Cybereason vs. RansomEXX Ransomware

Over the last few months, the Cybereason Nocturnus Team has been tracking the activity around the RansomEXX ransomware. It has been active since 2018, but came to fame in 2020 in attacks on major organizations such as the Texas Department of Transportation. RansomEXX started as a Windows variant, but a Linux variant was discovered earlier this year.

Key Findings

Human-operated targeted attacks: RansomEXX is being used as a part of multi-staged human-operated attacks targeting various government related entities and tech companies. It is being delivered as a secondary payload after initial compromise of the targeted network.

Disables security products: The Windows variant has a functionality that was seen before in other ransomware, disabling various security products for a smooth execution on the infected machine.

Multi-Platform: RansomEXX started solely as a Windows variant, but later a Linux variant was added to the arsenal, sharing similarities with its predecessor. 

Fileless ransomware: RansomEXX is usually delivered as a secondary in-memory payload without ever touching the disk, which makes it harder to detect. 

Detected and prevented: The Cybereason Defense Platform fully detects and prevents the RansomEXX ransomware.

 

 

Background

TheRansomEXX family, also known as Defray777 and Ransom X, runs as a solely in-memory payload that is not  dropped to disk, making it highly evasive. RansomEXX was involved in three major attacks in 2020 against Texas TxDOT in May of 2020, against Konica Minolta in the end of July, and against Brazil's court system in the beginning of November. 

In addition, last December RansomEXX operators published stolen credentials from Embraer, one of the largest aircraft makers in the world, on its own leaks website as part of the ongoing double extortion trend.

In mid 2020, a Linux variant of RansomEXX emerged. This variant, despite sharing similarities with the Windows variant, is simpler than its predecessor and lacks many features such as disabling security software and command and control communication. There are decryptors for both variants, and the threat actors send paying victims a private key to decode their files.

RansomEXX Analysis

This analysis focuses on the Windows variant of RansomEXX, which can be classified  as fileless malware because it is reflectively loaded and executed in memory without touching the disk. Analysis of this sample reveals that it is partially obfuscated but includes indicative information such as the “ransome.exx” string that can be seen hard coded in the binary:

Ransomexx-blog-1

ransom.exx string hardcoded in the binary

Upon execution, RansomEXX starts decrypting some strings necessary for its operation:

Ransomexx-blog-2

RansomEXX’s strings decryption routine

The mutex the malware creates is generated from the GUID of the infected machine:

Ransomexx-blog-3

The GUID generated on the infected machine

The decrypted strings at this point include mainly logs:

Ransomexx-blog-4

Decrypted logging string

RansomEXX spawns a separate thread in the background to handle the logging process.

When debugging the sample, the logs themselves can be seen in the console:

Ransomexx-blog-5

Logging as seen in the command line

The malware then continues with terminating processes and system services that may interfere with the execution, but excludes those that are relevant for its execution:

Ransomexx-blog-6

Ransomexx-blog-7

Some of the terminated services as well as processes excluded from termination

Cybereason detects the execution of RansomEXX together with the below listed commands that are executed post-encryption. These commands’ role is to prevent the victim from restoring their system by deleting backups, Windows error recovery etc. Cybereason also detects this malicious usage of Windows utilities:

Ransomexx-blog-8

RansomEXX’s attack tree as seen in the Cybereason Defense Platform

The depicted above commands are as follows:

Command

Action

"C:\Windows\System32\fsutil.exe" usn deletejournal /D C:

fsutil.exe deletes the Update Sequence Number journal

"C:\Windows\System32\wbadmin.exe" delete catalog -quiet

wbadmin.exe deletes the backup catalog

"C:\Windows\System32\wevtutil.exe" cl Setup
"C:\Windows\System32\wevtutil.exe" cl System
"C:\Windows\System32\wevtutil.exe" cl Application
"C:\Windows\System32\wevtutil.exe" cl Security

wevtutil clears event logs 

"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no

bcdedit disable recovery mode

"C:\Windows\System32\cipher.exe" /w:C:

cipher overwrites deleted data in drive C

"C:\Windows\System32\schtasks.exe" /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable

schtasks disables the system restore scheduled task

"C:\Windows\System32\wevtutil.exe" sl Security /e:false

wevtutil disables the security event logs


After preparation of the environment RansomEXX encrypted the files on the victim’s machine and the following note is left on the machine:

Ransomexx-blog-8.2

The ransom note left on the victim’s machine

The commands that disable file recovery and system restore after successfully encrypting the victim’s files, and can also be observed clearly in the sample’s code:

