{
	"id": "832b1023-1d1d-43bb-9466-861d784f6679",
	"created_at": "2026-04-06T00:19:05.084103Z",
	"updated_at": "2026-04-10T13:11:38.18648Z",
	"deleted_at": null,
	"sha1_hash": "594f08f4d2e8a7057b4a7696cbe5823a2fbe2d40",
	"title": "RansomEXX",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 442753,
	"plain_text": "RansomEXX\r\nArchived: 2026-04-05 19:38:54 UTC\r\nRansomEXX Ransomware: In-Depth Analysis, Detection, and Mitigation\r\nWhat is RansomEXX Ransomware?\r\nRansomEXX (aka Defray, Defray777), a multi-pronged extortion threat, has been observed in the wild since late\r\n2020. RansomEXX is associated with attacks against the Texas Department of Transportation, Groupe Atlantic,\r\nand several other large enterprises. There are Windows and Linux variants of this malware family, and they are\r\nknown for their limited and exclusive targeting.\r\nWhat Does RansomEXX Ransomware Target?\r\nRansomEXX ransomware is known to target large enterprises and high-value targets. They have also been known\r\nto focus on those in the government and healthcare sectors as well as high-value manufacturing entities.\r\nHow Does RansomEXX Ransomware Work?\r\nRansomEXX ransomware targets its victims through phishing and spear phishing emails. They are also known to\r\nleverage exposed and vulnerable applications and services such as remote desktop protocol (RDP) and third-party\r\nframeworks (e.g., Vatet Loader, Metasploit, Cobalt Strike).\r\nRansomEXX Ransomware Technical Details\r\nhttps://www.sentinelone.com/anthology/ransomexx/\r\nPage 1 of 5\n\nSpecific victim details are often hardcoded into the malware samples, adding a ‘personal touch’ to the ransom\r\nnotes and peripheral artifacts. Victim files (local) are encrypted via AES (ECB Mode). The key itself is embedded\r\ninto the payloads and is encrypted via RSA-4096. 
Operators have also been known to rely on additional\r\nmalicious tools including PyXie RAT, Trickbot, and Vatet Loader.\r\nHow to Detect RansomEXX Ransomware\r\nThe SentinelOne Singularity XDR Platform detects and prevents malicious behaviors and artifacts associated with\r\nRansomEXX ransomware.\r\nIf you do not have SentinelOne deployed, here are a few ways you can identify RansomEXX ransomware in your\r\nnetwork:\r\nSecurity Tools\r\nUse anti-malware software or other security tools capable of detecting and blocking known ransomware variants.\r\nThese tools may use signatures, heuristics, or machine learning algorithms to identify and block suspicious files\r\nor activities.\r\nNetwork Traffic\r\nMonitor network traffic and look for indicators of compromise, such as unusual network traffic patterns or\r\ncommunication with known command-and-control servers.\r\nSecurity Audits\r\nConduct regular security audits and assessments to identify network and system vulnerabilities and ensure that all\r\nsecurity controls are in place and functioning properly.\r\nEducation \u0026 Training\r\nEducate and train employees on cybersecurity best practices, including identifying and reporting suspicious emails\r\nor other threats.\r\nBackup \u0026 Recovery Plan\r\nImplement a robust backup and recovery plan to ensure that the organization has a copy of its data and can restore\r\nit in case of an attack.\r\nHow to Mitigate RansomEXX Ransomware\r\nSentinelOne Singularity XDR Platform prevents RansomEXX ransomware infections. In case of an infection, the\r\nSentinelOne Singularity XDR Platform detects and prevents malicious behaviors and artifacts associated with\r\nRansomEXX ransomware.\r\nSentinelOne customers are protected from RansomEXX ransomware without any need to update or take action. 
In\r\ncases where the policy was set to Detect Only and a device became infected, remove the infection by using\r\nSentinelOne’s unique rollback capability. As the accompanying video shows, the rollback will revert any\r\nmalicious impact on the device and restore encrypted files to their original state.\r\nIn case you do not have SentinelOne deployed, there are several steps that organizations can take to mitigate the\r\nrisk of RansomEXX ransomware attacks:\r\nEducate employees\r\nEmployees should be educated on the risks of ransomware, and how to identify and avoid phishing emails,\r\nmalicious attachments, and other threats. They should be encouraged to report suspicious emails or attachments,\r\nand to avoid opening them, or clicking on links or buttons in them.\r\nImplement strong passwords\r\nOrganizations should implement strong, unique passwords for all user accounts, and should regularly update and\r\nrotate these passwords. Passwords should be at least 8 characters long and should include a combination of\r\nuppercase and lowercase letters, numbers, and special characters.\r\nEnable multi-factor authentication\r\nOrganizations should enable multi-factor authentication (MFA) for all user accounts, to provide an additional layer\r\nof security. This can be done through the use of mobile apps, such as Google Authenticator or Microsoft\r\nAuthenticator, or the use of physical tokens or smart cards.\r\nUpdate and patch systems\r\nOrganizations should regularly update and patch their systems, to fix any known vulnerabilities, and to prevent\r\nattackers from exploiting them. 
