
RansomEXX targeting Indian Banks

P Mohanty
August 2, 2024

Why are we talking about RANSOMEXX

RansomEXX targeted a supply chain unit Brontoo Technology Solutions, a key collaborator with C-EDGE, that provides solutions to the Indian Banking Ecosystem, affecting banks and payment providers.

History and Origin:

RansomEXX, initially known as Defray777, emerged in 2018. It gained notoriety after high-profile attacks on government agencies and manufacturers and was rebranded as RansomEXX in 2020. The name “RansomEXX” was derived from the string “ransom.exx” found in its binary.

Targeted Nature:

RansomEXX specifically targets victims, often with their names hardcoded in the binary. It operates as part of the financially motivated cybercriminal group Gold Dupont.

Technical Details and Upgraded Features

  1. RansomEXX is written primarily in C++, a language known for its performance and system-level access capabilities.
  2. RansomEXX has both Windows and Linux variants. Its Linux version, discovered in late 2020, marked the first time a major Windows ransomware variant expanded to Linux, allowing it to target core infrastructure running on Linux.

RansomEXX has undergone several upgrades to enhance its capabilities:

  1. Cross-Platform Compatibility: Initially targeting Windows systems, RansomEXX has developed versions to infect Linux systems, increasing its range of potential targets.
  2. Encryption Methods: The ransomware uses robust encryption algorithms, such as RSA-2048 and AES-256, to ensure files are irreversibly encrypted unless the ransom is paid.
  3. Stealth Techniques: Enhanced evasion techniques, including the use of legitimate system tools and the termination of security-related processes, help RansomEXX avoid detection by traditional antivirus solutions.
  4. Recent Upgrades: The operators recently rewrote RansomEXX in the Rust programming language, following a trend seen in other ransomware gangs.

Threat Operators' Region:

The operators are suspected to be from Eastern Europe, particularly Russia, based on language artifacts and operational patterns.

Targeted Countries

  1. RansomEXX has a global reach, targeting countries across North America, Europe, and Asia [1](https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx).
  2. High-profile victims have included government agencies, healthcare institutions, and large corporations, demonstrating the group's ability to impact critical infrastructure and essential services.

Exploits and Initial Attack Vectors

RansomEXX operators utilize various exploits and techniques to gain initial access to victim networks:

  1. Exploits: Initial access commonly comes through unpatched systems and publicly exposed RDP (Remote Desktop Protocol) services. Known vulnerabilities in VPNs and other remote access solutions are also frequently targeted.
  2. Phishing Campaigns: Phishing emails with malicious attachments or links are a common initial attack vector, tricking users into executing the ransomware payload.
  3. Tools: RansomEXX employs trojanized legitimate tools, including Vatet Loader, PyXie RAT, TrickBot, and Cobalt Strike. These tools enable faster payload deployment while evading detection.

MITRE ATT&CK Framework Techniques Mapping

RansomEXX employs several tactics and techniques as outlined by the MITRE ATT&CK framework:

  1. Initial Access (TA0001):

    • Phishing (T1566): Spear-phishing emails with malicious attachments or links.
    • Exploit Public-Facing Application (T1190): Exploiting vulnerabilities in internet-facing applications and services.
  2. Execution (TA0002):

    • User Execution (T1204): Users inadvertently execute malicious attachments or links.
  3. Persistence (TA0003):

    • Registry Run Keys / Startup Folder (T1547): Modifying registry run keys or startup folders to achieve persistence.
  4. Privilege Escalation (TA0004):

    • Exploitation for Privilege Escalation (T1068): Exploiting system vulnerabilities to gain higher privileges.
  5. Defense Evasion (TA0005):

    • Obfuscated Files or Information (T1027): Using obfuscation techniques to avoid detection.
    • Disabling Security Tools (T1089): Terminating or disabling security software.
  6. Credential Access (TA0006):

    • Credential Dumping (T1003): Extracting credentials from memory, registry, or files.
  7. Discovery (TA0007):

    • Network Service Scanning (T1046): Scanning for open ports and services on the network.
  8. Lateral Movement (TA0008):

    • Remote Services (T1021): Using legitimate remote services like RDP to move laterally within the network.
  9. Impact (TA0040):

    • Data Encrypted for Impact (T1486): Encrypting files to disrupt normal operations and extort ransom payments.
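The mapping above is only useful if it turns into something a SOC can run. The script below is an added example (not part of the original post and not code from the RansomEXX operators or any vendor) that applies simple hunting rules for the listed techniques to a handful of constructed Windows Security and Sysmon events. Field names follow the usual Sysmon/Security export names, but the events themselves, the `.locked` extension, the host names and the watch-list of endpoint-protection process names are all assumptions of the example.

```python
"""Hunting rules for the ATT&CK techniques listed above, run over constructed
Windows Security/Sysmon events.  Added example; the sample events, host names,
file extension and security-process watch-list are assumptions, not page data."""
from collections import Counter, defaultdict

# Constructed sample telemetry: benign events mixed with the behaviours named in
# the MITRE mapping.  Field names mimic Sysmon/Security JSON exports.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4624, "Host": "FS01", "LogonType": 10,
     "IpAddress": "10.20.30.40", "TargetUserName": "svc_backup"},        # RDP logon
    {"Channel": "Security", "EventID": 4624, "Host": "WS07", "LogonType": 2,
     "IpAddress": "-", "TargetUserName": "alice"},                      # console logon (benign)
    {"Channel": "Sysmon", "EventID": 13, "Host": "FS01",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater",
     "Details": r"C:\Users\Public\svc.exe"},                            # Run-key write
    {"Channel": "Sysmon", "EventID": 1, "Host": "FS01",
     "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /F /IM MsMpEng.exe"},                     # AV process killed
    {"Channel": "Sysmon", "EventID": 1, "Host": "WS07",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"Channel": "Sysmon", "EventID": 10, "Host": "FS01",
     "SourceImage": r"C:\Users\Public\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
] + [
    # Burst of file creates by one unknown binary on a file share (constructed).
    {"Channel": "Sysmon", "EventID": 11, "Host": "FS01",
     "Image": r"C:\Users\Public\svc.exe",
     "TargetFilename": rf"C:\shares\finance\report{i}.xlsx.locked"}
    for i in range(6)
]

# Assumed watch-list of endpoint-protection processes; extend for your estate.
SECURITY_PROCESSES = {"msmpeng.exe", "sense.exe", "cylancesvc.exe", "csfalconservice.exe"}
RUN_KEY_MARKER = "\\currentversion\\run\\"
MASS_WRITE_THRESHOLD = 5   # file creates by one process before we flag T1486
KILL_VERBS = ("taskkill", "net stop", "sc stop")


def match_single_event(ev):
    """Return the ATT&CK technique ID a single event maps to, or None."""
    eid, chan = ev.get("EventID"), ev.get("Channel")
    if chan == "Security" and eid == 4624 and ev.get("LogonType") == 10:
        return "T1021"   # RemoteInteractive (RDP) logon: lateral movement
    if chan == "Sysmon" and eid == 13 and RUN_KEY_MARKER in ev.get("TargetObject", "").lower():
        return "T1547"   # Run-key persistence
    if chan == "Sysmon" and eid == 1:
        cmd = ev.get("CommandLine", "").lower()
        if any(p in cmd for p in SECURITY_PROCESSES) and any(v in cmd for v in KILL_VERBS):
            return "T1089"   # security tooling stopped or killed
    if chan == "Sysmon" and eid == 10 and ev.get("TargetImage", "").lower().endswith("lsass.exe"):
        return "T1003"   # handle opened on LSASS: credential dumping attempt
    return None


def match_mass_file_writes(events):
    """Aggregate rule: images that created many files in the sample (T1486)."""
    counts = Counter(ev["Image"] for ev in events
                     if ev.get("Channel") == "Sysmon" and ev.get("EventID") == 11)
    return {img for img, n in counts.items() if n >= MASS_WRITE_THRESHOLD}


def hunt(events):
    """Run every rule and return {technique_id: [affected hosts]}."""
    hits = defaultdict(list)
    for ev in events:
        tid = match_single_event(ev)
        if tid:
            hits[tid].append(ev["Host"])
    for image in match_mass_file_writes(events):
        hosts = {ev["Host"] for ev in events
                 if ev.get("EventID") == 11 and ev.get("Image") == image}
        hits["T1486"].extend(sorted(hosts))
    return dict(hits)


if __name__ == "__main__":
    for tid, hosts in sorted(hunt(SAMPLE_EVENTS).items()):
        print(f"{tid}: {', '.join(hosts)}")
```

Each rule is deliberately narrow so it stays explainable to an analyst; in production the same predicates would be expressed as SIEM or EDR queries, with the aggregate file-write rule windowed over a short time span rather than over a whole sample.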

Countermeasures

Take a threat-driven approach: hunt for the behaviours described above and build strong defensive measures by simulating real attacks.

  1. Proactive monitoring (XDR)
  2. Periodic threat hunting
  3. Red teaming with breach simulations
  4. Periodic attack surface mapping

Conclusion 

Organizations should be vigilant against RansomEXX’s targeted attacks and prepare robust defenses to thwart its malicious activities.
