win.ransomexx

RansomEXX

aka: Ransom X, Defray777

Actor(s): GOLD DUPONT


RansomExx is a ransomware family that targeted multiple companies starting in mid-2020. It shares commonalities with Defray777.

References
Date | Source | Author(s)
  Title
  Tags: families and actors referenced

2022-11-30 | SentinelOne | SentinelOne
  RansomEXX Ransomware: In-Depth Analysis, Detection, and Mitigation
  Tags: RansomEXX RansomEXX

2022-05-17 | Trend Micro | Trend Micro Research
  Ransomware Spotlight: RansomEXX
  Tags: LaZagne Cobalt Strike IcedID MimiKatz PyXie RansomEXX TrickBot

2021-11-01 | FBI | FBI
  PIN Number 20211101-001: Ransomware Actors Use Significant Financial Events and Stock Valuation to Facilitate Targeting and Extortion of Victims
  Tags: DarkSide RansomEXX DarkSide PyXie RansomEXX

2021-09-30 | Medium proferosec-osm | Brenton Morris
  RansomEXX, Fixing Corrupted Ransom
  Tags: RansomEXX

2021-08-05 | KrebsOnSecurity | Brian Krebs
  Ransomware Gangs and the Name Game Distraction
  Tags: DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet

2021-08-03 | Bleeping Computer | Lawrence Abrams
  Ransomware attack hits Italy's Lazio region, affects COVID-19 site
  Tags: LockBit RansomEXX

2021-07-17 | BleepingComputer | Lawrence Abrams
  Ecuador's state-run CNT telco hit by RansomEXX ransomware
  Tags: RansomEXX RansomEXX

2021-05-10 | DarkTracer | DarkTracer
  Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
  Tags: RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX

2021-05-06 | Cyborg Security | Brandon Denker
  Ransomware: Hunting for Inhibiting System Backup or Recovery
  Tags: Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX

2021-03-17 | Palo Alto Networks Unit 42 | Unit42
  Ransomware Threat Report 2021
  Tags: RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker

2021-03-09 | Youtube (SANS Digital Forensics and Incident Response) | Eric Loui, Sergei Frankoff
  Jackpotting ESXi Servers For Maximum Encryption | Eric Loui & Sergei Frankoff | SANS CTI Summit 2021
  Tags: DarkSide RansomEXX DarkSide RansomEXX GOLD DUPONT

2021-03-01 | Group-IB | Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev
  Ransomware Uncovered 2020/2021
  Tags: RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader

2021-02-26 | CrowdStrike | Eric Loui, Sergei Frankoff
  Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
  Tags: DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil

2021-02-23 | CrowdStrike | CrowdStrike
  2021 Global Threat Report
  Tags: RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2021-02-02 | CRONUP | Germán Fernández
  De ataque con Malware a incidente de Ransomware (From a malware attack to a ransomware incident)
  Tags: Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader

2021-01-26 | Cybereason | Daniel Frank
  Cybereason vs. RansomEXX Ransomware
  Tags: RansomEXX RansomEXX

2021-01-06 | Trend Micro | Leandro Froes
  Expanding Range and Improving Speed: A RansomExx Approach
  Tags: RansomEXX

2021-01-01 | CrowdStrike | Eric Loui, Sergei Frankoff
  Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
  Tags: DarkSide RansomEXX DarkSide RansomEXX GOLD DUPONT

2020-12-09 | Cisco | Caitlin Huey, David Liebenberg
  Quarterly Report: Incident Response trends from Fall 2020
  Tags: Cobalt Strike IcedID Maze RansomEXX Ryuk

2020-11-06 | Palo Alto Networks Unit 42 | CRYPSIS, Drew Schmitt, Ryan Tracey
  Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777
  Tags: Cobalt Strike PyXie RansomEXX

2020-11-06 | Palo Alto Networks Unit 42 | CRYPSIS, Drew Schmitt, Ryan Tracey
  Last, but Not Least: Defray777
  Tags: PyXie RansomEXX

2020-11-06 | Palo Alto Networks Unit 42 | CRYPSIS, Drew Schmitt, Ryan Tracey
  When Threat Actors Fly Under the Radar: Vatet, PyXie and Defray777
  Tags: PyXie RansomEXX

2020-11-06 | Palo Alto Networks Unit 42 | CRYPSIS, Drew Schmitt, Ryan Tracey
  Linking Vatet, PyXie and Defray777
  Tags: PyXie RansomEXX

2020-11-06 | Kaspersky Labs | Fedor Sinitsyn, Vladimir Kuskov
  RansomEXX Trojan attacks Linux systems
  Tags: RansomEXX RansomEXX

2020-11-05 | Bleeping Computer | Sergiu Gatlan
  Brazil's court system under massive RansomExx ransomware attack
  Tags: RansomEXX

2020-06-26 | Github (Bleeping) | Lawrence Abrams
  Ransom .exx notes
  Tags: RansomEXX

2020-06-26 | BleepingComputer | Lawrence Abrams
  New Ransom X Ransomware used in Texas TxDOT cyberattack
  Tags: RansomEXX

