{
	"id": "384f37bf-7684-4437-bdae-eecfc47541e4",
	"created_at": "2026-04-10T03:20:35.083761Z",
	"updated_at": "2026-04-10T03:22:18.059096Z",
	"deleted_at": null,
	"sha1_hash": "884b505ca23c48bf3d3db4e70c557ed286ad8676",
	"title": "Ransomware Spotlight: RansomEXX",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 339545,
	"plain_text": "Ransomware Spotlight: RansomEXX\r\nArchived: 2026-04-10 03:04:56 UTC\r\nTop affected industries and countries\r\nOur telemetry shows data on RansomEXX activity or attack attempts from March 31, 2021 to March 31, 2022. We observed RansomEXX activity from all over the globe, but the heaviest concentration was in the USA and France, followed by Brazil. The reason behind this observation is the 2021 RansomEXX attack on a major hardware manufacturer in Taiwan.\r\nFigure 1. Countries with the highest number of attack attempts for the RansomEXX ransomware (March 31, 2021 to March 31, 2022). Source: Trend Micro™ Smart Protection Network™\r\nBased on our detections, RansomEXX was most active in the manufacturing sector, followed by the education and banking sectors. Overall, the differences are relatively slim given the small sample size.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx\r\nPage 1 of 16\r\nFigure 2. Industries with the highest number of attack attempts for AvosLocker ransomware (March 31, 2021 to March 31, 2022). Source: Trend Micro™ Smart Protection Network™\r\nInfection chain and techniques\r\nGiven that RansomEXX operates on the RaaS model, its infection chain can vary depending on the target and the affiliate carrying out the various stages of the attack.\r\nFigure 3. RansomEXX infection chain\r\nInitial Access\r\nRansomEXX has been known to use malspam to infiltrate machines and deliver multiple tools and related malware before finally deploying the actual ransomware payload.\r\nExecution and Exfiltration\r\nThe threat actors make use of different pieces of malware for execution. From our telemetry, we saw IcedID, TrickBot, Cobalt Strike beacons, and PyXie RAT. These are known to be used in other campaigns as well. PyXie RAT also has the capability to exfiltrate data and obtain information from the target machine.\r\nLateral Movement\r\nFor lateral movement, multiple server message block (SMB) hits were seen in our telemetry; these were used to deliver the VATET loader.\r\nDiscovery\r\nSimilar to other campaigns, RansomEXX also makes use of Mimikatz and LaZagne to extract credentials from the target machine.\r\nImpact\r\nThe deployment of the final ransomware payload ensures that files on the machine are encrypted. RansomEXX encrypts files using the Advanced Encryption Standard (AES), while the AES key is encrypted using RSA.\r\nOther technical details\r\nIt avoids encrypting files whose path contains any of the following strings:\r\n\\windows\\system32\\\r\n\\windows\\syswow64\\\r\n\\windows\\system\\\r\n\\windows\\winsxs\\\r\n\\appdata\\roaming\\\r\n\\appdata\\local\\\r\n\\appdata\\locallow\\\r\n\\all users\\microsoft\\\r\n\\inetpub\\logs\\\r\n:\\boot\\\r\n:\\perflogs\\\r\n:\\programdata\\\r\n:\\drivers\\\r\n:\\wsus\\\r\n:\\efstmpwp\\\r\n:\\$recycle.bin\\\r\ncrypt_detect\r\ncryptolocker\r\nransomware\r\nProgramW6432\r\n%ProgramFiles%\r\nIt avoids encrypting files whose name contains any of the following strings:\r\nbootsect.bak\r\niconcache.db\r\nthumbs.db\r\ndebug.txt\r\nboot.ini\r\ndesktop.ini\r\nautorun.inf\r\nntuser.dat\r\nntldr\r\nntdetect.com\r\nbootfont.bin\r\n!