{
	"id": "4448ad98-d3fe-4085-8506-c9845dc4433b",
	"created_at": "2026-04-06T00:08:43.276426Z",
	"updated_at": "2026-04-10T03:21:41.58618Z",
	"deleted_at": null,
	"sha1_hash": "11f17392dd2e2783e97da517edf0f800083199dc",
	"title": "When Threat Actors Fly Under the Radar: Vatet, PyXie and Defray777",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 278153,
	"plain_text": "When Threat Actors Fly Under the Radar: Vatet, PyXie and Defray777\r\nBy Ryan Tracey, Drew Schmitt\r\nPublished: 2020-11-07 · Archived: 2026-04-05 19:45:24 UTC\r\nLast, but Not Least: Defray777\r\nDefray777 is an elusive family of ransomware also known as Ransom X and RansomExx. Although it has recently been covered in the news as a new family, it has been in use since at least 2018 and is responsible for a number of high-profile ransomware incidents -- as detailed in the articles we linked to.\r\nDefray777 runs entirely in memory, which is why there have been so few publicly discussed samples to date. In several recent incidents, Defray777 was loaded into memory and executed by Cobalt Strike, which was delivered by the Vatet loader.\r\nDuring our research, we discovered multiple decryptors for this ransomware family, going back as early as 2018. Reviewing decryptors from 2018 until present shows that there has been consistency in the ransomware’s encryption and decryption methodology, as well as the use of Themida for packing their decryptors. Table 10 shows a list of Defray777 decryptors discovered in AutoFocus, with a list of organizations that suffered ransomware attacks. This shows that Defray777 has been consistently active since 2018.\r\nDate Victim\r\n12/7/2018 Education Organization\r\n2/4/2019 Healthcare Organization\r\n3/1/2019 Technology Organization\r\n3/15/2019 Education Organization\r\n8/8/2019 Healthcare Organization\r\n8/25/2019 Education Organization\r\n8/28/2019 Transportation and Logistics Organization\r\n9/3/2019 Legal Organization\r\n9/6/2019 Education Organization\r\n9/26/2019 Healthcare Organization\r\n10/30/2019 Government Organization\r\n11/1/2019 Healthcare Organization\r\n2/4/2020 Technology Organization\r\n2/10/2020 Government Organization\r\n3/16/2020 Food Organization\r\n10/17/2020 Finance Organization\r\nTable 10. Defray777 ransomware attacks listed by date and victim.\r\nhttps://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3\r\nPage 1 of 7\r\nFigure 21. Defray777 decryptor.\r\nWe have examined several recent Defray777 samples, including one sample that was obtained directly from memory during a recent incident. Our in-depth analysis resulted in the findings outlined below.\r\nDecrypted Strings\r\nThe string decryption process is the same as we saw with PyXie. The following strings were decrypted from a recent Defray777 sample:\r\nAlready active [%s]\r\n+%u (%u) files done [%s] [%u KB/s]\r\nStarted (PID: %u; Workers: %u; AES-%s) [%s]\r\nComplete (+%u (%u) files done) [%s]\r\nWork time: %d:%02d:%02d\r\nUnable to get computer name\r\nCryptoGuard\r\nkernel32.dll\r\nConvertStringSecurityDescriptorToSecurityDescriptorW\r\nadvapi32.dll\r\nIsWow64Process\r\nSystemDrive\r\nKiUserExceptionDispatcher\r\nTable 11. Defray777 encrypted strings.\r\nPrioritizing Defray777 on the Impacted System\r\nWhile deep diving on a recovered Defray777 sample, we found that Defray777 exhibits the following notable characteristics regarding the prioritization of threads and processes:\r\nDuring execution, the ransomware uses SetProcessPriorityBoost to prioritize the threads of the Defray777 process.\r\nDefray777 additionally focuses on creating and prioritizing threads for encryption by calling SetThreadAffinityMask and SetThreadPriorityBoost.\r\nDefray777 uses multithreading to improve ransomware performance.\r\nFigure 22. Prioritization of Defray777 threads during execution.