2020-06-17 | Andrew Ivanov
  RansomEXX Ransomware
  Tags: RansomEXX
Yara Rules
[TLP:WHITE] win_ransomexx_auto (20241030 | Detects win.ransomexx.)
rule win_ransomexx_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.ransomexx."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomexx"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 897708 8d7b50 3bfe 7439 8b4f08 3bce }
            // n = 6, score = 100
            //   897708               | mov                 dword ptr [edi + 8], esi
            //   8d7b50               | lea                 edi, [ebx + 0x50]
            //   3bfe                 | cmp                 edi, esi
            //   7439                 | je                  0x3b
            //   8b4f08               | mov                 ecx, dword ptr [edi + 8]
            //   3bce                 | cmp                 ecx, esi

        $sequence_1 = { 3bc1 744b 8d542420 52 }
            // n = 4, score = 100
            //   3bc1                 | cmp                 eax, ecx
            //   744b                 | je                  0x4d
            //   8d542420             | lea                 edx, [esp + 0x20]
            //   52                   | push                edx

        $sequence_2 = { 13542440 894838 8b4c247c 034c242c 89503c 8b942480000000 13542430 }
            // n = 7, score = 100
            //   13542440             | adc                 edx, dword ptr [esp + 0x40]
            //   894838               | mov                 dword ptr [eax + 0x38], ecx
            //   8b4c247c             | mov                 ecx, dword ptr [esp + 0x7c]
            //   034c242c             | add                 ecx, dword ptr [esp + 0x2c]
            //   89503c               | mov                 dword ptr [eax + 0x3c], edx
            //   8b942480000000       | mov                 edx, dword ptr [esp + 0x80]
            //   13542430             | adc                 edx, dword ptr [esp + 0x30]

        $sequence_3 = { 57 8d45e0 e8???????? 8bf8 83c404 3bfb 0f8506020000 }
            // n = 7, score = 100
            //   57                   | push                edi
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   83c404               | add                 esp, 4
            //   3bfb                 | cmp                 edi, ebx
            //   0f8506020000         | jne                 0x20c

        $sequence_4 = { 83c204 c6462400 8955f0 8b5dfc 8ad0 80e27f 029018b44100 }
            // n = 7, score = 100
            //   83c204               | add                 edx, 4
            //   c6462400             | mov                 byte ptr [esi + 0x24], 0
            //   8955f0               | mov                 dword ptr [ebp - 0x10], edx
            //   8b5dfc               | mov                 ebx, dword ptr [ebp - 4]
            //   8ad0                 | mov                 dl, al
            //   80e27f               | and                 dl, 0x7f
            //   029018b44100         | add                 dl, byte ptr [eax + 0x41b418]

        $sequence_5 = { c1ee03 33fe 03df 8b7dfc 039c3db8feffff 8bb43d94feffff 03f3 }
            // n = 7, score = 100
            //   c1ee03               | shr                 esi, 3
            //   33fe                 | xor                 edi, esi
            //   03df                 | add                 ebx, edi
            //   8b7dfc               | mov                 edi, dword ptr [ebp - 4]
            //   039c3db8feffff       | add                 ebx, dword ptr [ebp + edi - 0x148]
            //   8bb43d94feffff       | mov                 esi, dword ptr [ebp + edi - 0x16c]
            //   03f3                 | add                 esi, ebx

        $sequence_6 = { 33f7 8b7d08 83c004 c1e608 8955ec 8945fc c1ef08 }
            // n = 7, score = 100
            //   33f7                 | xor                 esi, edi
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   83c004               | add                 eax, 4
            //   c1e608               | shl                 esi, 8
            //   8955ec               | mov                 dword ptr [ebp - 0x14], edx
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   c1ef08               | shr                 edi, 8

        $sequence_7 = { 89442440 89442444 89442448 e8???????? 83c40c 83bc248800000000 8d842490020000 }
            // n = 7, score = 100
            //   89442440             | mov                 dword ptr [esp + 0x40], eax
            //   89442444             | mov                 dword ptr [esp + 0x44], eax
            //   89442448             | mov                 dword ptr [esp + 0x48], eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   83bc248800000000     | cmp                 dword ptr [esp + 0x88], 0
            //   8d842490020000       | lea                 eax, [esp + 0x290]

        $sequence_8 = { 83c404 85c0 7539 8b55fc 8917 5f }
            // n = 6, score = 100
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax
            //   7539                 | jne                 0x3b
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8917                 | mov                 dword ptr [edi], edx
            //   5f                   | pop                 edi

        $sequence_9 = { 8975dc 3338 8bda 897dec 8bfe c1ef10 81e7ff000000 }
            // n = 7, score = 100
            //   8975dc               | mov                 dword ptr [ebp - 0x24], esi
            //   3338                 | xor                 edi, dword ptr [eax]
            //   8bda                 | mov                 ebx, edx
            //   897dec               | mov                 dword ptr [ebp - 0x14], edi
            //   8bfe                 | mov                 edi, esi
            //   c1ef10               | shr                 edi, 0x10
            //   81e7ff000000         | and                 edi, 0xff

    condition:
        7 of them and filesize < 372736
}