This includes updating the operating system, applications, and firmware on all\r\ndevices, as well as disabling any unnecessary or unused services or protocols.\r\nImplement backup and disaster recovery\r\nOrganizations should implement regular backup and disaster recovery (BDR) processes, to ensure that they can\r\nrecover from ransomware attacks or other disasters. This includes creating regular backups of all data and systems\r\nand storing these backups in a secure, offsite location. The backups should be tested regularly to ensure that they\r\nare working and that they can be restored quickly and easily.\r\nRansomEXX Ransomware FAQs\r\nWhat is RansomEXX Ransomware?\r\nRansomEXX is a notorious ransomware strain that launches cyberattacks around the world. The ransomware\r\nstrain can steal credit card and bank account details and compromise customers’ databases. It can also breach\r\nsystems by using malicious code across gateways and exploiting hardware component vulnerabilities.\r\nWho is behind RansomEXX Ransomware?\r\nIt is said that the founding members of the RansomEXX gang are behind the RansomEXX ransomware. But some\r\nspeculations and rumors say nobody knows who created it. Some security experts believe it’s linked to a\r\nprofessional cybercriminal group. These hackers stay hidden by using encrypted communication channels and\r\ndemanding ransom payments in cryptocurrency.\r\nHow does RansomEXX Ransomware spread?\r\nMany unpatched devices, privileged access permissions, and payload executables can be exploited. The hacker\r\ngroup can also mine data and lurk in networks. RansomEXX spreads as a multi-stage human-operated targeted\r\nattack. 
After the initial compromise affects the targeted network, it’s delivered as a secondary payload.\r\nWhich operating systems are targeted by RansomEXX Ransomware?\r\nIt can turn off multiple security products across infected machines but mainly attacks Windows systems. Linux\r\nsystems are also impacted, and this strain can also take the form of file-less ransomware, which makes it difficult\r\nto detect.\r\nIs RansomEXX Ransomware still active in 2025?\r\nYes. As of 2025, RansomEXX is still active and evolving. Hackers are updating it to avoid security defenses, and\r\nit is still a lingering threat. Security experts caution that it still targets businesses, government networks, and\r\ncritical infrastructure.\r\nWhat types of files does RansomEXX Ransomware encrypt?\r\nRansomEXX encrypts all kinds of files, from documents and spreadsheets to images and videos. It encrypts\r\nanything that could be worth money, prompting victims to pay. It encrypts individual files, entire databases, and\r\nserver files, rendering recovery more complex.\r\nWhat encryption algorithms does RansomEXX Ransomware use?\r\nRansomEXX typically uses AES and RSA encryption. AES encrypts files, and RSA encrypts the decryption key\r\nso that, in effect, it is impossible to decrypt files unless you pay the attackers. You can prepare for this by keeping\r\nbackups securely offline, and even if RansomEXX does encrypt your files, you will at least have a way to restore\r\nthem without paying a ransom.\r\nWhat security best practices help prevent RansomEXX Ransomware infections?\r\nWatch out for emails—phishing is among the primary methods ransomware propagates. Update your system so\r\nhackers cannot exploit outdated security loopholes. Lock down accounts using multi-factor authentication. Back\r\nup data offline where ransomware cannot access it. 
You can also install security software that watches for\r\nsuspicious activity, which can detect and halt attacks before they cause much harm.\r\nCan endpoint detection and response (EDR) solutions stop RansomEXX Ransomware?\r\nYes. Endpoint protection solutions like SentinelOne Singularity XDR Platform can identify and stop any\r\nmalicious activities and items related to RansomEXX ransomware.\r\nSource: https://www.sentinelone.com/anthology/ransomexx/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/anthology/ransomexx/"
	],
	"report_names": [
		"ransomexx"
	],
	"threat_actors": [
		{
			"id": "dcba8e2b-93e0-4d6e-a15f-5c44faebc3b1",
			"created_at": "2022-10-25T16:07:23.816991Z",
			"updated_at": "2026-04-10T02:00:04.758143Z",
			"deleted_at": null,
			"main_name": "Lurk",
			"aliases": [],
			"source_name": "ETDA:Lurk",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434745,
	"ts_updated_at": 1775826698,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/594f08f4d2e8a7057b4a7696cbe5823a2fbe2d40.pdf",
		"text": "https://archive.orkl.eu/594f08f4d2e8a7057b4a7696cbe5823a2fbe2d40.txt",
		"img": "https://archive.orkl.eu/594f08f4d2e8a7057b4a7696cbe5823a2fbe2d40.jpg"
	}
}