Ransomexx-blog-9

Part of the post-encryption commands in RansomEXX’s code

Cybereason Detection and Prevention

Cybereason detects the Windows utilities that are executed post-encryption as malicious and triggers a Malop(™) for all of them:

Ransomexx-blog-10

Detection of the ransomware and malicious uses of windows utilities by the Cybereason Defense Platform

Looking at the Malop that was triggered by fsutil, the evidence for malicious activity can be seen together with the suspicions mapped to the MITRE ATT&CK matrix:

Ransomexx-blog-11

Suspicions and evidence triggered by fsutil

When Cybereason anti-ransomware prevention is turned on, the execution of the RansomEXX is prevented using the AI module:

Ransomexx-blog-12

Execution prevention of RansomEXX by the Cybereason Defense Platform

Security Recommendations

• Enable the Anti-Ransomware Feature on Cybereason NGAV: Set Cybereason Anti-Ransomware protection mode to Prevent - more information for customers can be found here

• Enable Anti-Malware Feature on Cybereason NGAV: Set Cybereason Anti-Malware mode to Prevent and set the detection mode to Moderate and above - more information can be found here

• Keep Systems Fully Patched: Make sure your systems are patched in order to mitigate vulnerabilities

• Regularly Backup Files to a Remote Server: Restoring your files from a backup is the fastest way to regain access to your data

• Use Security Solutions: Protect your environment using organizational firewalls, proxies, web filtering, and mail filtering

• Indicator's of Compromise: Includes C2 Domains, IP addresses, Docx files SHA-1 hashes, and Msi files. Open the chatbot on the lower right-hand side of this blog to download your copy.

MITRE ATT&CK BREAKDOWN

Defense Evasion

Impact

Execution

Discovery

Privilege Escalation

Impair Defenses: Disable or Modify Tools

Data Encrypted for Impact

Command and Scripting Interpreter: Windows Command Shell

Obfuscated Files or Information



Process Injection

Indicator Removal on Host: File Deletion

Inhibit System Recovery

Command and Scripting Interpreter: Unix Shell

System Information Discovery

 
   

Scheduled Task/Job

File and Directory Discovery

 
     

Software Discovery: Security Software Discovery

 
     

Process Discovery

 

 

 

Daniel Frank 

Daniel Frank

Daniel Frank is a senior Malware Researcher at Cybereason. Prior to Cybereason, Frank was a Malware Researcher in F5 Networks and RSA Security. His core roles as a Malware Researcher include researching emerging threats, reverse-engineering malware and developing security-driven code. Frank has a BSc degree in information systems.

 

RansomEXX Ransomware | Indicator's of Compromise

IOC

Type

Description

0abaa05da2a05977e0baf68838cff1712f1789e0

6fae9aa52fd89bac83b69c2fbdc65c96e886427f

06606fea0daaa99bd8ebfeb60f19976c20e6bb72

0122efe580848879bb70f40ede63cb2edbfb4163

ccfc9578f721fbad30aa74facf20817abe118bfd

423a2bf7ac322273bdacf638703ea99c44462862

dfc37340f5deaa89681539b0f5c22059aac4c31d

9711cdf002e5b7ecccfa309058d53dde67b029ee

3e6689dc6a8a717b4114a7fe65bba594c597c7b9

18b2704b49828035148aebe9e77b286a30c702b6

e7748b92347f95589fa739cbe5c089046614ce92

427178528152670c68f2f2937f05a5cdfebff1c2

3555aaebe6c113fb8f923a38cb3bd75da6e86277

6185e3514a32d2f3fb9ce292ba514d01584cced8

fc9284b7a140c0d411ebd0eb4752e477d5d213fc

11eec31710902820e79ba1e363d4c1256b75c615

5238ba19bb3c7298ee13fe6eb0cf5f8787c13cd8

24e773aa271fc0636cda6b0966a6034b65cb3052

SHA1

RansomEXX Windows Executable

91ad089f5259845141dfb10145271553aa711a2b

132def0d906a53360bdbdd3da109bfa41bcdbb6c

3bf79cc3ed82edd6bfe1950b7612a20853e28b09

50f191f04aa6cff1d8688a3c5d6cce96739ab6b3

SHA1

RansomEXX Linux Executable

Cybereason Nocturnus
About the Author

Cybereason Nocturnus

The Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.

All Posts by Cybereason Nocturnus