RansomExx - Who They Are and How to Protect Yourself From Them

Posted by Trevagh Stankard on Mon, Mar 8th, 2021

RansomExx is one of the newest notorious ransomware gangs that continue to implement cyberattacks across the world.  The RansomExx ransomware gang has been in operation since 2018 but came into prominence in 2020 after infecting a variety of high profile organizations.  Some of their victims have included Konica Minolta, Tyler Technologies, the Montreal transit system, the Texas Department of Transportation and the Brazilian judiciary. 

While RansomExx originally only targeted Windows systems, they have modified their attack methods to accommodate Linux servers as well.  The latest target in February was the Mutuelle Nationale des Hospitaliers (MNH), a French health insurance company which left computer systems and telephone services offline.  RansomExx is but another sign that ransomware continues to flourish.  It is interesting to note that most ransomware attacks are carried out by less than two dozen gangs.

Details about the Malware

The criminal gang gets its name from the ransomware strain it uses called RansomExx.   RansomExx is a Trojan based ransomware strain that uses email as its delivery method.  The email features a protected Word document containing a malicious macro.  As many users now disable macros by default, the email contains a message that encourages users to enable macro content.  Once activated, the macro downloads a Trojan from a malicious URL which then establishes itself on the victim’s machine. 

Trojan Based Malware

The Trojan based malware then seeks out an account with admin credentials and spreads itself across the network, harvesting unencrypted files for extortion purposes.  Once the encryption process is complete, victims are then alerted by an email informing them of the encrypted status of their files.  The email explains that they can email one encrypted document for the attackers to decrypt in order to demonstrate their abilities.  The lock screens on the infected computers contain a counter that ticks away with a warning that should the required ransom not be paid before the time expires, all files will be permanently lost. 

Two Notorious Attacks Involving RansomExx

This year, RansomExx was one of two ransomware gangs that targeted two known vulnerabilities in VMware ESXi.  VMware is the most popular server virtualization platforms on the market.  The attacks used the Service Location Protocol (SLP) within the ESXi platform to send SLP requests to other ESXi devices to take control of them, allowing the attackers to bypass the VMware vCenter server that houses the central manager.  The attackers then encrypted the virtual drives hosted on those systems, thus bringing down the servers that utilize those drives.  Organizations that have ESXi environments are encouraged to implement patchesCVE-2019-5544 and CVE-2020-3992 ASAP or disable SLP support to prevent attacks if the protocol isn't needed.

Last November, the group was able to hit Embraer, a large Brazilian based aircraft manufacturer that is the third largest producer of commercial airliners behind Boeing and Airbus.  The company was able to avoid the ransom by restoring its files after the discovery of the attack.  As part of the attack, however, the cybercriminals copied some of the files they encrypted.  As a vengeful play in response to avoiding the ransom, the attackers published the stolen files on the dark web.  The company confirmed this but stated that only files from a single repository had been compromised.  This practice has become commonplace in the past year as hackers now threaten to publish sensitive or proprietary files in case the victim is able to recover from the encryption attack.

How to Protect Yourself from a Ransomware Attack

The most effective way to protect yourself from a ransomware attack is to prepare for the worst. This includes a well designed backup strategy.  Of course, the backup system needs to be defended against an attack as well, which entails placing it on an isolated VLAN with some type of firewall protecting it.  Primary backups should have a carbon copy as that resides either in the cloud or on portable media.  Your backup system should be tested regularly in order to guarantee restoration ability for any and all files.

You also need a way to stop the entry of ransomware variants.  As Email has been and continues to be the primary deployment methodology for ransomware, a modern day email security system such as SpamTitan is an absolute must.  This next generation security system utilizes double antivirus and advanced phishing protection, supported by Inbuilt Baysian auto-learning and heuristics.  As for Trojan based software attacks such as RansomExx, SpamTitan uses Sandboxing technology that can eradicate malicious attachments and files.  Don’t let RansomExx and other Ransomware gangs push you around. 

Talk to TitanHQ today about anti-ransomware solutions. Get in contact with a TitanHQ team member today.