{Targeted Company Acronym}_READ_ME!.txt\r\nransom\r\nransomware\r\nIt avoids encrypting files with the following extensions:\r\n.ani\r\n.cab\r\n.cpl\r\n.diagcab\r\n.diagpkg\r\n.dll\r\n.drv\r\n.hlp\r\n.icl\r\n.icns\r\n.ico\r\n.iso\r\n.ics\r\n.lnk\r\n.idx\r\n.mod\r\n.mpa\r\n.msc\r\n.msp\r\n.msstyles\r\n.msu\r\n.nomedia\r\n.ocx\r\n.prf\r\n.rtp\r\n.scr\r\n.shs\r\n.spl\r\n.sys\r\n.theme\r\n.thempack\r\n.exe\r\n.bat\r\n.cmd\r\n.url\r\n.mui\r\n.{Targeted Company Acronym\r\nIt terminates the following processes and services:\r\njavaw\r\njava\r\nsage\r\nks_action\r\nks_email\r\nks_copy\r\nks_sched\r\nks_web\r\nks_im\r\nks_db\r\npvxiosvr\r\npvxwin32\r\nxfssvccon\r\nwordpad\r\nwlmail\r\nonenote\r\nom8start\r\nom8\r\nocssd\r\nocomm\r\nocautoupds\r\nnotepad\r\nnotepad++\r\nnode\r\nnginx\r\nncsvc\r\nncs\r\nmydesktopservice\r\nmydesktopqos\r\nmspub\r\nmsaccess\r\nmongod\r\nmetiix\r\nmdccom\r\nmbarw\r\nmail\r\ni_view32\r\ninfopath\r\nexchange\r\nexcel\r\nencsvc\r\nduplicati\r\ndevenv\r\ndbsnmp\r\ndbeng50\r\ndatabase\r\nbackup\r\natom\r\narw\r\nagntsvcencsvc\r\nagntsvcagntsvc\r\nagntsvc\r\nARSM\r\nAcrSch2Svc\r\nAcronis VSS Provider\r\nAcronisAgent\r\nAcronixAgent\r\nAntivirus\r\nMSSQL$TPS\r\nMSSQL$TPSAMA\r\nMSSQL$VEEAMSQL2008R2\r\nMSSQL$VEEAMSQL2012\r\nMSSQLFDLauncher\r\nMSSQLFDLauncher$PROFXENGAGEMENT\r\nMSSQLFDLauncher$SBSMONITORING\r\nMSSQLFDLauncher$SHAREPOINT\r\nMSSQLFDLauncher$SQL_2008\r\nMSSQLFDLauncher$SYSTEM_BGC\r\nMSSQLFDLauncher$TPS\r\nMSSQLFDLauncher$TPSAMA\r\nMSSQLSERVER\r\nMSSQLServerADHelper\r\nMSSQLServerADHelper100\r\nMSSQLServerOLAPService\r\nMcAfeeEngineService\r\nMcAfeeFramework\r\nMcAfeeFrameworkMcAfeeFramework\r\nMcShield\r\nMcTaskManager\r\nMongoDB\r\nMsDtsServer\r\nMsDtsServer100\r\nMsDtsServer110\r\nMySQL57\r\nMySQL80\r\nNetMsmqActivator\r\nOracleClientCache80\r\nOracleServiceXE\r\nTrueKey\r\nTrueKeyScheduler\r\nTrueKeyServiceHelper\r\nUI0Detect\r\nVeeam Backup Catalog Data Service\r\nVeeamBackupSvc\r\nVeeamBrokerSvc\r\nVeeamCatalogSvc\r\nVeeamCloudSvc\r\nVeeamDeploySvc\r\nVeeamDeploymentService\r\nVeeamEnterpriseManagerSvc\r\nwinword\r\nvmwp\r\nvmware-vmx\r\nvmms\r\nvmconnect\r\nvmcompute\r\nvisio\r\nveeam\r\ntv_x64\r\ntv_w32\r\ntomcat\r\nthunderbird\r\nthebat64\r\nthebat64\r\nteamviewer\r\ntbirdconfig\r\ntasklist\r\nBackupExecAgentAccelerator\r\nBackupExecAgentBrowser\r\nBackupExecDeviceMediaService\r\nBackupExecJobEngine\r\nBackupExecManagementService\r\nBackupExecRPCService\r\nBackupExecVSSProvider\r\nDCAgent\r\nDbxSvc\r\nEPSecurityService\r\nEPUpdateService\r\nESHASRV\r\nEhttpSrv\r\nEnterprise Client Service\r\nEraserSvc11710\r\nEsgShKernel\r\nFA_Scheduler\r\nIISAdmin\r\nIMAP4Svc\r\nKAVFS\r\nKAVFSGT\r\nMBAMService\r\nMBEndpointAgent\r\nMSExchangeAB\r\nMSExchangeADTopology\r\nMSExchangeAntispamUpdate\r\nMSExchangeES\r\nMSExchangeEdgeSync\r\nMSExchangeFBA\r\nMSExchangeFDS\r\nMSExchangeIS\r\nMSExchangeMGMT\r\nOracleXETNSListener\r\nPDVFSService\r\nPOP3Svc\r\nRESvc\r\nReportServer\r\nReportServer$SQL_2008\r\nReportServer$SYSTEM_BGC\r\nReportServer$TPS\r\nReportServer$TPSAMA\r\nSAVAdminService\r\nSAVService\r\nSDRSVC\r\nSMTPSvc\r\nSNAC\r\nSQL Backups\r\nSQLAgent$BKUPEXEC\r\nSQLAgent$CITRIX_METAFRAME\r\nSQLAgent$CXDB\r\nSQLAgent$ECWDB2\r\nSQLAgent$PRACTTICEBGC\r\nSQLAgent$PRACTTICEMG\r\nSQLAgent$PROD\r\nSQLAgent$PROFXENGAGEMENT\r\nSQLAgent$SBSMONITORING\r\nSQLAgent$SHAREPOINT\r\nSQLAgent$SOPHOS\r\nSQLAgent$SQLEXPRESS\r\nSQLAgent$SQL_2008\r\nSQLAgent$SYSTEM_BGC\r\nSQLAgent$TPS\r\nSQLAgent$TPSAMA\r\nVeeamHvIntegrationSvc\r\nVeeamMountSvc\r\nVeeamNFSSvc\r\nVeeamRESTSvc\r\nVeeamTransportSvc\r\nW3Svc\r\nWRSVC\r\nZoolz 2 