\r\nKilling “Undesirable” Processes\r\nAs part of the execution workflow, Defray777 creates threads that will be responsible for the killing of processes that the threat actors deem to be “undesirable.” The execution continues by getting a listing of processes using CreateToolhelp32Snapshot before iterating through all active processes (with the exception of itself) and killing all “undesirable” processes. Defray777 specifically targets processes that can be opened with the desired access of SYNCHRONIZE | PROCESS_QUERY_INFORMATION | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD.\r\nDefray777 excludes all processes that contain the system file path in their full image path. Additionally, the ransomware will exclude the following processes from being killed during execution:\r\npowershell.exe\r\nrundll32.exe\r\nwefault.exe\r\nexplorer.exe\r\nvmnat.exe\r\nTable 12. Excluded processes.\r\nStopping System Services\r\nDuring execution, Defray777 stops the following services from running:\r\nAcronis VSS Provider MSExchangeADTopology MSSQLSERVER SQLAgent$PRA\r\nAcronisAgent MSExchangeAntispamUpdate MSSQLServerADHelper SQLAgent$PR\r\nAcronixAgent MSExchangeEdgeSync MSSQLServerADHelper100 SQLAgent$PR\r\nAcrSch2Svc MSExchangeES MSSQLServerOLAPService SQLAgent$SB\r\nAntivirus MSExchangeFBA MySQL57 SQLAgent$SH\r\nARSM MSExchangeFDS MySQL80 SQLAgent$SO\r\nAVP MSExchangeIS NetMsmqActivator SQLAgent$SQ\r\nBackupExecAgentAccelerator MSExchangeMailboxAssistants nginx SQLAgent$SQ\r\nBackupExecAgentBrowser MSExchangeMailboxReplication ntrtscan SQLAgent$SY\r\nBackupExecDeviceMediaService MSExchangeMailSubmission OracleClientCache80 SQLAgent$TPS\r\nBackupExecJobEngine MSExchangeMGMT OracleServiceXE SQLAgent$TPS\r\nBackupExecManagementService MSExchangeMTA OracleXETNSListener SQLAgent$VE\r\nBackupExecRPCService MSExchangeProtectedServiceHost PDVFSService SQLAgent$VE\r\nBackupExecVSSProvider MSExchangeRepl POP3Svc SQLBrowser\r\nbedbg MSExchangeRPC ReportServer SQLsafe Backu\r\nDbxSvc MSExchangeSA ReportServer$SQL_2008 SQLsafe Filter\r\nDCAgent MSExchangeSearch ReportServer$SYSTEM_BGC SQLSafeOLRS\r\nEhttpSrv MSExchangeServiceHost ReportServer$TPS SQLSERVERA\r\nekrn MSExchangeSRS ReportServer$TPSAMA SQLTELEMET\r\nEnterprise Client Service MSExchangeThrottling RESvc SQLTELEMET\r\nEPSecurityService MSExchangeTransport sacsvr SQLWriter\r\nEPUpdateService MSExchangeTransportLogSearch SamSs SstpSvc\r\nEraserSvc11710 msftesql$PROD SAVAdminService svcGenericHos\r\nEsgShKernel MSOLAP$SQL_2008 SAVService swi_filter\r\nESHASRV MSOLAP$SYSTEM_BGC SDRSVC swi_service\r\nFA_Scheduler MSOLAP$TPS SepMasterService swi_update\r\nIISAdmin MSOLAP$TPSAMA ShMonitor swi_update_64\r\nIMAP4Svc MSSQL$BKUPEXEC Smcinst Symantec Syste\r\nKAVFS MSSQL$ECWDB2 SmcService TmCCSF\r\nKAVFSGT MSSQL$PRACTICEMGT SMTPSvc tmlisten\r\nkavfsslp MSSQL$PRACTTICEBGC SNAC TrueKey\r\nklnagent MSSQL$PROD SntpService TrueKeySchedu\r\nmacmnsvc MSSQL$PROFXENGAGEMENT Sophos Agent TrueKeyServic\r\nmasvc MSSQL$SBSMONITORING Sophos AutoUpdate Service UI0Detect\r\nMBAMService MSSQL$SHAREPOINT Sophos Clean Service Veeam Backup\r\nMBEndpointAgent MSSQL$SOPHOS Sophos Device Control Service VeeamBackupS\r\nMcAfeeEngineService MSSQL$SQL_2008 Sophos File Scanner Service VeeamBrokerSv\r\nMcAfeeFramework MSSQL$SQLEXPRESS Sophos Health Service VeeamCatalogS\r\nMcAfeeFrameworkMcAfeeFramework MSSQL$SYSTEM_BGC Sophos MCS Agent VeeamCloudSv\r\nMcShield MSSQL$TPS Sophos MCS Client VeeamDeploym\r\nMcTaskManager MSSQL$TPSAMA Sophos Message Router VeeamDeployS\r\nmfefire MSSQL$VEEAMSQL2008R2 Sophos Safestore Service VeeamEnterpris\r\nmfemms MSSQL$VEEAMSQL2012 Sophos System Protection Service VeeamHvIntegr\r\nmfevtp MSSQLFDLauncher Sophos Web Control Service VeeamMountSv\r\nMMS MSSQLFDLauncher$PROFXENGAGEMENT sophossps VeeamNFSSvc\r\nMongoDB MSSQLFDLauncher$SBSMONITORING SQL Backups VeeamRESTSv\r\nmozyprobackup MSSQLFDLauncher$SHAREPOINT SQLAgent$BKUPEXEC VeeamTranspor\r\nMsDtsServer MSSQLFDLauncher$SQL_2008 SQLAgent$CITRIX_METAFRAME W3Svc\r\nMsDtsServer100 MSSQLFDLauncher$SYSTEM_BGC SQLAgent$CXDB wbengine\r\nMsDtsServer110 MSSQLFDLauncher$TPS SQLAgent$ECWDB2 WRSVC\r\nMSExchangeAB MSSQLFDLauncher$TPSAMA SQLAgent$PRACTTICEBGC Zoolz 2 Service\r\nTable 13. Services stopped by Defray777.