{ "id": "48309bf8-9e78-4b45-aa54-3236c838397d", "created_at": "2026-04-06T00:21:28.428757Z", "updated_at": "2026-04-10T03:37:23.867554Z", "deleted_at": null, "sha1_hash": "8e9cdc7779a1bf3f51f3ff8c4008a21e6f175597", "title": "Expanding Range and Improving Speed: A RansomExx Approach", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 984230, "plain_text": "Expanding Range and Improving Speed: A RansomExx Approach\r\nBy Trend Micro ( words)\r\nPublished: 2021-01-06 · Archived: 2026-04-05 20:47:39 UTC\r\nRansomExx is a ransomware variant responsible for several high-profile attacks in 2020. We take a look at its\r\ncurrent techniques which include the use of trojanized software to deliver malicious payloads and an overall short\r\nand fast attack.\r\nBy: Trend Micro Jan 06, 2021 Read time: 5 min (1445 words)\r\nSave to Folio\r\nRansomExx, a ransomware variant responsible for several high-profileopen on a new tab attacks in 2020, has\r\nshown signs of further development and unhampered activity. The most recently reported development involves\r\nthe use of newer variants adapted for Linux serversopen on a new tab that effectively expanded its range to more\r\nthan Windows servers.\r\nOwn monitoring efforts found RansomExx compromising companies in the United States, Canada, and Brazil, as\r\nwell as the sustained activity of the Linux variant. This entry details our analysis of a RansomExx campaign that\r\nused IcedIDopen on a new tab as its initial access vector, Vatet loader as its payload delivery method, and both\r\nPyxie and Cobalt Strike as post-intrusion tools. This combination of tools took only five hours to deploy the\r\nransomware from its initial access.\r\nRansomExx used to be operated by a threat group, which SecureWorksopen on a new tab named GOLD\r\nDUPONT, that has been active since 2018. Based on its most recent attacks, the threat group showed a fast and\r\neffective approach to compromising an environment. Malware like Vatet loader, PyXie, Trickbot, and\r\nRansomExx, as well as some post-intrusion tools like Cobalt Strike, are typically part of this threat group’s\r\narsenal.\r\nThis malware is worth looking into as it demonstrates effective techniques frequently observed in ransomware\r\nattacks in 2020. These methods include the use of trojanized software to deliver malicious payloads and an overall\r\nshort and fast attack. \r\nThe Investigation\r\nThe incident we observed was first flagged as a phishing email with an attached password-protected ZIP file,\r\nwhich is actually a Word document (detected as Trojan.W97M.SHATHAK.A) with a malicious macro. It shows a\r\nmessage that lures users into enabling macro content:\r\nhttps://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html\r\nPage 1 of 9\n\nFigure 1. Malicious Word document content\r\nBy allowing the macro inside the document, it will attempt to download the IcedID trojan (detected as\r\nTrojanSpy.Win32.ICEDID.BP) from a malicious URL. If the download succeeds, the trojan is executed using\r\nregsvr32.exe.\r\nFigure 2. Code snippet of the macro\r\nAs a common IcedID approach it used steganography as a method to deliver the payload through a .png file\r\ndownloaded from a malicious URL. The file is decrypted, and the payload is injected into memory. For\r\npersistence, IcedID creates a scheduled task to run hourly, in which it again uses regsvr32.exe to run its malicious\r\nDLL:\r\nFigure 3. Malicious scheduled task initializing\r\nOn this incident we observed msiexec.exe being used to inject and deploy the final IcedID payload. With the final\r\npayload in place, the attacker was able to load and execute the Cobalt Strike payload, allowing it to communicate\r\nwith the command and control (C\u0026C) server:\r\nhttps://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html\r\nPage 2 of 9\n\nFigure 4. Telemetry data of the point-of-entry machine connecting to the C\u0026C Server\r\nAfter establishing a connection to the malicious server, the threat actor started to collect machine information and\r\nmove laterally. In this entry, we don’t have evidence to show all the approaches the malware used to move\r\nlaterally, except for one that was through SMB.\r\nFigure 5. Some of the information gathered by the attacker from the point of entry machine\r\nThe artifact used to deliver the other components executed in the environment was a trojanized version of\r\nNotepad++ — Vatet loader (detected as Trojan.Win32.VATET.SM). As described in our previous blog post, Vatet\r\nloader decrypts a file (in our analysis referred to as config.dat) using an XOR-based method. After the XOR\r\noperation, it allocates memory, injects the config.dat decrypted code into its own memory, and then executes the\r\npayload:\r\nhttps://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html\r\nPage 3 of 9\n\nFigure 6. Code snippet of Vatet loader routine\r\nVatet loader loads any payload as long as it follows the correct XOR operation based on the file path of config.dat.