Service\r\nbedbg\r\nekrn\r\nkavfsslp\r\nklnagent\r\nmacmnsvc\r\nmasvc\r\nmfefire\r\ntaskmgr\r\nsynctime\r\nsublime_text\r\nstream\r\nsteam\r\nsqbcoreservice\r\nscreenconnect\r\nruby\r\nqbw32\r\npythonw\r\npython\r\nprocesshacker\r\npowerpnt\r\npostgres\r\nphp\r\noutlook\r\noracle\r\nMSExchangeMTA\r\nMSExchangeMailSubmission\r\nMSExchangeMailboxAssistants\r\nMSExchangeMailboxReplication\r\nMSExchangeProtectedServiceHost\r\nMSExchangeRPC\r\nMSExchangeRepl\r\nMSExchangeSA\r\nMSExchangeSRS\r\nMSExchangeSearch\r\nMSExchangeServiceHost\r\nMSExchangeThrottling\r\nMSExchangeTransport\r\nMSExchangeTransportLogSearch\r\nMSOLAP$SQL_2008\r\nMSOLAP$SYSTEM_BGC\r\nMSOLAP$TPS\r\nMSOLAP$TPSAMA\r\nMSSQL$BKUPEXEC\r\nMSSQL$ECWDB2\r\nMSSQL$PRACTICEMGT\r\nMSSQL$PRACTTICEBGC\r\nMSSQL$PROD\r\nMSSQL$PROFXENGAGEMENT\r\nMSSQL$SBSMONITORING\r\nMSSQL$SHAREPOINT\r\nMSSQL$SOPHOS\r\nMSSQL$SQLEXPRESS\r\nMSSQL$SQL_2008\r\nMSSQL$SYSTEM_BGC\r\nSQLAgent$VEEAMSQL2008R2\r\nSQLAgent$VEEAMSQL2012\r\nSQLBrowser\r\nSQLSERVERAGENT\r\nSQLSafeOLRService\r\nSQLTELEMETRY\r\nSQLTELEMETRY$ECWDB2\r\nSQLWriter\r\nSQLsafe Backup Service\r\nSQLsafe Filter Service\r\nSamSs\r\nSepMasterService\r\nShMonitor\r\nSmcService\r\nSmcinst\r\nSntpService\r\nSophos Agent\r\nSophos AutoUpdate Service\r\nSophos Clean Service\r\nSophos Device Control Service\r\nSophos File Scanner Service\r\nSophos Health Service\r\nSophos MCS Agent\r\nSophos MCS Client\r\nSophos Message Router\r\nSophos Safestore Service\r\nSophos System Protection Service\r\nSophos Web Control Service\r\nSstpSvc\r\nSymantec System Recovery\r\nTmCCSF\r\nmfemms\r\nmfevtp\r\nmozyprobackup\r\nmsftesql$PROD\r\nntrtscan\r\nsacsvr\r\nsophossps\r\nsvcGenericHost\r\nswi_filter\r\nswi_service\r\nswi_update\r\nswi_update_64\r\ntmlisten\r\nwbengine\r\nMITRE tactics and techniques\r\nInitial Access\r\nT1078 - Valid Accounts. Like other human-operated ransomware families, it can arrive by brute-forcing weak remote desktop protocol (RDP) credentials.\r\nExecution\r\nT1059.003 - Command-Line Interface: Windows Command Shell. Can be executed using cmd.exe.\r\nDefense Evasion\r\nT1140 - Deobfuscate/Decode Files or Information. Some strings used, such as the strings that will be displayed on the console, are encrypted and will only be decrypted when needed.\r\nT1562.001 - Impair Defenses: Disable or Modify Tools. RansomEXX stops services related to security software to avoid being detected.\r\nDiscovery\r\nT1082 - System Information Discovery. It gathers the system's computer name, which it uses to create a mutex.\r\nT1049 - System Network Connections Discovery. It enumerates available network resources on the infected machine to look for files to encrypt; it does this by using the WNet APIs.\r\nT1083 - File and Directory Discovery. For its file encryption, it enumerates files and directories on each drive while avoiding safe-listed files or directories.\r\nImpact\r\nT1489 - Service Stop. The ransomware stops services to avoid file access violations when encrypting files that are still being accessed.\r\nT1490 - Inhibit System Recovery. Inhibits restoration of files from backup by executing the following commands:\r\n- wbadmin.exe delete catalog -quiet\r\n- bcdedit.exe /set {default} recoveryenabled no\r\n- bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\n- schtasks.exe /Change /TN \"\\Microsoft\\Windows\\SystemRestore\\SR\" /disable\r\n- fsutil.exe usn deletejournal /D C:\r\nT1486 - Data Encrypted for Impact. It encrypts files using AES encryption, while the AES key is encrypted using RSA encryption.