ec9384, author = {Ryan Tracey and Drew Schmitt and CRYPSIS}, title = {{Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777}}, date = {2020-11-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/}, language = {English}, urldate = {2020-11-12} } Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777
Cobalt Strike PyXie RansomEXX
2020-11-06 — Palo Alto Networks Unit 42 — Ryan Tracey, Drew Schmitt, CRYPSIS
@online{tracey:20201106:last:11cf9f2, author = {Ryan Tracey and Drew Schmitt and CRYPSIS}, title = {{Last, but Not Least: Defray777}}, date = {2020-11-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3}, language = {English}, urldate = {2020-11-12} } Last, but Not Least: Defray777
PyXie RansomEXX
2020-11-06 — Palo Alto Networks Unit 42 — Ryan Tracey, Drew Schmitt, CRYPSIS
@online{tracey:20201106:when:8e743b9, author = {Ryan Tracey and Drew Schmitt and CRYPSIS}, title = {{When Threat Actors Fly Under the Radar: Vatet, PyXie and Defray777}}, date = {2020-11-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/}, language = {English}, urldate = {2020-11-12} } When Threat Actors Fly Under the Radar: Vatet, PyXie and Defray777
PyXie RansomEXX
2020-11-06 — Palo Alto Networks Unit 42 — Ryan Tracey, Drew Schmitt, CRYPSIS
@online{tracey:20201106:linking:152fbf2, author = {Ryan Tracey and Drew Schmitt and CRYPSIS}, title = {{Linking Vatet, PyXie and Defray777}}, date = {2020-11-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4}, language = {English}, urldate = {2020-11-12} } Linking Vatet, PyXie and Defray777
PyXie RansomEXX
2020-11-05 — Bleeping Computer — Sergiu Gatlan
@online{gatlan:20201105:brazils:f1f0810, author = {Sergiu Gatlan}, title = {{Brazil's court system under massive RansomExx ransomware attack}}, date = {2020-11-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/}, language = {English}, urldate = {2020-11-09} } Brazil's court system under massive RansomExx ransomware attack
RansomEXX
2020-06-26 — BleepingComputer — Lawrence Abrams
@online{abrams:20200626:new:d6e2d17, author = {Lawrence Abrams}, title = {{New Ransom X Ransomware used in Texas TxDOT cyberattack}}, date = {2020-06-26}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/}, language = {English}, urldate = {2020-07-11} } New Ransom X Ransomware used in Texas TxDOT cyberattack
RansomEXX
2020-06-26 — Github (Bleeping) — Lawrence Abrams
@online{abrams:20200626:ransom:9e453cd, author = {Lawrence Abrams}, title = {{Ransom .exx notes}}, date = {2020-06-26}, organization = {Github (Bleeping)}, url = {https://github.com/Bleeping/Ransom.exx}, language = {English}, urldate = {2020-07-11} } Ransom .exx notes
RansomEXX
2020-06-17 — Andrew Ivanov
@online{ivanov:20200617:ransomexx:ab0e087, author = {Andrew Ivanov}, title = {{RansomEXX Ransomware}}, date = {2020-06-17}, url = {https://id-ransomware.blogspot.com/2020/06/ransomexx-ransomware.html}, language = {Russian}, urldate = {2020-07-08} } RansomEXX Ransomware
RansomEXX
Yara Rules
[TLP:WHITE] win_ransomexx_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_ransomexx_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomexx"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes on applying this rule
     *  - Every string is an x86 (32-bit) opcode sequence lifted from unpacked
     *    code, so the rule is meant for unpacked samples and memory dumps; a
     *    packed or encrypted file on disk will not expose these bytes.
     *  - The "??" bytes are wildcards for call/jump targets and data
     *    references (cf. tool_config "callsandjumps;datarefs"), which differ
     *    between builds and relocations; they are not literal bytes.
     *  - $sequence_0, _5, _6, _7 and _9 are pure register/stack arithmetic
     *    (xor/add/and/or/rotate) with no API reference. NOTE(review): the
     *    0x5a827999 constant next to a "ror eax, 2" in $sequence_6 looks like
     *    a hash-round routine (that value is a well-known SHA-1 round
     *    constant) - confirm against the sample. If so, unrelated binaries
     *    that statically link a similar hash implementation could match
     *    several of these; the "7 of them" threshold below limits but does
     *    not eliminate that, so treat a hit as a lead to verify, not as
     *    proof.
     */

    strings:
        // xor/add of stack locals, then a 12-bit left rotate (hash-round-like).
        $sequence_0 = { 8945e0 8b45fc 3345f4 3345f0 0345d8 0345a0 c1c00c }
            // n = 7, score = 100
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   3345f4               | xor                 eax, dword ptr [ebp - 0xc]
            //   3345f0               | xor                 eax, dword ptr [ebp - 0x10]
            //   0345d8               | add                 eax, dword ptr [ebp - 0x28]
            //   0345a0               | add                 eax, dword ptr [ebp - 0x60]
            //   c1c00c               | rol                 eax, 0xc

        // Result check, then a two-argument call (masked immediate + stack
        // buffer address at esp+0x1c4, stack cleaned with add esp, 8).
        $sequence_1 = { 85c0 0f855c010000 8d9424c4010000 68???????? 52 e8???????? 83c408 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   0f855c010000         | jne                 0x162
            //   8d9424c4010000       | lea                 edx, [esp + 0x1c4]
            //   68????????           |                     
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8

