RansomEXX

1. Introduction

This module provides an overview of the RansomEXX ransomware family, including a demonstration of the malware being executed on a Windows OS.

2. What is RansomEXX?

RansomEXX is a trojan-based, double extortion ransomware family that has targeted multiple government and healthcare organizations. The name is derived from the string ransom.exx that is present in the executable.

The threat group behind RansomEXX has been in operation since 2018 but came into prominence in 2020 after infecting a number of high-profile organizations, such as:

RansomEXX shares commonalities with a similar variant of ransomware from 2017 called Defray777. It is believed that the same threat group that was behind Defray777 is behind RansomEXX. SecureWorks calls this threat group GOLD DUPONT whereas CrowdStrike has named them SPRITE SPIDER. Along with Defray777, the RansomEXX group is also referred to as Defray, RansomX, and Target777 by various sources.

Initially, the threat group behind RansomEXX targeted only Windows systems; however, they have since altered their attack techniques to infect Linux operating systems as well. The group's goal is to encrypt important files on the target's computers and then demand a ransom in exchange for their decryption. Additionally, the files are exfiltrated before being encrypted. If the ransom is not paid promptly, the threat of releasing these files is used to put pressure on victims.

RansomEXX's operators have used a dedicated leak site on the Tor network to publish files stolen from victims who did not comply with ransom demands. According to CrowdStrike, the threat group did not adopt the tactic of leaking files until later than other comparable groups. This may have been a calculated decision to avoid drawing attention to themselves too soon.

3. Typical Attack Vectors

Like many threat groups, one of the main ways RansomEXX's operators obtain initial access is through phishing, that is, specially crafted emails containing malicious attachments (T1566.001). The threat group has also used banking trojans such as TrickBot as an initial access vector.

These emails often contain a protected Microsoft Word document that carries a malicious macro. Evidently, the threat actors behind RansomEXX are aware that users tend to leave macros disabled, given increased security awareness. To get around this, their phishing emails tend to contain a message that encourages the recipient to enable macro content. Once the user has taken the bait and enabled it, the macro downloads a trojan from a malicious URL, which then establishes itself on the victim's machine.

An investigation by Trend Micro into the techniques used by the RansomEXX ransomware found that initial access was obtained via a phishing email with an attached .zip file containing a Word document with a malicious macro. The document came with a message asking the user to enable macros. Once enabled, the macro loaded the IcedID trojan, which was used to deploy the Vatet loader, which, in turn, was used to decrypt and load further tools.

Another way RansomEXX gains initial access to targeted networks is by exploiting vulnerable systems such as VMware ESXi servers or Citrix Application Delivery Controllers.

4. Attacker TTPs

The threat group behind RansomEXX uses various techniques to achieve its goal. After the initial compromise, the group tries to steal credentials from password stores to obtain access to accounts with higher privileges, with the aim of eventually reaching the domain controllers. To harvest credentials, they install and use PyXie's LaZagne module, an open-source post-exploitation tool used to recover stored passwords. They have also been known to use Mimikatz to steal credentials from memory on Windows hosts. After gaining access to the domain controllers, RansomEXX operators continue to use the PyXie malware to find, collect, and exfiltrate the targeted organization's sensitive files.

Alongside PyXie, the threat group installs Cobalt Strike Beacon to enable remote access to the target system. Through Cobalt Strike, the group eventually loads and executes the RansomEXX ransomware, which starts encrypting the file system.

After successful encryption, a ransom note is added to each directory containing encrypted files. This note contains a threat and instructions on how to proceed and pay the ransom (you will see an example of this in the next objective). RansomEXX also hampers immediate remediation by inhibiting system recovery.

As previously mentioned, RansomEXX operators are also known to use the double extortion method, threatening to publicly leak victims' data if the ransom payment is not received. When a ransom demand is not met, the group publishes files stolen from the target machine on its leak site on the Tor network. When a victim does pay the demanded amount, both Windows and Linux decryptors are sent to them, regardless of the victim's environment.

5. Ransomware Execution Example

Connect to the windows06 machine via the RDP shortcut on the desktop.

Once you have connected to the windows06 machine desktop, you will see that the RansomEXX executable file is present. Execute this file and watch the ransomware propagate as the machine becomes infected and the files are encrypted. Observe the changes to the file extensions after the RansomEXX executable is run, and read the ransom note that is dropped onto the desktop.

Let's check a file before executing the malware.

After executing the malware, the files on the Desktop are encrypted.

6. Encryption Method

The process of encrypting files is slightly different between the Windows and Linux versions of the malware.

In both cases, files are encrypted with dynamically generated AES-256 keys, each of which is then encrypted with an RSA-4096 public key and appended to the encrypted file. This RSA key is hardcoded into the malware and is unique to each target. In every case, a ransom note is added to all directories containing encrypted files.

On Windows, RansomEXX lists all the logical drives attached to the system and iterates through each drive. It encrypts everything that is not on the threat actors' exclusion list, such as the ransomware tools themselves or system folders.

The Linux version of RansomEXX, however, simply takes a directory where the encryption of the files will start as a command-line argument. The files in that directory and any subdirectories are then encrypted — unless excluded.
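As an added example (not code from this module or from RansomEXX itself), here is a small incident-triage walker in Python that applies two facts the module gives: encrypted files carry the .txd0t extension, and a ransom note naming txdot911@protonmail.com is dropped into every directory holding encrypted files. The note's filename is not stated here, so the script assumes a note is any small file mentioning that address, and the directory tree it scans is constructed sample data, not a real infection.

```python
import os
import tempfile
from collections import defaultdict

ENCRYPTED_EXT = ".txd0t"                  # extension the module reports on encrypted files
NOTE_MARKER = b"txdot911@protonmail.com"  # e-mail shown in the ransom note (from the module)
NOTE_MAX_BYTES = 64 * 1024                # notes are small text files; skip anything larger

def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)

def is_ransom_note(path):
    """True if `path` is a small file whose contents mention the ransom-note e-mail (assumed)."""
    try:
        if os.path.getsize(path) > NOTE_MAX_BYTES:
            return False
        with open(path, "rb") as fh:
            return NOTE_MARKER in fh.read()
    except OSError:
        return False

def triage(root):
    """Walk `root`; return {dir: {"encrypted": n, "note": bool}} for affected dirs only."""
    report = defaultdict(lambda: {"encrypted": 0, "note": False})
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENCRYPTED_EXT):
                report[dirpath]["encrypted"] += 1
            elif is_ransom_note(os.path.join(dirpath, name)):
                report[dirpath]["note"] = True
    return {d: v for d, v in report.items() if v["encrypted"] or v["note"]}

def dirs_missing_note(report):
    """Encrypted dirs with no note; the module says every one gets a note, so look closer."""
    return sorted(d for d, v in report.items() if v["encrypted"] and not v["note"])

def build_sample_tree():
    """Constructed sample data, not a real infection: two hit dirs and one clean dir."""
    root = tempfile.mkdtemp(prefix="rexx_")
    docs, pics, clean = (os.path.join(root, d) for d in ("Documents", "Pictures", "Clean"))
    for d in (docs, pics, clean):
        os.makedirs(d)
    for name in ("report.docx.txd0t", "budget.xlsx.txd0t"):
        _write(os.path.join(docs, name), b"\x00" * 64)       # placeholder ciphertext
    _write(os.path.join(pics, "holiday.jpg.txd0t"), b"\x00" * 64)
    _write(os.path.join(docs, "readme.txt"), b"Contact: " + NOTE_MARKER + b"\n")
    _write(os.path.join(clean, "notes.txt"), b"nothing to see here\n")
    return root, docs, pics, clean
```

Running triage(root) on the sample tree reports Documents (2 encrypted files, note present) and Pictures (1 encrypted file, no note), and dirs_missing_note flags Pictures for follow-up; the clean directory does not appear.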

7. Security Questions

  1. Who is most likely to become a victim of a RansomEXX attack?

  2. What are other names for the RansomEXX Ransomware?

  3. Name a tool used by RansomEXX to collect stored credentials after initial access.

  4. What file extension does RansomEXX give to encrypted files?

  5. What email address is displayed in the ransom note?

  6. Which encryption algorithm does RansomEXX use?

8. Answers

  1. Government and Healthcare organisations

  2. Defray, RansomX, Target777

  3. LaZagne, Mimikatz

  4. .txd0t

  5. txdot911@protonmail.com

  6. RSA-4096, AES256