\r\nWe identified a different config.dat file being used for different purposes, like information gathering through\r\nPyxie, Lazagne and Mimikatz as well as RansomExx itself for its last attack phase. One key observation was that\r\nthe config.dat used for information gathering contained an internal IP in the configuration of its payload,\r\nspecifically in the part pertaining to the address of the server being used to send the gathered information. We\r\nhave evidence showing that this internal IP was used as an exfiltration point and communicated to the C\u0026C server\r\nmentioned earlier. This behavior leads us to think that the entire attack was indeed very fast, with some of the\r\ncomponents created in the time of the incident.\r\nUsage of the Linux variant\r\nCorrelating the described incident to more recent attacks involving RansomExx, we observed the use of a new\r\nLinux variant of RansomExx to compromise Linux servers. We have no information on how the malware was sent\r\nto the Linux server, but we observed it aiming for the VMware environment in general, especially machines that\r\nserve as storage for the VMware files. We have found three variants of RansomExx for Linux using Trend Micro\r\nTelfhash, and all three samples shared the same behavior. The sample we analyzed from these three is a 64-bit\r\nELF executable with all of the cryptographic schemes from an open-source library called mbedtls. The sample is\r\nmulti-thread and goes straight to encryption. It has no network activities, no anti-analysis techniques, or other\r\nactivities outside its main agenda. The sample also has some available debug information allowing us to check\r\ncharacteristics like the function names and source code file names:\r\nhttps://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html\r\nPage 4 of 9\n\nFigure 7. Examples of RansomExx debug information\r\nUpon execution, the sample starts calling a function referred to as GeneratePreData, which is responsible for the\r\ncreation of a 256-bit AES key using both pseudo-random values from native Linux functions and also mbedtls\r\noperations. The AES key is encrypted using a hardcoded RSA-4096 public key, with the result written in a global\r\nvariable. The content of that global variable is going to be appended to each file for future encryption using AES\r\nin ECB mode:\r\nhttps://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html\r\nPage 5 of 9\n\nFigure 8. Hardcoded RSA public key\r\nThe GeneratePreData function runs in a thread created by the malware on an infinite loop, attempting to generate\r\nencryption keys every 0.18 seconds. The thread will continue to run until the end of the malware execution.\r\nFigure 9. Code snippet of the Ransomware main function\r\nhttps://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html\r\nPage 6 of 9\n\nFigure 10. Code snippet of the AES encryption\r\nThe malware only runs if the user specifies a directory as a command line parameter. The encryption preparation\r\nstarts in a function referred to as list_dir. The first action performed by the list_dir function makes sure that the\r\nargument passed through the command line is a directory. If the check succeeds, the function responsible for the\r\ncreation of the ransom note is called.\r\nIf the other files inside the same directory are also directories, then the list_dir function is called again. For regular\r\nfiles, the malware attempts to check if the file has the occurrence of the ransomware extension string to determine\r\nif it needs to be encrypted. For every file found inside the directories, the malware adds a task to encrypt the file:\r\nhttps://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html\r\nPage 7 of 9\n\nFigure 11. Code snippet showing the list_dir() function\r\nFigure 12. Code snippet of the ransom note creation function\r\nSecurity recommendations\r\nThreat actors constantly improve their arsenal and approaches to be more effective. The use of memory-based\r\ntechniques, legitimate Windows tools, and well-known post-intrusion tools preceding the deployment of the main\r\npayload seems to result in a higher chance of success for ransomware operators.\r\nFor users, preventing attacks from the outset is key to impeding the chance of successful ransomware attacks. The\r\nspeed and agility that this campaign banked on will not matter in the future if initial access is denied from the\r\nstart. Learning from this campaign, users should only download files from trusted and legitimate sources to\r\nprevent the entry of malicious files into their system. Users should avoid enabling macros, and should be wary of\r\ndocuments that prompt them to do so.