# Expanding Range and Improving Speed: A RansomExx Approach **[trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html](https://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html)** January 6, 2021 Ransomware RansomExx is a ransomware variant responsible for several high-profile attacks in 2020. We take a look at its current techniques which include the use of trojanized software to deliver malicious payloads and an overall short and fast attack. By: Leandro Froes January 06, 2021 Read time: ( words) [RansomExx, a ransomware variant responsible for several high-profile attacks in 2020, has shown signs of](https://www.trendmicro.com/vinfo/tmr/?/us/security/definition/ransomware) further development and unhampered activity. The most recently reported development involves the use of [newer variants adapted for Linux servers that effectively expanded its range to more than Windows servers.](https://www.forbes.com/sites/daveywinder/2020/11/08/new-ransomware-threat-jumps-from-windows-to-linux-what-you-need-to-know/) Own monitoring efforts found RansomExx compromising companies in the United States, Canada, and Brazil, as well as the sustained activity of the Linux variant. This entry details our analysis of a RansomExx campaign that used [IcedID as its initial access vector, Vatet loader as its payload delivery method, and both Pyxie and](https://www.trendmicro.com/vinfo/tmr/?/es/security/news/cybercrime-and-digital-threats/icedid-banking-trojan-targets-us-financial-institutions) Cobalt Strike as post-intrusion tools. This combination of tools took only five hours to deploy the ransomware from its initial access. [RansomExx used to be operated by a threat group, which SecureWorks named GOLD DUPONT, that has](https://www.secureworks.com/research/threat-profiles/gold-dupont) been active since 2018. Based on its most recent attacks, the threat group showed a fast and effective approach to compromising an environment. Malware like Vatet loader, PyXie, Trickbot, and RansomExx, as well as some post-intrusion tools like Cobalt Strike, are typically part of this threat group’s arsenal. This malware is worth looking into as it demonstrates effective techniques frequently observed in ransomware attacks in 2020. These methods include the use of trojanized software to deliver malicious payloads and an overall short and fast attack. **The Investigation** ----- The incident we observed was first flagged as a phishing email with an attached password-protected ZIP file, [which is actually a Word document (detected as Trojan.W97M.SHATHAK.A) with a malicious macro. It shows](https://www.trendmicro.com/vinfo/tmr/?/us/threat-encyclopedia/malware/Trojan.W97M.SHATHAK.A) a message that lures users into enabling macro content: Figure 1. Malicious Word document content By allowing the macro inside the document, it will attempt to download the IcedID trojan (detected as [TrojanSpy.Win32.ICEDID.BP) from a malicious URL. If the download succeeds, the trojan is executed using](https://www.trendmicro.com/vinfo/tmr/?/us/threat-encyclopedia/malware/TrojanSpy.Win32.ICEDID.BP) regsvr32.exe. Figure 2. Code snippet of the macro As a common IcedID approach it used steganography as a method to deliver the payload through a .png file downloaded from a malicious URL. The file is decrypted, and the payload is injected into memory. For persistence, IcedID creates a scheduled task to run hourly, in which it again uses regsvr32.exe to run its malicious DLL: Figure 3. Malicious scheduled task initializing On this incident we observed msiexec.exe being used to inject and deploy the final IcedID payload. With the final payload in place, the attacker was able to load and execute the Cobalt Strike payload, allowing it to communicate with the command and control (C&C) server: ----- Figure 4. Telemetry data of the point-of-entry machine connecting to the C&C Server After establishing a connection to the malicious server, the threat actor started to collect machine information and move laterally. In this entry, we don’t have evidence to show all the approaches the malware used to move laterally, except for one that was through SMB. Figure 5. Some of the information gathered by the attacker from the point of entry machine The artifact used to deliver the other components executed in the environment was a trojanized version of [Notepad++ — Vatet loader (detected as Trojan.Win32.VATET.SM). As described in our previous blog post,](https://www.trendmicro.com/vinfo/tmr/?/us/threat-encyclopedia/malware/Trojan.Win32.VATET.SM) Vatet loader decrypts a file (in our analysis referred to as config.dat) using an XOR-based method. After the XOR operation, it allocates memory, injects the config.dat decrypted code into its own memory, and then executes the payload: ----- Figure 6. Code snippet of Vatet loader routine Vatet loader loads any payload as long as it follows the correct XOR operation based on the file path of config.dat. We identified a different config.dat file being used for different purposes, like information gathering through Pyxie, Lazagne and Mimikatz as well as RansomExx itself for its last attack phase. One key observation was that the config.dat used for information gathering contained an internal IP in the configuration of its payload, specifically in the part pertaining to the address of the server being used to send the gathered information. We have evidence showing that this internal IP was used as an exfiltration point and communicated to the C&C server mentioned earlier. This behavior leads us to think that the entire attack was indeed very fast, with some of the components created in the time of the incident. **Usage of the Linux variant** Correlating the described incident to more recent attacks involving RansomExx, we observed the use of a new Linux variant of RansomExx to compromise Linux servers. We have no information on how the malware was sent to the Linux server, but we observed it aiming for the