Ransomware profile: RansomExx

RansomExx is a human-operated ransomware that prevents users from accessing infected systems and threatens to publish stolen data unless a ransom is paid. It has been involved in a number of attacks on major corporations and government agencies since it was first observed in 2018. RansomExx is notable for being one of the few ransomware groups that targets both Windows and Linux environments.  

What is RansomExx? 

RansomExx, sometimes referred to as Defray777 and Ransom X, is a ransomware variant that encrypts files and demands a large sum of cryptocurrency for their decryption.  

As with many other contemporary ransomware families, RansomExx incidents typically involve a data theft component. Prior to encryption, data on compromised systems is exfiltrated to attacker-controlled servers and used as additional leverage to coerce victims into paying the ransom. Failure to pay the ransom results in the stolen data being published on RansomExx’s leak site.  

The history of RansomExx 

RansomExx first emerged in 2018 under the name “Defray”. The group remained relatively unknown for the first few years before shooting to infamy in mid-2020 following a spate of attacks on high-profile organizations, including the Texas Department of Transportation. Around this time, the ransomware operation was rebranded as RansomExx.  

RansomExx initially targeted only Windows systems. However, in July 2020, a new Linux variant of RansomExx was observed. Despite sharing many similarities with the original Windows variant, the Linux variant was not as sophisticated as its predecessor; it lacked command and control communication, anti-analysis techniques and the ability to terminate running processes (e.g. security software).  

In December 2020, RansomExx launched a dark web leak site where the group publishes the stolen data of victims who refuse to pay the ransom.  

Since RansomExx was first discovered, there have been 346 submissions to ID Ransomware, an online tool that helps the victims of ransomware identify which ransomware has encrypted their files. We estimate that only 25 percent of victims make a submission to ID Ransomware, which means there may have been a total of 1,384 RansomExx incidents since the ransomware’s inception.

RansomExx ransom note  

After the encryption process is complete, RansomExx drops a ransom note called in all infected directories. The note states that the victim’s files have been encrypted and provides instructions on how to communicate with the attackers. The note also offers to decrypt one encrypted file for free to prove the legitimacy of the attacker-provided decryptor.  

Below is a sample RansomExx ransom note:

Greetings, [Victim company]! 

  

Read this message CAREFULLY and contact someone from IT department. 

Your files are securely ENCRYPTED. 

No third party decryption software EXISTS. 

MODIFICATION or RENAMING encrypted files may cause decryption failure. 

  

You can send us an encrypted file (not greater than 400KB) and we will decrypt it FOR FREE, 

so you have no doubts in possibility to restore all files from all affected systems ANY TIME. 

Encrypted file SHOULD NOT contain sensitive information (technical, backups, databases, large documents). 

The rest of data will be available after the PAYMENT. 

Infrastructure rebuild will cost you MUCH more. 

 

Contact us ONLY if you officially represent the whole affected network. 

The ONLY attachments we accept are non archived encrypted files for test decryption. 

Speak ENGLISH when contacting us. 

  

Mail us: [REDACTED]@protonmail.com 

We kindly ask you not to use GMAIL, YAHOO or LIVE to contact us. 

The PRICE depends on how quickly you do it. 

Who does RansomExx target? 

RansomExx targets large organizations with the resources and motivation to pay large ransom demands, including enterprises and government agencies. RansomExx is one of a handful of ransomware strains that targets Linux-based systems as well as Windows systems. RansomExx is a global concern and has impacted organizations in North America, South America, Asia, Europe and Oceania.  

How does RansomExx spread? 

RansomExx attacks begin by breaching the target system, usually via compromised remote desktop protocol, phishing campaigns, exploiting known vulnerabilities or stolen credentials. After compromising the system, attackers will move laterally through the network, using a variety of post-compromise tools such as Pyxie, Cobalt Strike and Vatet to gain a stronger foothold. Data is exfiltrated to attacker-controlled servers before the ransomware executable is deployed. 

RansomExx is usually delivered as fileless malware. It is reflectively loaded and executed in memory without ever touching the hard drive, which can make it harder for security solutions to detect. Encrypted files are appended with a unique extension based on the name of the impacted organization.  

As RansomExx attacks are manually operated and highly targeted, the exact anatomy of an attack can vary from incident to incident.  