\r\nSummary of malware, tools, and exploits used\r\nSecurity teams can watch out for the presence of the following malware, tools, and exploits that are typically used in RansomEXX attacks:\r\nInitial Access: Malspam\r\nExecution: IcedID, TrickBot, PyXie RAT, Cobalt Strike beacon, Vatet Loader\r\nDiscovery: Mimikatz, LaZagne\r\nLateral Movement: SMB\r\nImpact: RansomEXX\r\nRecommendations\r\nRansomEXX is not as active as it had been in 2020, when its consecutive attacks made it one of the newer ransomware families to watch out for. However, being a highly targeted and human-operated ransomware, its attacks affect its victims and their reputation significantly. The combination of memory-based techniques, legitimate Windows tools, and post-intrusion activity contributes a lot to RansomEXX's successes.\r\nPreventing the attacks from the outset is key to avoiding the worst of ransomware campaigns. Organizations should learn from past RansomEXX campaigns and be vigilant against initial access tactics. Users should be wary of enabling macros, and of documents that prompt them to do so.\r\nTo help defend systems against similar threats, organizations can establish security frameworks that allocate resources systematically to establish solid defenses against ransomware.\r\nHere are some best practices that can be included in these frameworks:\r\nAudit and inventory\r\nTake an inventory of assets and data.\r\nIdentify authorized and unauthorized devices and software.\r\nMake an audit of event and incident logs.\r\nConfigure and monitor\r\nManage hardware and software configurations.\r\nGrant admin privileges and access only when necessary to an employee's role.\r\nMonitor network ports, protocols, and services.\r\nActivate security configurations on network infrastructure devices such as firewalls and routers.\r\nEstablish a software allowlist that only executes legitimate applications.\r\nPatch and update\r\nConduct regular vulnerability assessments.\r\nPerform patching or virtual patching for operating systems and applications.\r\nUpdate software and applications to their latest versions.\r\nProtect and recover\r\nImplement data protection, backup, and recovery measures.\r\nEnable multifactor authentication (MFA).\r\nSecure and defend\r\nEmploy sandbox analysis to block malicious emails.\r\nDeploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network.\r\nDetect early signs of an attack such as the presence of suspicious tools in the system.\r\nUse advanced detection technologies such as those powered by AI and machine learning.\r\nTrain and test\r\nRegularly train and assess employees on security skills.\r\nConduct red-team exercises and penetration tests.\r\nA multilayered approach can help organizations guard possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior can also help protect enterprises.\r\nTrend Micro Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools early on before the ransomware can do irreversible damage to the system.\r\nTrend Micro Cloud One™ Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.\r\nTrend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.\r\nTrend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.\r\nIndicators of Compromise (IOCs)\r\nSource: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx"
	],
	"report_names": [
		"ransomware-spotlight-ransomexx"
	],
	"threat_actors": [],
	"ts_created_at": 1775791235,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/884b505ca23c48bf3d3db4e70c557ed286ad8676.pdf",
		"text": "https://archive.orkl.eu/884b505ca23c48bf3d3db4e70c557ed286ad8676.txt",
		"img": "https://archive.orkl.eu/884b505ca23c48bf3d3db4e70c557ed286ad8676.jpg"
	}
}