\r\nhttps://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html\r\nPage 8 of 9\n\nIn general, more robust security measures can prevent ransomware and other threats from having a strong impact\r\non systems. These include employing least privilege standards and ensuring that systems are up-to-date. If legacy\r\nsystems cannot be avoided, solutions that allow virtual patching can help ensure that legacy systems are\r\nnonetheless protected.\r\nTrend Micro Solutions\r\nTrend Micro Cloud One™– Workload Securityproducts has a virtual patching feature that can protect the system\r\nagainst exploits. Since some of the malware’s techniques can bypass signature-based security agents, technologies\r\nlike Trend Micro Behavior Monitoring and Machine Learning can be used to prevent and block those threats.\r\nEnterprises can also take advantage of Trend Micro XDRproductsTMproducts, which collects and correlates data\r\nacross endpoints, emails, cloud workloads, and networks, providing better context and enabling investigation in\r\none place. This, in turn, allows teams to respond to similar threats faster and detect advanced and targeted threats\r\nearlier.\r\nIndicators of Compromise\r\nTrend Micro Detection Name SHA256\r\nRansom.Linux.EXX.YAAK-A cb408d45762a628872fa782109e8fcfc3a5bf456074b007de21e9331bb3c5849\r\nRansom.Linux.EXX.YAAK-B 08113ca015468d6c29af4e4e4754c003dacc194ce4a254e15f38060854f18867\r\nRansom.Linux.EXX.YAAK-B 78147d3be7dc8cf7f631de59ab7797679aba167f82655bcae2c1b70f1fafc13d\r\nTrojan.W97M.SHATHAK.A 6fb5af0a4381411ff1d9c9041583069b83a0e94ff454cba6fba60e9cd8c6e648\r\nTrojanSpy.Win32.ICEDID.BP 3c5af2d1412d47be0eda681eebf808155a37f4911f2f2925c4adc5c5824dea98\r\nTrojanSpy.Win32.ICEDID.BP 87e732bdc3a1ed19904985cfc20da6f26fa8c200ec3b2806c0abc7287e1cdab7\r\nTrojanSpy.Win32.ICEDID.BP 884fe75824ad10d800fd85d46b54c8e45c4735db524c247018743eb471190633\r\nTags\r\nSource: https://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html\r\nhttps://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html\r\nPage 9 of 9", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html" ], "report_names": [ "expanding-range-and-improving-speed-a-ransomexx-approach.html" ], "threat_actors": [ { "id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f", "created_at": "2022-10-25T15:50:23.579601Z", "updated_at": "2026-04-10T02:00:05.360509Z", "deleted_at": null, "main_name": "TA551", "aliases": [ "TA551", "GOLD CABIN", "Shathak" ], "source_name": "MITRE:TA551", "tools": [ "QakBot", "IcedID", "Valak", "Ursnif" ], "source_id": "MITRE", "reports": null }, { "id": "27e51b73-410e-4a33-93a1-49cf8a743cf7", "created_at": "2023-01-06T13:46:39.210675Z", "updated_at": "2026-04-10T02:00:03.247656Z", "deleted_at": null, "main_name": "GOLD DUPONT", "aliases": [ "SPRITE SPIDER" ], "source_name": "MISPGALAXY:GOLD DUPONT", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "40b623c7-b621-48db-b55b-dd4f6746fbc6", "created_at": "2024-06-19T02:03:08.017681Z", "updated_at": "2026-04-10T02:00:03.665818Z", "deleted_at": null, "main_name": "GOLD CABIN", "aliases": [ "Shathak", "TA551 " ], "source_name": "Secureworks:GOLD CABIN", "tools": [], "source_id": "Secureworks", "reports": null }, { "id": "7268a08d-d4d0-4ebc-bffe-3d35b3ead368", "created_at": "2022-10-25T16:07:24.225216Z", "updated_at": "2026-04-10T02:00:04.904162Z", "deleted_at": null, "main_name": "Sprite Spider", "aliases": [ "Gold Dupont", "Sprite Spider" ], "source_name": "ETDA:Sprite Spider", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "Coroxy", "Defray 2018", "Defray777", "DroxiDat", "Glushkov", "LaZagne", "Metasploit", "PyXie", "PyXie RAT", "Ransom X", "RansomExx", "SharpHound", "Shifu", "SystemBC", "Target777", "Vatet", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "07775b09-acd9-498e-895f-f10063115629", "created_at": "2024-06-04T02:03:07.817613Z", "updated_at": "2026-04-10T02:00:03.650268Z", "deleted_at": null, "main_name": "GOLD DUPONT", "aliases": [ "Sprite Spider ", "Storm-2460 " ], "source_name": "Secureworks:GOLD DUPONT", "tools": [ "777", "ArtifactExx", "Cobalt Strike", "Defray", "Metasploit", "PipeMagic", "PyXie", "Shifu", "SystemBC", "Vatet" ], "source_id": "Secureworks", "reports": null }, { "id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68", "created_at": "2022-10-25T16:07:24.578896Z", "updated_at": "2026-04-10T02:00:05.039955Z", "deleted_at": null, "main_name": "TA551", "aliases": [ "G0127", "Gold Cabin", "Monster Libra", "Shathak", "TA551" ], "source_name": "ETDA:TA551", "tools": [ "BokBot", "CRM", "Gozi", "Gozi CRM", "IceID", "IcedID", "Papras", "Snifula", "Ursnif", "Valak", "Valek" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434888, "ts_updated_at": 1775792243, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/8e9cdc7779a1bf3f51f3ff8c4008a21e6f175597.pdf", "text": "https://archive.orkl.eu/8e9cdc7779a1bf3f51f3ff8c4008a21e6f175597.txt", "img": "https://archive.orkl.eu/8e9cdc7779a1bf3f51f3ff8c4008a21e6f175597.jpg" } }