{
	"id": "0e0aa912-8299-428b-ab3c-b6fadec71626",
	"created_at": "2026-04-06T00:16:35.481113Z",
	"updated_at": "2026-04-10T03:21:57.647273Z",
	"deleted_at": null,
	"sha1_hash": "b7fcc173dac70ec769b510f27b3a4ac97ec17bde",
	"title": "New Ransom X Ransomware used in Texas TxDOT cyberattack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 869890,
	"plain_text": "New Ransom X Ransomware used in Texas TxDOT cyberattack\r\nBy Lawrence Abrams\r\nPublished: 2020-06-26 · Archived: 2026-04-05 12:52:53 UTC\r\nA new ransomware called Ransom X is being actively used in human-operated and targeted attacks against government agencies and enterprises.\r\nMay 2020 was not a good month for Texas, as both the Texas Courts and the Texas Department of Transportation (TxDOT) were hit with ransomware attacks.\r\nAt the time of the attacks, it was not known what ransomware targeted the government agencies.\r\nhttps://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/\r\nPage 1 of 6\r\nWe still do not know for the Texas Courts, but due to a ransomware sample found by MalwareHunterTeam, we now know that TxDOT suffered an attack by a new targeted ransomware called Ransom X.\r\nTaking a look at Ransom X\r\nAfter MalwareHunterTeam shared a sample of Ransom X with Advanced Intel's Vitali Kremez and BleepingComputer, we took it for a spin to see what we could find.\r\nNaming ransomware infections is not always easy, as many times there is no indication as to what the developers call it.\r\nIn this case, Advanced Intel's Vitali Kremez found a 'ransom.exx' string in the executable, which we believe is the name of the ransomware.\r\nAs this is human-operated ransomware, rather than one distributed via phishing or malware, when executed the ransomware will open a console that displays information to the attacker while it is running.\r\nRansom X console\r\nSource: BleepingComputer\r\nAccording to Kremez, Ransom.exx will terminate 289 processes related to security software, database servers, MSP software, remote access tools, and mail servers.
\r\nThe ransomware will also bypass various Windows system folders and any files that match the following extensions:\r\n.ani, .cab, .cpl, .cur, .diagcab, .diagpkg, .dll, .drv, .hlp, .icl, .icns, .ico, .iso, .ics, .lnk, .idx, .mod, .mpa, .msc\r\nOf particular interest are three bypassed folders that Kremez and I theorize are being used to store the ransomware executable and other utilities used during an attack.\r\ncrypt_detect\r\ncryptolocker\r\nransomware\r\nBypassing these folders lets the attackers encrypt a computer while also attacking other computers on the network without fear that their own tools will be encrypted.\r\nThe list of terminated processes and bypassed extensions and folders can be found on our GitHub page.\r\nRansom X will also perform a series of commands throughout the encryption process that:\r\nClear Windows event logs\r\nDelete NTFS journals\r\nDisable System Restore\r\nDisable the Windows Recovery Environment\r\nDelete Windows backup catalogs\r\nWipe free space from local drives.\r\nThe commands executed are listed below.\r\ncipher /w %s\r\nwbadmin.exe delete catalog -quiet\r\nbcdedit.exe /set {default} recoveryenabled no\r\nbcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nschtasks.exe /Change /TN \"\\Microsoft\\Windows\\SystemRestore\\SR\" /disable\r\nwevtutil.exe cl Application\r\nwevtutil.exe cl System\r\nwevtutil.exe cl Setup\r\nwevtutil.exe cl Security\r\nwevtutil.exe sl Security /e:false\r\nfsutil.exe usn deletejournal /D C:\r\nThe ransomware will now begin to encrypt all of the data on the computer and append a custom extension associated with the victim to each encrypted file.\r\nAs you can see below, the custom extension for the Texas Department of Transportation attack was .txd0t.\r\nRansom X encrypted files\r\nSource: BleepingComputer\r\nWhen completed, the Ransom X console will 
display the number of encrypted files and how long the encryption took.\r\nEncryption has finished\r\nSource: BleepingComputer\r\nIn each folder that was scanned during the encryption process, a ransom note named ![extension]_READ_ME!.txt will be created.\r\nThis ransom note includes the company name, an email address to contact, and instructions on how to pay the ransom.\r\nAs you can see below, the ransom note is customized for the specific victim that is under attack, which in this case is the Texas Department of Transportation.\r\nRansom X ransom note\r\nSource: BleepingComputer\r\nDue to the limited visibility into this ransomware operation, there is no information regarding the ransom amounts or whether they steal data as part of the attacks.\r\nThis ransomware has been analyzed and its encryption appears secure, which means there is no way to decrypt the files for free.\r\nIOCs\r\nRansom Note text:\r\nGreetings, Texas Department of Transportation!\r\nRead this message CAREFULLY and contact someone from IT department.\r\nYour files are securely ENCRYPTED.\r\nNo third party decryption software EXISTS.\r\nMODIFICATION or RENAMING encrypted files may cause decryption failure.\r\nYou can send us an encrypted file (not greater than 400KB) and we will decrypt it FOR FREE,\r\nso you have no doubts in possibility to restore all files from all affected systems ANY TIME.\r\nEncrypted file SHOULD NOT contain sensitive information (technical, backups, databases, large documents).\r\nThe rest of data will be available after the PAYMENT.\r\nInfrastructure rebuild will cost you MUCH more.\r\nContact us ONLY if you officially represent the whole affected network.\r\nThe ONLY attachments we accept are non archived encrypted files for test 
decryption.\r\nSpeak ENGLISH when contacting us.\r\nMail us: xxx@protonmail.com\r\nWe kindly ask you not to use GMAIL, YAHOO or LIVE to contact us.\r\nThe PRICE depends on how quickly you do it.\r\nSource: https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/"
	],
	"report_names": [
		"new-ransom-x-ransomware-used-in-texas-txdot-cyberattack"
	],
	"threat_actors": [],
	"ts_created_at": 1775434595,
	"ts_updated_at": 1775791317,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b7fcc173dac70ec769b510f27b3a4ac97ec17bde.pdf",
		"text": "https://archive.orkl.eu/b7fcc173dac70ec769b510f27b3a4ac97ec17bde.txt",
		"img": "https://archive.orkl.eu/b7fcc173dac70ec769b510f27b3a4ac97ec17bde.jpg"
	}
}