Major RansomExx attacks 

• Texas Department of Transportation: In May 2020, the Texas Department of Transportation was hit with RansomExx, disrupting several services and the agency’s website. In a statement, the agency announced that immediate action had been taken to isolate the incident and that the FBI was investigating the matter.  
• Konica Minolta: In July 2020, a RansomExx infection resulted in almost a week of service disruption at Konica Minolta, a Japanese technology manufacturing company with more than 40,000 employees. During this period, customers were unable to access the company’s support site and some Konica Minolta printers displayed a “Service Notification Failed” error.  
• Embraer: Embraer, one of the world’s largest airplane manufacturers, fell victim to a RansomExx attack in November 2020. Embraer refused to negotiate with the threat actors, which resulted in hundreds of megabytes of stolen data being released on RansomExx’s leak site, including employee information, business contacts, photos of flight simulations and source code.  
• Gigabyte: In August 2021, Taiwanese computer hardware manufacturer Gigabyte suffered a RansomExx attack. Some parts of the Gigabyte website went down during the incident, but the company’s production systems were reportedly unaffected. Attackers threatened to publish 112 GB of stolen data unless the company agreed to their ransom demands.  

How to protect the network from RansomExx and other ransomware   

The following practices may help organizations reduce the risk of a RansomExx incident.

• Cybersecurity awareness training: Because the majority of ransomware spreads through user-initiated actions, organizations should implement training initiatives that focus on teaching end users the fundamentals of cybersecurity. Ransomware and propagation methods are constantly evolving, so training must be an ongoing process to ensure end users are across current threats.   
• Credential hygiene: Practicing good credential hygiene can help prevent brute force attacks, mitigate the effects of credential theft and reduce the risk of unauthorized network access.   
• Multi-factor authentication: MFA provides an extra layer of security that can help prevent unauthorized access to accounts, tools, systems and data repositories. Organizations should consider enabling MFA wherever possible.      
• Security patches: Organizations of all sizes should have a robust patch management strategy that ensures security updates on all endpoints, servers, and appliances are applied as soon as possible to minimize the window of opportunity for an attack.      
• Backups: Backups are one of the most effective ways of mitigating the effects of a ransomware incident. Many strains of ransomware can spread laterally across the network and encrypt locally stored backups, so organizations should use a mixture of media storage, and store backup copies both on- and off-site. See this guide for more information on creating ransomware-proof backups.   
• System hardening: Hardening networks, servers, operating systems and applications is crucial for reducing attack surface and managing potential security vulnerabilities. Disabling unneeded and potentially exploitable services such as PowerShell, RDP, Windows Script Host, Microsoft Office macros, etc. reduces the risk of initial infection, while implementing the principle of least privilege can help prevent lateral movement.   
• Block macros: Many ransomware families are delivered via macro-embedded Microsoft Office or PDF documents. Organizations should review their use of macros, consider blocking all macros from the Internet, and only allow vetted and approved macros to execute from trusted locations.     
• Email authentication: Organizations can use a variety of email authentication techniques such as Sender Policy Framework, DomainKeys Identified Mail, and Domain-Based Message Authentication, Reporting and Conformance to detect email spoofing and identify suspicious messages.     
• Network segregation: Effective network segregation helps contain incidents, prevents the spread of malware and reduces disruption to the wider business.    
• Network monitoring: Organizations of all sizes must have systems in place to monitor possible data exfiltration channels and respond immediately to suspicious activity.   
• Penetration testing: Penetration testing can be useful for revealing vulnerabilities in IT infrastructure and employees’ susceptibility to ransomware. Results of the test can be used to allocate IT resources and inform future cybersecurity decisions.     
• Incident response plan: Organizations should have a comprehensive incident response plan in place that details exactly what to do in the event of infection. A swift response can help prevent malware from spreading, minimize disruption and ensure the incident is remediated as efficiently as possible.     

How to remove RansomExx and other ransomware     

RansomExx uses encryption methods that currently make it impossible to decrypt data without paying for an attacker-supplied decryption tool. 

Victims of RansomExx should be prepared to restore their systems from backups, using processes that should be defined in the organization’s incident response plan. The following actions are recommended:

• Take action to contain the threat.     
• Determine the extent of the infection.     
• Identify the source of the infection.      
• Collect evidence.     
• Restore the system from backups.     
• Ensure all devices on the network are clean.      
• Perform a comprehensive forensic analysis to determine the attack vector, the scope of the incident and the extent of data exfiltration.     
• Identify and strengthen vulnerabilities to reduce the risk of a repeat incident.