\r\nFile Encryption\r\nBased on a recent Defray777 sample recovered from memory, the ransomware will get a listing of all logical drives on the system using a call to GetLogicalDriveStringsW before iterating through each drive to encrypt files using the following process:\r\nTo begin, Defray777 checks whether the processor feature PF_XMMI64_INSTRUCTIONS_AVAILABLE is present on the impacted system.\r\nIf enabled, Defray777 knows that SSE2 is supported and more complex mathematical operations are possible.\r\nDefray777 will also determine if the processor is capable of using AES-NI for improved encryption performance.\r\nAs encryption begins, a ransom note will be created in each directory where files will be encrypted.\r\nThe name of the ransom note will vary. However, from our research, the ransom notes most commonly contain a combination of exclamation points, the string “README,” and a reference to the victim name.\r\nExample: !!!_IMPACTED_Client_README_!!!.txt\r\nThe file contents will be encrypted using an on-the-fly generated AES key that gets encrypted with RSA-4096 and stored in the file footer in a 512-byte block.\r\nThe encrypted file will be renamed by appending an extension that consists of a unique victim identifier and a randomized eight-digit hexadecimal number.\r\nExample: .v1ct1m-1bc461ac\r\nFigure 23. Recent example of a Defray777 ransom note.\r\nSpecifically, the encryption mechanism consists of the following steps:\r\nDynamically generate a 32-byte AES key.\r\nEncrypt the file with AES-256 in ECB mode using 16-byte blocks.\r\nEncrypt the AES key with RSA-4096 and append the 0x200-byte ciphertext to the end of the encrypted file.\r\nEncryption Exclusions\r\nDuring the encryption process, Defray777 aims to encrypt as many files as possible without impacting the system’s core functionality. To accomplish this, Defray777 uses a set of excluded folders, files and file extensions that will not be encrypted during execution.\r\nExcluded Folders:\r\n\\windows\\system32\\ \\windows\\syswow64\\ \\windows\\system\\\r\n\\windows\\winsxs\\ \\appdata\\roaming\\ \\appdata\\local\\\r\n\\appdata\\locallow\\ \\all users\\microsoft\\ \\inetpub\\logs\\\r\n:\\boot\\ :\\perflogs\\ :\\programdata\\\r\n:\\drivers\\ :\\wsus\\ :\\efstmpwp\\\r\n:\\$recycle.bin\\ :\\EFSTMPWP\\ crypt_detect\r\ncryptolocker ransomware\r\nTable 14. Folders excluded from encryption by Defray777.\r\nExcluded files:\r\niconcache.db thumbs.db ransomware ransom\r\ndebug.txt boot.ini desktop.ini autorun.inf\r\nntuser.dat ntldr ntdetect.com bootfont.bin\r\nbootsect.bak\r\nTable 15. Files excluded from encryption by Defray777.\r\nIt is also important to note that Defray777 adds the name of the ransom note into the excluded files list.\r\nExcluded extensions:\r\n.ani .cab .cpl .cur .diagcab\r\n.diagpkg .dll .drv .hlp .icl\r\n.icns .ico .iso .ics .lnk\r\n.idx .mod .mpa .msc .msp\r\n.msstyles .msu .nomedia .ocx .prf\r\n.rtp .scr .shs .spl .sys\r\n.theme .themepack .exe .bat .cmd\r\n.url .mui\r\nTable 16. Extensions excluded from encryption by Defray777.\r\nSearching for Unmapped File Shares\r\nDuring execution, Defray777 uses WNetOpenEnumW and WNetEnumResourceW to search for file shares that may contain files that could be encrypted. This tactic has been seen amongst other ransomware variants in the wild to encrypt files that are accessible via unmapped file shares.\r\nFigure 24. Defray777 enumerating network resources.\r\nAnti-Forensic Measures\r\nAfter all files are encrypted on the system, Defray777, like many other ransomware variants, implements common anti-forensics measures to remove as much evidence of the intrusion as possible and make it extremely difficult for the system to be recovered without a backup. Although these commands are common amongst other ransomware variants, Defray777 runs commands post-encryption, which means that when security tools alert or take action against Defray777, the files have already been encrypted.