RansomExx is a ransomware variant responsible for several high-profile attacks in 2020 and has revealed signs of further development and unhampered activity.
It includes the use of trojanized software to deliver malicious payloads and an overall short and fastest attack. The most recently reported development involves the use of newer variants adapted for Linux servers that effectively expanded its range to more than Windows servers.
In the United States, Canada, and Brazil RansomExx malware was found through its monitoring efforts.
RansomExx used to be operated by a threat group, which SecureWorks named GOLD DUPONT, that has been active since 2018”.
Malware like Vatet loader, PyXie, Trickbot, and RansomExx, as well as some post-intrusion tools like Cobalt Strike, are typically part of this threat group’s arsenal.
The experts initially identified the malware as a phishing email with an attached password-protected ZIP file, which is a Word document (detected as Trojan.W97M.SHATHAK.A) with a malicious macro.
It displays a message that enticed users into enabling macro content (as shown in the image below).
After letting the macro inside the document, it will attempt to download the IcedID trojan (detected as TrojanSpy.Win32.ICEDID.BP) from a malicious URL. If the download succeeds, the trojan is executed using regsvr32.exe.
In this case, it used steganography as a method to deliver the payload through a .png file downloaded from a malicious URL.
The file is decrypted, and the payload is injected into memory. For persistence, IcedID creates a scheduled task to run hourly, in which it again uses regsvr32.exe to run its malicious DLL.
Now, msiexec.exe is used to inject and deploy the final IcedID payload. With the final payload, the attacker will be able to load and execute the Cobalt Strike payload, allowing it to communicate with the command and control (C&C) server.
After establishing a connection to the malicious server, the threat actor will start to gather machine information and move laterally.
Linux variant of RansomExx to compromise Linux servers
Experts observed that a new Linux variant of RansomEXX aiming for the VMware environment, particularly machines that serve as storage for the VMware files.
The experts analysed three variants of RansomExx for Linux using Trend Micro Telfhash, and all three samples shared the same behavior. The sample is multi-thread and goes straight to encryption. It has no network activities, no anti-analysis techniques, or other activities outside its main agenda.
- Users must download files only from trusted and legitimate sources to prevent the entry of malicious files into their system.
- Users should avoid enabling macros, and should be cautious of documents that prompt them to do so.
Hence, more robust security measures can prevent ransomware and other threats from having a strong impact on systems.