Opinion50 Things I learned about the RansomEXX group

50 Things I learned about the RansomEXX group

AboveL A redacted note issued by RansomEXX

Shiva Parasram created this list of factoids about the ransomware group RansomEXX and published it to his LinkedIn page. It is reproduced here with his kind permission.

  1. 🎯 Emergence: RansomEXX came into the spotlight around 2020, primarily targeting notable organizations.
  2. 📛 Alias: They are also referred to as Defray777, stemming from a unique identifier in their ransomware code.
  3. 🔒 Encryption Techniques: RansomEXX employs strong encryption, making it difficult to restore files without their decryptor.
  4. 🌎 Global Attacks: While selective, they have targeted entities across various continents.
  5. 🔍 Specific Targets: They have a penchant for large corporations and public sector organizations.
  6. 🖥️ Hands-on Approach: RansomEXX prefers manual operations inside a network over automated techniques.
  7. 💽 Data Theft: Before encrypting systems, they often steal sensitive data.
  8. 📢 Double Extortion: They not only encrypt but threaten to leak stolen data if ransoms aren’t paid.
  9. 📜 Personalized Notes: Their ransom communications are typically customized based on the victim.
  10. 💰 RaaS: They do operate independently but have been known to operate as a RaaS (Ransomware-as-a-Service) model.
  11. 🎣 Phishing Mastery: Deceptive emails are often their initial entry method into networks.
  12. 🔗 Exploit Chains: They often chain together multiple software vulnerabilities for deeper access.
  13. 🖇️ Unpatched Software: RansomEXX capitalizes on outdated and vulnerable software, especially public-facing applications.
  14. 🧰 Diverse Toolkit: Their arsenal includes a mix of custom and off-the-shelf tools.
  15. 🔑 Mimikatz: A favored tool for credential dumping and privilege escalation.
  16. ⚡ PowerShell Empire: A post-exploitation framework granting wide-ranging capabilities.
  17. 💼 Cobalt Strike: Originally a legitimate pen-testing tool, it’s now a favorite among attackers.
  18. 🌐 Lateral Tactics: Tools like PsExec help them traverse laterally across compromised networks.
  19. 🔍 Network Recon: They actively map networks using tools like BloodHound.
  20. ☁️ Data Movement: Rclone can be misused for moving data stealthily to cloud storage.
  21. 🔍 Active Directory: They mine AD data using tools like AdFind for understanding permissions and relations.
  22. 🚪 Misconfigurations: They exploit insecure settings or exposed services.
  23. 📊 Target Research: Before an attack, they spend time researching potential victims for maximum impact.
  24. 💰 High Ransoms: Their demands can be exorbitant, reflecting their target’s perceived ability to pay.
  25. 📈 Tailored Operations: RansomEXX customizes their attack methods based on the target’s environment.
  26. 🛡️ Avoiding Detection: They use “living off the land” tactics to blend into environments.
  27. 🚷 No Known Decryptor: As of the last known update, no public decryption tool can counter RansomEXX.
  28. 📞 Communication Channels: They often provide a communication channel for ransom negotiations.
  29. 🔥 Destruction: In some cases, they may try to delete backups or disrupt recovery efforts.
  30. 🌍 Varied Victims: Targets have included healthcare, government entities, and critical infrastructure.
  31. 🔄 Network Propagation: Once inside, they work to gain higher privileges and access more systems.
  32. 🔐 Credential Theft: Capturing credentials is a priority to facilitate movement and persistence.
  33. 🛑 Stopping Security: They might attempt to disable security software or services.
  34. 🗂️ File Types: They target a broad range of file extensions, ensuring vital data gets encrypted.
  35. ⌛ Dwell Time: They can remain in networks for days to weeks before launching the ransomware.
  36. 📝 Detailed Notes: Ransom notes often provide detailed payment instructions using cryptocurrencies.
  37. ⚖️ Negotiations: Some victims have successfully negotiated lower ransoms.
  38. 🚫 Decryption Issues: Even after payment, decryption isn’t always smooth, with occasional technical issues.
  39. 🌐 Network Disruptions: Their operations can disrupt not just endpoints but entire networks.
  40. 🚫 No Warranty: Paying the ransom doesn’t guarantee data safety or prevent future attacks.
  41. 🕵️ Stealth: They often clean logs or use encrypted channels to avoid detection.
  42. 📦 Payload Delivery: Various methods, from malicious attachments to drive-by downloads, are used.
  43. 📡 Command & Control: They establish robust C2 communications to control compromised systems.
  44. 🛡️ Backup Importance: The best defense against their attack is having secure and isolated backups.
  45. 🚫 No Discrimination: Despite being selective, no industry is truly safe from their attention.
  46. 🖲️ VPN Exploits: Vulnerable VPNs have been a notable point of entry.
  47. 📅 Continuous Evolution: Their techniques and tools evolve to counteract defenses.
  48. 💡 Awareness: Training staff to spot phishing and suspicious behavior can prevent initial access.
  49. 🚀 Rapid Response: Quick detection and response can mitigate the damage they cause.
  50. 🔒 Layered Defense: Employing a multi-layered security approach is crucial in defending against groups like RansomEXX.

