{
	"id": "7995c33e-5f0a-4572-9573-4217c07c8eab",
	"created_at": "2026-04-06T00:15:45.511579Z",
	"updated_at": "2026-04-10T03:21:32.679715Z",
	"deleted_at": null,
	"sha1_hash": "720d10add17f7115553d04b017553f60395b6054",
	"title": "Cybereason vs. RansomEXX Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1446471,
	"plain_text": "Cybereason vs. RansomEXX Ransomware\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 17:12:58 UTC\r\nOver the last few months, the Cybereason Nocturnus Team has been tracking the activity around the RansomEXX ransomware. It has been active since 2018, but came to fame in 2020 in attacks on major organizations such as the Texas Department of Transportation. RansomEXX started as a Windows variant, but a Linux variant was discovered earlier this year.\r\nKey Findings\r\nHuman-operated targeted attacks: RansomEXX is used as part of multi-staged, human-operated attacks targeting various government-related entities and tech companies. It is delivered as a secondary payload after the initial compromise of the targeted network.\r\nDisables security products: The Windows variant has functionality seen before in other ransomware, disabling various security products so that encryption runs unhindered on the infected machine.\r\nMulti-Platform: RansomEXX started solely as a Windows variant, but a Linux variant was later added to the arsenal, sharing similarities with its predecessor.\r\nFileless ransomware: RansomEXX is usually delivered as a secondary in-memory payload without ever touching the disk, which makes it harder to detect.\r\nDetected and prevented: The Cybereason Defense Platform fully detects and prevents the RansomEXX ransomware.\r\nhttps://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware\r\nPage 1 of 9\n\nBackground\r\nThe RansomEXX family, also known as Defray777 and Ransom X, runs solely as an in-memory payload that is never dropped to disk, making it highly evasive. RansomEXX was involved in three major attacks in 2020: against the Texas Department of Transportation (TxDOT) in May, against Konica Minolta at the end of July, and against Brazil's court system at the beginning of November. 
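Because the payload itself never touches disk, the most robust detection opportunity on the Windows side is the post-encryption sequence of built-in utilities (fsutil, wbadmin, wevtutil, bcdedit, cipher and schtasks) that the analysis below catalogues. The following Python script is an added example written by the editor, not code from Cybereason or from this post: it classifies process-creation command lines against those commands and raises one alert when several distinct signatures fire under the same parent process inside a short window, which is what separates the ransomware burst from a lone administrator clearing a log. The event fields (host, parent_pid, ts, cmdline), the signature names, the five-minute window and the threshold of three distinct signatures are the editor's assumptions, and the events at the bottom are constructed, not real telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

DQ, BS = chr(34), chr(92)   # double quote and backslash, built with chr() so no literal needs escaping

# Recovery-inhibition and log-tampering commands catalogued in the post, keyed by the
# Windows utility that runs them. Each entry: (signature name, required argument tokens).
# A required token ending in ':' matches as a prefix (cipher /w:C:), one starting with '*'
# matches as a substring (the SystemRestore task path). MITRE technique IDs in the
# comments are the editor's mapping, not the post's.
SIGNATURES = {
    'fsutil.exe':   [('usn_journal_delete',     ('usn', 'deletejournal'))],              # T1070
    'wbadmin.exe':  [('backup_catalog_delete',  ('delete', 'catalog'))],                 # T1490
    'wevtutil.exe': [('eventlog_clear',         ('cl',)),                                # T1070.001
                     ('security_log_disable',   ('sl', 'security', '/e:false'))],        # T1562.002
    'bcdedit.exe':  [('boot_recovery_disable',  ('/set', '{default}', 'recoveryenabled', 'no')),            # T1490
                     ('boot_recovery_disable',  ('/set', '{default}', 'bootstatuspolicy', 'ignoreallfailures'))],
    'cipher.exe':   [('free_space_wipe',        ('/w:',))],                              # anti-forensic wipe
    'schtasks.exe': [('system_restore_disable', ('/change', '/tn', '*systemrestore' + BS + 'sr', '/disable'))],  # T1490
}

# A double-quoted run, or a run of non-space characters: Windows command-line tokens.
TOKEN_RE = re.compile(DQ + '[^' + DQ + ']*' + DQ + '|\\S+')


def normalise(command_line):
    # Split a Windows command line into (image basename, lower-cased argument tokens)
    # so that the full path and quoting seen in telemetry do not matter.
    tokens = [t.strip(DQ) for t in TOKEN_RE.findall(command_line)]
    if not tokens:
        return '', []
    image = tokens[0].replace('/', BS).rsplit(BS, 1)[-1].lower()
    return image, [t.lower() for t in tokens[1:]]


def token_matches(required, args):
    if required.endswith(':'):
        return any(a.startswith(required) for a in args)
    if required.startswith('*'):
        return any(required[1:] in a for a in args)
    return required in args


def classify(command_line):
    # Signature names a single command line triggers (usually none or one).
    image, args = normalise(command_line)
    return [name for name, required in SIGNATURES.get(image, [])
            if all(token_matches(r, args) for r in required)]


def correlate(events, window=timedelta(minutes=5), min_distinct=3):
    # Group hits by (host, parent pid) and alert when several distinct signatures fire
    # inside one window: a lone 'wevtutil cl Application' stays a hit, the burst from
    # one parent process becomes an alert.
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e['ts']):
        for sig in classify(ev['cmdline']):
            hits[(ev['host'], ev['parent_pid'])].append((datetime.fromisoformat(ev['ts']), sig, ev['cmdline']))
    alerts = []
    for (host, ppid), seq in hits.items():
        for i, (start, _, _) in enumerate(seq):
            burst = [h for h in seq[i:] if h[0] - start <= window]
            names = {h[1] for h in burst}
            if len(names) >= min_distinct:
                alerts.append({'host': host, 'parent_pid': ppid, 'first_seen': start.isoformat(),
                               'signatures': sorted(names), 'commands': [h[2] for h in burst]})
                break   # one alert per parent process
    return alerts


SYS32 = 'C:' + BS + 'Windows' + BS + 'System32' + BS


def _cmd(exe, args):
    return DQ + SYS32 + exe + DQ + ' ' + args


# Constructed process-creation events (not real telemetry). WS01 replays the post's
# post-encryption command sequence under one parent; WS02 shows benign admin use.
SAMPLE_EVENTS = [
    {'host': 'WS01', 'parent_pid': 4120, 'ts': '2024-01-15T10:00:01', 'cmdline': _cmd('fsutil.exe', 'usn deletejournal /D C:')},
    {'host': 'WS01', 'parent_pid': 4120, 'ts': '2024-01-15T10:00:02', 'cmdline': _cmd('wbadmin.exe', 'delete catalog -quiet')},
    {'host': 'WS01', 'parent_pid': 4120, 'ts': '2024-01-15T10:00:03', 'cmdline': _cmd('wevtutil.exe', 'cl Setup')},
    {'host': 'WS01', 'parent_pid': 4120, 'ts': '2024-01-15T10:00:03', 'cmdline': _cmd('wevtutil.exe', 'cl System')},
    {'host': 'WS01', 'parent_pid': 4120, 'ts': '2024-01-15T10:00:04', 'cmdline': _cmd('wevtutil.exe', 'cl Application')},
    {'host': 'WS01', 'parent_pid': 4120, 'ts': '2024-01-15T10:00:04', 'cmdline': _cmd('wevtutil.exe', 'cl Security')},
    {'host': 'WS01', 'parent_pid': 4120, 'ts': '2024-01-15T10:00:05', 'cmdline': _cmd('bcdedit.exe', '/set {default} bootstatuspolicy ignoreallfailures')},
    {'host': 'WS01', 'parent_pid': 4120, 'ts': '2024-01-15T10:00:05', 'cmdline': _cmd('bcdedit.exe', '/set {default} recoveryenabled no')},
    {'host': 'WS01', 'parent_pid': 4120, 'ts': '2024-01-15T10:00:06', 'cmdline': _cmd('cipher.exe', '/w:C:')},
    {'host': 'WS01', 'parent_pid': 4120, 'ts': '2024-01-15T10:00:07', 'cmdline': _cmd('schtasks.exe', '/Change /TN ' + DQ + BS + 'Microsoft' + BS + 'Windows' + BS + 'SystemRestore' + BS + 'SR' + DQ + ' /disable')},
    {'host': 'WS01', 'parent_pid': 4120, 'ts': '2024-01-15T10:00:08', 'cmdline': _cmd('wevtutil.exe', 'sl Security /e:false')},
    {'host': 'WS02', 'parent_pid': 900,  'ts': '2024-01-15T11:30:00', 'cmdline': _cmd('wevtutil.exe', 'qe Application /c:5')},
    {'host': 'WS02', 'parent_pid': 900,  'ts': '2024-01-15T11:31:00', 'cmdline': _cmd('cipher.exe', '/e D:' + BS + 'docs')},
    {'host': 'WS02', 'parent_pid': 900,  'ts': '2024-01-15T11:32:00', 'cmdline': _cmd('wevtutil.exe', 'cl Application')},
]

if __name__ == '__main__':
    for alert in correlate(SAMPLE_EVENTS):
        print(alert['host'], alert['parent_pid'], alert['first_seen'], alert['signatures'])
```

Run directly, the script prints one alert for the constructed WS01 burst with all seven signatures; the single wevtutil cl Application on WS02 remains a hit without becoming an alert. Sysmon Event ID 1 or Windows 4688 records mapped onto the same four fields can be fed to correlate() unchanged. Matching on the utility basename plus normalised arguments is deliberate: every one of these binaries is a legitimate, signed Windows tool, so the executable name alone carries no signal.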
\r\nIn addition, last December RansomEXX operators published stolen credentials from Embraer, one of the largest aircraft makers in the world, on their own leak website as part of the ongoing double extortion trend.\r\nIn mid 2020, a Linux variant of RansomEXX emerged. Despite sharing similarities with the Windows variant, it is simpler than its predecessor and lacks many features, such as disabling security software and command and control communication. There are decryptors for both variants, and the threat actors send paying victims a private key to decrypt their files.\r\nRansomEXX Analysis\r\nThis analysis focuses on the Windows variant of RansomEXX, which can be classified as fileless malware because it is reflectively loaded and executed in memory without touching the disk. Analysis of this sample reveals that it is partially obfuscated but includes indicative information such as the “ransom.exx” string that can be seen hard-coded in the binary:\r\nransom.exx string hardcoded in the binary\r\nUpon execution, RansomEXX starts decrypting some strings necessary for its operation:\r\nRansomEXX’s string decryption routine\r\nThe mutex the malware creates is generated from the GUID of the infected machine:\r\nThe GUID generated on the infected machine\r\nThe decrypted strings at this point are mainly log messages:\r\nDecrypted logging string\r\nRansomEXX spawns a separate thread in the background to handle logging. When debugging the sample, the log messages can be seen in the console:\r\nLogging as seen in the command line\r\nThe malware then terminates processes and system services that may interfere with encryption, while excluding those it needs for its own execution:\r\nSome of the terminated services as well as processes 
excluded from termination\r\nCybereason detects the execution of RansomEXX together with the commands listed below, which are executed post-encryption. Their role is to prevent the victim from restoring the system: deleting backups, disabling Windows error recovery, clearing event logs and so on. Cybereason also detects this malicious usage of built-in Windows utilities:\r\nRansomEXX’s attack tree as seen in the Cybereason Defense Platform\r\nThe commands depicted above are as follows:\r\nCommand: \"C:\\Windows\\System32\\fsutil.exe\" usn deletejournal /D C:\r\nAction: fsutil deletes the NTFS Update Sequence Number (USN) change journal on drive C\r\nCommand: \"C:\\Windows\\System32\\wbadmin.exe\" delete catalog -quiet\r\nAction: wbadmin deletes the Windows Backup catalog\r\nCommands: \"C:\\Windows\\System32\\wevtutil.exe\" cl Setup\r\n\"C:\\Windows\\System32\\wevtutil.exe\" cl System\r\n\"C:\\Windows\\System32\\wevtutil.exe\" cl Application\r\n\"C:\\Windows\\System32\\wevtutil.exe\" cl Security\r\nAction: wevtutil clears the Setup, System, Application and Security event logs\r\nCommands: \"C:\\Windows\\System32\\bcdedit.exe\" /set {default} bootstatuspolicy ignoreallfailures\r\n\"C:\\Windows\\System32\\bcdedit.exe\" /set {default} recoveryenabled no\r\nAction: bcdedit disables automatic startup repair (the Windows Recovery Environment) for the default boot entry and tells Windows to ignore boot failures instead of prompting for recovery\r\nCommand: \"C:\\Windows\\System32\\cipher.exe\" /w:C:\r\nAction: cipher /w overwrites the free space on drive C so that the contents of deleted files cannot be recovered\r\nCommand: \"C:\\Windows\\System32\\schtasks.exe\" /Change /TN \"\\Microsoft\\Windows\\SystemRestore\\SR\" /disable\r\nAction: schtasks disables the System Restore scheduled task\r\nCommand: \"C:\\Windows\\System32\\wevtutil.exe\" sl Security /e:false\r\nAction: wevtutil disables the Security event log\r\nAll of these are legitimate, signed Windows binaries, so detection has to key on the arguments and on the burst of several such commands from one parent process rather than on the executables themselves.\r\nAfter preparing the environment, RansomEXX encrypts the files on the victim’s machine and leaves the following note:\r\nThe ransom note left on the victim’s machine\r\nThe commands that disable file recovery and system restore run after successfully encrypting 
the victim’s files, and can also be observed clearly in the sample’s code:\r\nPart of the post-encryption commands in RansomEXX’s code\r\nCybereason Detection and Prevention\r\nCybereason detects the Windows utilities that are executed post-encryption as malicious and triggers a Malop(™) for each of them:\r\nDetection of the ransomware and malicious uses of Windows utilities by the Cybereason Defense Platform\r\nLooking at the Malop that was triggered by fsutil, the evidence of malicious activity can be seen together with the suspicions mapped to the MITRE ATT\u0026CK matrix:\r\nSuspicions and evidence triggered by fsutil\r\nWhen Cybereason anti-ransomware prevention is turned on, the execution of RansomEXX is prevented by the AI module:\r\nExecution prevention of RansomEXX by the Cybereason Defense Platform\r\nSecurity Recommendations\r\n• Enable the Anti-Ransomware Feature on Cybereason NGAV: Set Cybereason Anti-Ransomware protection mode to Prevent - more information for customers can be found here\r\n• Enable the Anti-Malware Feature on Cybereason NGAV: Set Cybereason Anti-Malware mode to Prevent and set the detection mode to Moderate or above - more information can be found here\r\n• Keep Systems Fully Patched: Make sure your systems are patched in order to mitigate vulnerabilities\r\n• Regularly Back Up Files to a Remote Server: Restoring your files from a backup is the fastest way to regain access to your data; keep the copies where a compromised host cannot delete them, since the commands above remove the local backup catalog\r\n• Use Security Solutions: Protect your environment using organizational firewalls, proxies, web filtering, and mail filtering\r\n• Indicators of Compromise: Includes C2 domains, IP addresses, SHA-1 hashes of Docx files, and Msi files. 
Open the chatbot on the lower right-hand side of this blog to download your copy.\r\nMITRE ATT\u0026CK BREAKDOWN\r\nDefense Evasion\r\n• Impair Defenses: Disable or Modify Tools\r\n• Obfuscated Files or Information\r\n• Indicator Removal on Host: File Deletion\r\nImpact\r\n• Data Encrypted for Impact\r\n• Inhibit System Recovery\r\nExecution\r\n• Command and Scripting Interpreter: Windows Command Shell\r\n• Command and Scripting Interpreter: Unix Shell\r\n• Scheduled Task/Job\r\nDiscovery\r\n• System Information Discovery\r\n• File and Directory Discovery\r\n• Software Discovery: Security Software Discovery\r\n• Process Discovery\r\nPrivilege Escalation\r\n• Process Injection\r\nDaniel Frank\r\nDaniel Frank is a senior Malware Researcher at Cybereason. Prior to Cybereason, Frank was a Malware Researcher at F5 Networks and RSA Security. His core roles as a Malware Researcher include researching emerging threats, reverse-engineering malware and developing security-driven code. Frank has a BSc degree in information systems.\r\nSource: https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware"
	],
	"report_names": [
		"cybereason-vs.-ransomexx-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434545,
	"ts_updated_at": 1775791292,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/720d10add17f7115553d04b017553f60395b6054.pdf",
		"text": "https://archive.orkl.eu/720d10add17f7115553d04b017553f60395b6054.txt",
		"img": "https://archive.orkl.eu/720d10add17f7115553d04b017553f60395b6054.jpg"
	}
}