\r\nCommands executed by Defray777:\r\ncipher.exe /w:[DRIVE]\r\nfsutil.exe usn deletejournal /D [DRIVE]\r\nwbadmin.exe delete catalog -quiet\r\nbcdedit.exe /set {default} recoveryenabled no\r\nbcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nschtasks.exe /Change /TN \"\\Microsoft\\Windows\\SystemRestore\\SR\" /disable\r\nwevtutil.exe cl Application\r\nwevtutil.exe cl System\r\nwevtutil.exe cl Setup\r\nwevtutil.exe cl Security\r\nwevtutil.exe sl Security /e:false\r\nTable 17. Anti-forensic commands executed by Defray777.\r\nRegistry keys modified:\r\n\\Software\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableConfig\r\n\\Software\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableSR\r\n\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableSR\r\n\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableConfig\r\nTable 18. Registry Keys Modified by Defray777.\r\nDefray777’s Port to Linux\r\nDuring the course of our research, we found that Defray777 ransomware has been ported over to Linux. Before Defray777, ransomware that impacted both Windows and Linux operating systems was limited to being written in Java or scripting languages such as Python. These ransomware variants would be considered cross-functional since they were written in a single language that must be installed and supported by both operating systems. Defray777’s port to Linux ensures that the ransomware has standalone executables for each platform with no external dependencies.\r\nA ZIP archive was uploaded to a public malware repository on Oct. 17, 2020 that contained a Windows executable that was identified as a Defray777 decryptor. Additionally included in this ZIP archive was an ELF binary named decryptor64. Analysis of this binary determined it to be another Defray777 decryptor that had been ported to Linux.\r\nArmed with the idea that there may be Linux versions of Defray777 in the wild, we began hunting in AutoFocus and quickly uncovered an ELF version of the ransomware encryptor.\r\nReviewing this sample further indicated that it was uploaded in August 2020. As of early October 2020, there appear to be zero detections by antivirus (AV) in VirusTotal for the Linux version of Defray777.\r\nA deeper review of the Linux and Windows variants of Defray777 determined that the encryption and decryption processes used were nearly identical. In fact, by generating our own RSA key pair and modifying the binaries, we were able to confirm that the encryptors and decryptors for both operating systems were interchangeable.\r\nUnlike the Windows versions, the developers didn’t seem to put any effort into protecting the Linux samples. To our surprise, the binaries we analyzed still had their symbols intact, which made reversing them quite a bit easier.\r\nFigure 25. Named functions listing from ELF version of Defray777.\r\nOne of the biggest differences between the Windows and Linux variants is the logic that determines which files to encrypt. The Windows version will recurse the file system and encrypt anything that isn’t explicitly excluded. In contrast, the Linux variant will only encrypt directories specified in a command line argument.\r\nContinue reading: Linking Vatet, PyXie and Defray777\r\nSource: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3"
	],
	"report_names": [
		"3"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434123,
	"ts_updated_at": 1775791301,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/11f17392dd2e2783e97da517edf0f800083199dc.pdf",
		"text": "https://archive.orkl.eu/11f17392dd2e2783e97da517edf0f800083199dc.txt",
		"img": "https://archive.orkl.eu/11f17392dd2e2783e97da517edf0f800083199dc.jpg"
	}
}