Related Posts

How should business and government embrace AI?

How should business and government embrace AI?

"Very few people in the world can quantify the fiscal value of AI." - Anton Alexander
Read More
The data privacy issues in TT’s national ID platform

The data privacy issues in TT’s national ID platform

A country building a biometric database with no enforceable data-protection law is a live risk in the abstract.
Read More
Digicel, LoopUp partner to bring Microsoft Teams telephony to the Caribbean

Digicel, LoopUp partner to bring Microsoft Teams telephony to the Caribbean

By partnering with LoopUp, we can give our enterprise customers a seamless, fully managed Teams telephony experience
Read More
iVote Live launches with a focus on improved governance for organisations

iVote Live launches with a focus on improved governance for organisations

"A platform does not automatically create good governance. A digital vote does not automatically create democracy."
Read More
Maximize online impact with content that connects

Maximize online impact with content that connects

Staying visible online is hard when daily demands compete with the pressure to post often, stay on-brand, and still sound human
Read More
How influencer marketing works in the Caribbean

How influencer marketing works in the Caribbean

You have to really trust in this influencer to represent your brand, to be an advocate, to be the voice of your brand.
Read More
Your children: More device use means more cyber risk

Your children: More device use means more cyber risk

Shared family devices are often overlooked in terms of software updates and become gateways for cybercriminals.
Read More
CIBC Caribbean cards can now be added to Google Wallets

CIBC Caribbean cards can now be added to Google Wallets

Clients will be able to store Visa and Mastercard Credit Cards and Visa Debit Cards within Google Wallet, a digital wallet that's also launching in these markets.
Read More
Samsung Electronics expands water replenisment in 2026 Sustainability Report

Samsung Electronics expands water replenisment in 2026 Sustainability Report

Across its supply chain, Samsung expanded the scope of third-party audits to include 122 first-tier suppliers and 39 second-tier suppliers.
Read More
Yes, a website is work. Yes, it’s worth it

Yes, a website is work. Yes, it’s worth it

AI tools suck up the content of creators across the open internet, turning their work into a pudding of responses in search.
Read More
How should business and government embrace AI? How should business and government embrace...
The data privacy issues in TT’s national ID platform The data privacy issues in TT’s...
Digicel, LoopUp partner to bring Microsoft Teams telephony to the Caribbean Digicel, LoopUp partner to bring Microsoft...
iVote Live launches with a focus on improved governance for organisations iVote Live launches with a focus...
Maximize online impact with content that connects Maximize online impact with content that...
How influencer marketing works in the Caribbean How influencer marketing works in the...
Your children: More device use means more cyber risk Your children: More device use means...
CIBC Caribbean cards can now be added to Google Wallets CIBC Caribbean cards can now be...
Samsung Electronics expands water replenisment in 2026 Sustainability Report Samsung Electronics expands water replenisment in...
Yes, a website is work. Yes, it’s worth it Yes, a website is work. Yes,...

🤞 Get connected!

A once weekly email notification of new stories on TechNewsTT. Just that. No spam.

Possible UI Glitch. Click top right corner to dismiss 👉

Get Connected!

A once weekly email notification of new stories on TechNewsTT.

Just that. No spam.

RELATED POSTS