# Cybereason vs. RansomEXX Ransomware

**[cybereason.com/blog/cybereason-vs.-ransomexx-ransomware](https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware)**

Over the last few months, the [Cybereason Nocturnus Team has been tracking the activity](https://www.cybereason.com/company/nocturnus)
[around the RansomEXX ransomware. It has been active since 2018, but came to fame in](https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomexx)
2020 in attacks on major organizations such as the Texas Department of Transportation.
[RansomEXX started as a Windows variant, but a Linux variant was discovered earlier this](https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/)
year.

## Key Findings

**Human-operated targeted attacks: RansomEXX is being used as a part of multi-staged**
human-operated attacks targeting various government related entities and tech companies. It
is being delivered as a secondary payload after initial compromise of the targeted network.

**[Disables security products: The Windows variant has a functionality that was seen before](https://www.cybereason.com/blog/cybereason-vs.-clop-ransomware)**
in other ransomware, disabling various security products for a smooth execution on the
infected machine.

**Multi-Platform: RansomEXX started solely as a Windows variant, but later a Linux variant**
was added to the arsenal, sharing similarities with its predecessor.

**Fileless ransomware: RansomEXX is usually delivered as a secondary in-memory payload**
without ever touching the disk, which makes it harder to detect.


-----

**Detected and prevented: The** [Cybereason Defense Platform fully detects and prevents the](https://www.cybereason.com/platform#graphic)
RansomEXX ransomware.

## Background

TheRansomEXX family, also known as Defray777 and Ransom X, runs as a solely inmemory payload that is not dropped to disk, making it highly evasive. RansomEXX was
[involved in three major attacks in 2020 against Texas TxDOT in May of 2020, against Konica](https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/)
[Minolta in the end of July, and against Brazil's court system in the beginning of November.](https://www.bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/)

In addition, last December RansomEXX operators published stolen credentials from
Embraer, one of the largest aircraft makers in the world, on its own leaks website as part of
[the ongoing double extortion trend.](https://www.infosecurity-magazine.com/blogs/double-extortion-ransomware/)

In mid 2020, a Linux variant of RansomEXX emerged. This variant, despite sharing
[similarities with the Windows variant, is simpler than its predecessor and lacks many](https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/)
features such as disabling security software and command and control communication.
There are decryptors for both variants, and the threat actors send paying victims a private
key to decode their files.

## RansomEXX Analysis

This analysis focuses on the Windows variant of RansomEXX, which can be classified as
[fileless malware because it is reflectively loaded and executed in memory without touching](https://www.andreafortuna.org/2017/12/08/what-is-reflective-dll-injection-and-how-can-be-detected/)
the disk. Analysis of this sample reveals that it is partially obfuscated but includes indicative
information such as the “ransome.exx” string that can be seen hard coded in the binary:

_ransom.exx string hardcoded in the binary_

Upon execution, RansomEXX starts decrypting some strings necessary for its operation:


-----

_RansomEXX’s strings decryption routine_

The mutex the malware creates is generated from the GUID of the infected machine:

_The GUID generated on the infected machine_

The decrypted strings at this point include mainly logs:

_Decrypted logging string_

RansomEXX spawns a separate thread in the background to handle the logging process.

When debugging the sample, the logs themselves can be seen in the console:

_Logging as seen in the command line_

[The malware then continues with terminating processes and system services that may](https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3/)
interfere with the execution, but excludes those that are relevant for its execution:


-----

_Some of the terminated services as well as processes excluded from termination_

Cybereason detects the execution of RansomEXX together with the below listed commands
that are executed post-encryption. These commands’ role is to prevent the victim from
restoring their system by deleting backups, Windows error recovery etc. Cybereason also
detects this malicious usage of Windows utilities:


-----

_RansomEXX’s attack tree as seen in the Cybereason Defense Platform_

The depicted above commands are as follows:

**Command** **Action**


"C:\Windows\System32\fsutil.exe" usn deletejournal /D
C:

"C:\Windows\System32\wbadmin.exe" delete catalog quiet

"C:\Windows\System32\wevtutil.exe" cl Setup

"C:\Windows\System32\wevtutil.exe" cl System

"C:\Windows\System32\wevtutil.exe" cl Application

"C:\Windows\System32\wevtutil.exe" cl Security

"C:\Windows\System32\bcdedit.exe" /set {default}
bootstatuspolicy ignoreallfailures

"C:\Windows\System32\bcdedit.exe" /set {default}
recoveryenabled no


fsutil.exe deletes the Update
Sequence Number journal

wbadmin.exe deletes the
[backup catalog](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-catalog)

[wevtutil clears event logs](https://winaero.com/how-to-clear-the-windows-event-log-from-the-command-line/)

[bcdedit disable recovery mode](https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set)


-----

"C:\Windows\System32\cipher.exe" /w:C: cipher [overwrites deleted data](https://www.thewindowsclub.com/cipher-command-line-tool-windows)
in drive C


"C:\Windows\System32\schtasks.exe" /Change /TN
"\Microsoft\Windows\SystemRestore\SR" /disable


schtasks disables the system
restore scheduled task


"C:\Windows\System32\wevtutil.exe" sl Security /e:false wevtutil disables the security
event [logs](https://vimalshekar.github.io/scriptsamples/Advanced-ETW-logging)

After preparation of the environment RansomEXX encrypted the files on the victim’s machine
and the following note is left on the machine:

_The ransom note left on the victim’s machine_

The commands that disable file recovery and system restore after successfully encrypting
the victim’s files, and can also be observed clearly in the sample’s code:


-----

_Part of the post-encryption commands in RansomEXX’s code_

## Cybereason Detection and Prevention

Cybereason detects the Windows utilities that are executed post-encryption as malicious and
[triggers a Malop(™) for all of them:](https://www.cybereason.com/platform#malop)

_Detection of the ransomware and malicious uses of windows utilities by the Cybereason_
_Defense Platform_

Looking at the Malop that was triggered by fsutil, the evidence for malicious activity can be
seen together with the suspicions mapped to the MITRE ATT&CK matrix:


-----

_Suspicions and evidence triggered by fsutil_

When Cybereason anti-ransomware prevention is turned on, the execution of the
RansomEXX is prevented using the AI module:

_Execution prevention of RansomEXX by the Cybereason Defense Platform_

## Security Recommendations


-----

**• Enable the Anti-Ransomware Feature on Cybereason NGAV: Set Cybereason Anti-**
Ransomware protection mode to Prevent - more information for customers can be found
here

**• Enable Anti-Malware Feature on Cybereason NGAV: Set Cybereason Anti-Malware**
mode to Prevent and set the detection mode to Moderate and above - more information can
be found here

**• Keep Systems Fully Patched: Make sure your systems are patched in order to mitigate**
vulnerabilities

**• Regularly Backup Files to a Remote Server: Restoring your files from a backup is the**
fastest way to regain access to your data

**• Use Security Solutions: Protect your environment using organizational firewalls, proxies,**
web filtering, and mail filtering

**• Indicator's of Compromise: Includes C2 Domains, IP addresses, Docx files SHA-1**
hashes, and Msi files. Open the chatbot on the lower right-hand side of this blog to download
your copy.

## MITRE ATT&CK BREAKDOWN


**Defense**
**Evasion**

**Impair**
**Defenses:**
**Disable or**
**Modify Tools**

**Indicator**
**Removal on**
**Host: File**
**Deletion**


**Impact** **Execution** **Discovery** **Privilege**
**Escalation**


**Data**
**[Encrypted](https://attack.mitre.org/techniques/T1486/)**
**for Impact**

**Inhibit**
**[System](https://attack.mitre.org/techniques/T1490/)**
**Recovery**


**Command and**
**Scripting Interpreter:**
**Windows Command**
**Shell**

**Command and**
**[Scripting Interpreter:](https://attack.mitre.org/techniques/T1059/004/)**
**Unix Shell**


**Obfuscated Files**
**or Information**

**System**
**[Information](https://attack.mitre.org/techniques/T1082/)**
**Discovery**


**Process**
**Injection**


**[Scheduled Task/Job](https://attack.mitre.org/techniques/T1053/)** **File and Directory**
**Discovery**

**Software**
**Discovery:**
**Security Software**
**Discovery**


-----

**Process**
**Discovery**

**Daniel Frank**

Daniel Frank is a senior Malware Researcher at Cybereason. Prior to Cybereason, Frank
was a Malware Researcher in F5 Networks and RSA Security. His core roles as a Malware
Researcher include researching emerging threats, reverse-engineering malware and
developing security-driven code. Frank has a BSc degree in information systems.

## RansomEXX Ransomware | Indicator's of Compromise

**IOC** **Type** **Description**


-----

0abaa05da2a05977e0baf68838cff1712f1789e0

6fae9aa52fd89bac83b69c2fbdc65c96e886427f

06606fea0daaa99bd8ebfeb60f19976c20e6bb72

0122efe580848879bb70f40ede63cb2edbfb4163

ccfc9578f721fbad30aa74facf20817abe118bfd

423a2bf7ac322273bdacf638703ea99c44462862

dfc37340f5deaa89681539b0f5c22059aac4c31d

9711cdf002e5b7ecccfa309058d53dde67b029ee

3e6689dc6a8a717b4114a7fe65bba594c597c7b9

18b2704b49828035148aebe9e77b286a30c702b6

e7748b92347f95589fa739cbe5c089046614ce92

427178528152670c68f2f2937f05a5cdfebff1c2

3555aaebe6c113fb8f923a38cb3bd75da6e86277

6185e3514a32d2f3fb9ce292ba514d01584cced8

fc9284b7a140c0d411ebd0eb4752e477d5d213fc

11eec31710902820e79ba1e363d4c1256b75c615

5238ba19bb3c7298ee13fe6eb0cf5f8787c13cd8

24e773aa271fc0636cda6b0966a6034b65cb3052

91ad089f5259845141dfb10145271553aa711a2b

132def0d906a53360bdbdd3da109bfa41bcdbb6c

3bf79cc3ed82edd6bfe1950b7612a20853e28b09

50f191f04aa6cff1d8688a3c5d6cce96739ab6b3


SHA1 RansomEXX Windows
Executable

SHA1 RansomEXX Linux
Executable


-----

About the Author

**Cybereason Nocturnus**

The Cybereason Nocturnus Team has brought the world’s brightest minds from the military,
government intelligence, and enterprise security to uncover emerging threats across the
globe. They specialize in analyzing new attack methodologies, reverse-engineering malware,
and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first
to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.

[All Posts by Cybereason Nocturnus](https://www.cybereason.com/blog/authors/cybereason-nocturnus)


-----