RansomEXX Ransomware

RansomEXX Ransomware

Introduction: RansomEXX, also known as Defray or Defray777, is a multifaceted ransomware threat that emerged in late 2020. This analysis provides an in-depth exploration of RansomEXX Ransomware, covering its background, target sectors, modus operandi, technical intricacies, detection methods, mitigation strategies, and removal procedures.

RansomEXX Ransomware Overview:

  • Emergence:
    • First observed in late 2020.
    • Associated with attacks against notable entities like the Texas Department of Transportation and Groupe Atlantic.
    • Features both Windows and Linux variants.
    • Exhibits limited and exclusive targeting.

Targets:

  • Victim Profile:
    • Targets large enterprises, high-value entities, and focuses on government, healthcare, and high-value manufacturing sectors.
    • Known for selective targeting rather than widespread attacks.

Attack Techniques:

  • Spread Mechanisms:
    • Utilizes phishing and spear-phishing emails for initial infection.
    • Exploits exposed and vulnerable applications and services, including Remote Desktop Protocol (RDP).
    • Leverages third-party frameworks such as Vatet Loader, Metasploit, and Cobalt Strike for network infiltration.

Technical Details:

  • Encryption Method:
    • Victim details often hardcoded for personalized ransom notes.
    • Local files encrypted via AES (ECB Mode).
    • Encryption key embedded in payloads, encrypted via RSA-4096.
    • Associated with additional malicious tools like PyXie RAT, Trickbot, and Vatet Loader.

Detection Strategies:

  • EDR is equipped to detect and prevent malicious behaviors and artifacts associated with RansomEXX Ransomware.

Mitigation Measures:

  • Employ EDR for preventing RansomEXX infections and detecting associated risks. For infected devices, the platform’s unique rollback capability removes the infection and restores encrypted files to their original state.

Additional Mitigation Steps:

  • Employee Education:
    • Raise awareness about ransomware risks and phishing threats.
  • Password Security:
    • Implement strong, unique passwords, regularly updating and rotating them.
  • Multi-Factor Authentication (MFA):
    • Enable Multi-Factor Authentication for an added layer of security.
  • Systems Update:
    • Regularly update and patch systems to fix vulnerabilities.
  • Backup and Recovery:
    • Implement a robust Backup and Disaster Recovery (BDR) plan, regularly testing backups for efficacy.

Incident Response:

  1. Detection:
    • Identify signs of RansomEXX ransomware through security tools and network monitoring.
  2. Isolation:
    • Disconnect infected devices from the network to prevent further spread.
  3. Removal:
    • Run a malware scan using anti-malware tools to eliminate RansomEXX ransomware.
  4. Restoration:
    • Restore encrypted files from backups for data recovery.
  5. Expert Consultation:
    • Seek assistance from security experts for a comprehensive assessment and prevention of future attacks.

Proactive Measures:

  • Employee Education: Raise awareness among employees about ransomware risks and phishing threats.
  • Strong Passwords: Implement strong, unique passwords with regular updates.
  • Multi-Factor Authentication: Enable MFA for an additional layer of security.
  • Systems Update: Regularly update and patch systems to fix vulnerabilities.
  • Backup and Recovery: Implement a robust backup and disaster recovery plan, regularly testing backups for efficacy.
Back

Copyright © 2024 RASOC all rights reserved