        // Walks a dword array at [ebp + esi*4 - 0x3c] until a zero entry
        // (backward jne), then pushes edi and makes an indirect call through
        // a masked pointer (ff15 = call dword ptr [imm32]).
        $sequence_2 = { 8b44b5c4 46 85c0 75ef 57 ff15???????? 85c0 }
            // n = 7, score = 100
            //   8b44b5c4             | mov                 eax, dword ptr [ebp + esi*4 - 0x3c]
            //   46                   | inc                 esi
            //   85c0                 | test                eax, eax
            //   75ef                 | jne                 0xfffffff1
            //   57                   | push                edi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        // Function prologue-style setup: loads the third stack argument
        // ([ebp + 0x10]), reads its second dword, and zeroes edx/esi/ebx.
        $sequence_3 = { 8b4d10 8b5104 8955fc 33d2 33f6 33db }
            // n = 6, score = 100
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   8b5104               | mov                 edx, dword ptr [ecx + 4]
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   33d2                 | xor                 edx, edx
            //   33f6                 | xor                 esi, esi
            //   33db                 | xor                 ebx, ebx

        // Byte-wise serialization of a 32-bit value: bits 16-23 go to
        // [eax + 2] and bits 24-31 to [eax + 3], then the next dword is loaded.
        $sequence_4 = { 8bd1 c1ea10 c1e918 885002 884803 8b4df8 8bd1 }
            // n = 7, score = 100
            //   8bd1                 | mov                 edx, ecx
            //   c1ea10               | shr                 edx, 0x10
            //   c1e918               | shr                 ecx, 0x18
            //   885002               | mov                 byte ptr [eax + 2], dl
            //   884803               | mov                 byte ptr [eax + 3], cl
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   8bd1                 | mov                 edx, ecx

        // or/and/or register mixing followed by an add; presumably a boolean
        // mixing step of a hash round - unconfirmed.
        $sequence_5 = { 0bd9 23da 23f9 0bdf 8b7ddc 03de 8bf7 }
            // n = 7, score = 100
            //   0bd9                 | or                  ebx, ecx
            //   23da                 | and                 ebx, edx
            //   23f9                 | and                 edi, ecx
            //   0bdf                 | or                  ebx, edi
            //   8b7ddc               | mov                 edi, dword ptr [ebp - 0x24]
            //   03de                 | add                 ebx, esi
            //   8bf7                 | mov                 esi, edi

        // Adds the constant 0x5a827999 via lea and rotates eax right by 2;
        // NOTE(review): consistent with a SHA-1 round (0x5a827999 is the
        // round-0..19 constant, ror 2 == rol 30) - confirm against the sample.
        $sequence_6 = { 037db4 03c7 8b7df8 8dbc079979825a 8b45f0 c1c802 33d8 }
            // n = 7, score = 100
            //   037db4               | add                 edi, dword ptr [ebp - 0x4c]
            //   03c7                 | add                 eax, edi
            //   8b7df8               | mov                 edi, dword ptr [ebp - 8]
            //   8dbc079979825a       | lea                 edi, [edi + eax + 0x5a827999]
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   c1c802               | ror                 eax, 2
            //   33d8                 | xor                 ebx, eax

        // xor/or/and chain over stack locals (same arithmetic family as
        // $sequence_0 and $sequence_9).
        $sequence_7 = { 8b55e4 33d0 3355d0 8bdf 0b5df8 3355bc 235df0 }
            // n = 7, score = 100
            //   8b55e4               | mov                 edx, dword ptr [ebp - 0x1c]
            //   33d0                 | xor                 edx, eax
            //   3355d0               | xor                 edx, dword ptr [ebp - 0x30]
            //   8bdf                 | mov                 ebx, edi
            //   0b5df8               | or                  ebx, dword ptr [ebp - 8]
            //   3355bc               | xor                 edx, dword ptr [ebp - 0x44]
            //   235df0               | and                 ebx, dword ptr [ebp - 0x10]

        // Null check on ecx, then a local is multiplied by four (two add
        // eax, eax) and pushed if non-zero.
        $sequence_8 = { 85c9 7424 8b45e4 03c0 03c0 740e 50 }
            // n = 7, score = 100
            //   85c9                 | test                ecx, ecx
            //   7424                 | je                  0x26
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   03c0                 | add                 eax, eax
            //   03c0                 | add                 eax, eax
            //   740e                 | je                  0x10
            //   50                   | push                eax

        // add/rotate-left (0xe, 0xa) arithmetic with a stack spill
        // (hash-round-like, see $sequence_0).
        $sequence_9 = { 0345e8 03c2 c1c00e 0345e4 8945fc 8bc3 c1c00a }
            // n = 7, score = 100
            //   0345e8               | add                 eax, dword ptr [ebp - 0x18]
            //   03c2                 | add                 eax, edx
            //   c1c00e               | rol                 eax, 0xe
            //   0345e4               | add                 eax, dword ptr [ebp - 0x1c]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8bc3                 | mov                 eax, ebx
            //   c1c00a               | rol                 eax, 0xa

    condition:
        // At least 7 of the 10 sequences must be present, and the scanned
        // object must be smaller than 372736 bytes (0x5b000). The size bound
        // is sized for the documented (single) unpacked sample; a larger
        // build or a dump that embeds extra data will fall outside it, and
        // filesize only refers to a scanned file, so review this bound
        // before applying the rule to anything other than files.
        7 of them and filesize < 372736
}