Ransomware remains in constant use by cybercriminals because it is a very effective method against wealthy companies, and today we will talk about one of these families, RansomExx. This ransomware encrypts files and renames them by appending an extension, and the extension it adds is the name of the attacked company. Cybercriminals are known to have used this ransomware to attack the Texas Department of Transportation; in that case the encrypted files had the extension “.txd0t” appended to their names. Now it has attacked the Italian luxury fashion house Ermenegildo Zegna Holding, so we know it is still active.

As with all ransomware, RansomExx drops a ransom note in every folder containing encrypted files; the note's name also depends on the name of the target. Cybercriminals are known to use RansomExx mainly against companies. There are variants of RansomExx capable of encrypting data not only on Windows but also on Linux operating systems.
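The two observables described above, a victim-specific extension appended to many files and a ransom note dropped in every affected folder, can be turned into a simple post-incident triage check. The script below is an added example and not part of the original article; the extension allowlist, the note-name prefixes, and the file paths are constructed assumptions.

```python
import os
from collections import Counter, defaultdict

# Extensions expected on the share; an extra suffix appended after one of
# these (e.g. report.docx.txd0t) is the footprint described in the article.
# Assumption: a short allowlist stands in for a real file-type inventory.
KNOWN_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".log"}
# The article only says the note name depends on the target, so these
# prefixes are constructed for the example, not observed indicators.
NOTE_MARKERS = ("!readme", "readme_")

def appended_extension(path):
    """Return (inner_ext, appended_ext) when a known extension is followed
    by an unknown one, e.g. 'q1.xlsx.txd0t' -> ('.xlsx', '.txd0t')."""
    stem, appended = os.path.splitext(os.path.basename(path))
    inner = os.path.splitext(stem)[1].lower()
    if inner in KNOWN_EXTS and appended and appended.lower() not in KNOWN_EXTS:
        return inner, appended.lower()
    return None

def scan_listing(paths, min_files=3):
    """Flag folders where at least min_files share one appended extension
    and a ransom-note-like file sits beside them."""
    appended_by_dir = defaultdict(Counter)
    note_dirs = set()
    for p in paths:
        folder = os.path.dirname(p)
        name = os.path.basename(p).lower()
        if name.startswith(NOTE_MARKERS):
            note_dirs.add(folder)
            continue
        hit = appended_extension(p)
        if hit:
            appended_by_dir[folder][hit[1]] += 1
    findings = []
    for folder, counts in appended_by_dir.items():
        ext, n = counts.most_common(1)[0]
        if n >= min_files and folder in note_dirs:
            findings.append({"dir": folder, "ext": ext, "files": n})
    return sorted(findings, key=lambda f: f["dir"])

# Constructed sample listing: one folder hit, one folder clean.
SAMPLE_LISTING = [
    "/srv/share/finance/q1.xlsx.txd0t", "/srv/share/finance/q2.xlsx.txd0t",
    "/srv/share/finance/budget.docx.txd0t", "/srv/share/finance/!README_TXD0T.txt",
    "/srv/share/hr/policy.pdf", "/srv/share/hr/notes.txt",
]

if __name__ == "__main__":
    for f in scan_listing(SAMPLE_LISTING):
        print(f"{f['dir']}: {f['files']} files with {f['ext']}, ransom note present")
```

In a real investigation the listing would come from a file-system walk of the affected share, and the allowlist from an inventory of the file types normally stored there.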

Victims are also told that the price of decryption depends on how quickly they contact the ransomware operators. Research shows that during encryption on Linux systems, RansomExx generates a 256-bit AES key to encrypt files and then encrypts that key with an RSA-4096 public key, so the files cannot be recovered without the attackers' private key. Even so, as we always say, it is best not to pay or comply with their demands, since there is no guarantee that your data will be returned.

So far, cybercriminals have distributed RansomExx via malspam emails carrying a Microsoft Office document with a malicious macro. The document asks the user to enable macro content; once allowed, it tries to download and run the IcedID Trojan. When IcedID is installed successfully, it is used to load and run Cobalt Strike, which establishes a connection to a command and control server. After the connection is established, the criminals run the Vatet loader via a trojanized version of Notepad++. That loader is then used for other malicious purposes, such as credential and data theft with Mimikatz, LaZagne and PyXie, and finally for installing the RansomExx ransomware.