VMware environment in general, especially machines that serve as storage for the VMware files. We have found three variants of RansomExx for Linux using Trend Micro [Telfhash, and all three samples shared the same behavior. The sample we analyzed from](https://www.trendmicro.com/en/research/20/d/grouping-linux-iot-malware-samples-with-trend-micro-elf-hash.html) these three is a 64-bit ELF executable with all of the cryptographic schemes from an open-source library called mbedtls. The sample is multi-thread and goes straight to encryption. It has no network activities, no anti-analysis techniques, or other activities outside its main agenda. The sample also has some available debug information allowing us to check characteristics like the function names and source code file names: ----- Figure 7. Examples of RansomExx debug information Upon execution, the sample starts calling a function referred to as GeneratePreData, which is responsible for the creation of a 256-bit AES key using both pseudo-random values from native Linux functions and also mbedtls operations. The AES key is encrypted using a hardcoded RSA-4096 public key, with the result written in a global variable. The content of that global variable is going to be appended to each file for future encryption using AES in ECB mode: ----- Figure 8. Hardcoded RSA public key The GeneratePreData function runs in a thread created by the malware on an infinite loop, attempting to generate encryption keys every 0.18 seconds. The thread will continue to run until the end of the malware execution. Figure 9. Code snippet of the Ransomware main function ----- Figure 10. Code snippet of the AES encryption The malware only runs if the user specifies a directory as a command line parameter. The encryption preparation starts in a function referred to as list_dir. The first action performed by the list_dir function makes sure that the argument passed through the command line is a directory. If the check succeeds, the function responsible for the creation of the ransom note is called. If the other files inside the same directory are also directories, then the list_dir function is called again. For regular files, the malware attempts to check if the file has the occurrence of the ransomware extension string to determine if it needs to be encrypted. For every file found inside the directories, the malware adds a task to encrypt the file: ----- Figure 11. Code snippet showing the list_dir() function Figure 12. Code snippet of the ransom note creation function **Security recommendations** Threat actors constantly improve their arsenal and approaches to be more effective. The use of memorybased techniques, legitimate Windows tools, and well-known post-intrusion tools preceding the deployment of the main payload seems to result in a higher chance of success for ransomware operators. For users, preventing attacks from the outset is key to impeding the chance of successful ransomware attacks. The speed and agility that this campaign banked on will not matter in the future if initial access is denied from the start. Learning from this campaign, users should only download files from trusted and legitimate sources to prevent the entry of malicious files into their system. Users should avoid enabling macros, and should be wary of documents that prompt them to do so. ----- In general, more robust security measures can prevent ransomware and other threats from having a strong impact on systems. These include employing least privilege standards and ensuring that systems are up-todate. If legacy systems cannot be avoided, solutions that allow virtual patching can help ensure that legacy systems are nonetheless protected. **Trend Micro Solutions** [Trend Micro Cloud One™– Workload Security has a virtual patching feature that can protect the system](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/cloud-one-workload-security.html) against exploits. Since some of the malware’s techniques can bypass signature-based security agents, technologies like Trend Micro Behavior Monitoring and Machine Learning can be used to prevent and block those threats. [Enterprises can also take advantage of Trend Micro XDRTM, which collects and correlates data across](https://www.trendmicro.com/en_us/business/products/detection-response/xdr.html) endpoints, emails, cloud workloads, and networks, providing better context and enabling investigation in one place. This, in turn, allows teams to respond to similar threats faster and detect advanced and targeted threats earlier. **Indicators of Compromise** **Trend Micro Detection** **Name** **SHA256** **[Ransom.Linux.EXX.YAAK-A](https://www.trendmicro.com/vinfo/%20tmr/?/us/threat-encyclopedia/malware/Ransom.Linux.EXX.YAAK-A)** **[Ransom.Linux.EXX.YAAK-B](https://www.trendmicro.com/vinfo/tmr/?/us/threat-encyclopedia/malware/Ransom.Linux.EXX.YAAK-B)** **[Ransom.Linux.EXX.YAAK-B](https://www.trendmicro.com/vinfo/tmr/?/us/threat-encyclopedia/malware/Ransom.Linux.EXX.YAAK-B)** **[Trojan.W97M.SHATHAK.A](https://www.trendmicro.com/vinfo/tmr/?/us/threat-encyclopedia/malware/Trojan.W97M.SHATHAK.A)** **[TrojanSpy.Win32.ICEDID.BP](https://www.trendmicro.com/vinfo/tmr/?/us/threat-encyclopedia/malware/TrojanSpy.Win32.ICEDID.BP)** **[TrojanSpy.Win32.ICEDID.BP](https://www.trendmicro.com/vinfo/tmr/?/us/threat-encyclopedia/malware/TrojanSpy.Win32.ICEDID.BP)** **[TrojanSpy.Win32.ICEDID.BP](https://www.trendmicro.com/vinfo/tmr/?/us/threat-encyclopedia/malware/TrojanSpy.Win32.ICEDID.BP)** cb408d45762a628872fa782109e8fcfc3a5bf456074b007de21e9331bb3c5849 08113ca015468d6c29af4e4e4754c003dacc194ce4a254e15f38060854f18867 78147d3be7dc8cf7f631de59ab7797679aba167f82655bcae2c1b70f1fafc13d 6fb5af0a4381411ff1d9c9041583069b83a0e94ff454cba6fba60e9cd8c6e648 3c5af2d1412d47be0eda681eebf808155a37f4911f2f2925c4adc5c5824dea98 87e732bdc3a1ed19904985cfc20da6f26fa8c200ec3b2806c0abc7287e1cdab7 884fe75824ad10d800fd85d46b54c8e45c4735db524c247018743eb471190633 -----