RansomEXX Ransomware (c8bbabe2-1b06-4ba5-b505-623e25eb8f6c)
RansomEXX is a ransomware family that targeted multiple large companies starting in 2020. A little after the first wave of infections, a Linux variant of the ransomware started spreading as well. The actors behind RansomEXX seem to be after big corporations to extort as much money as possible.
RansomEXX bears resemblances with the Defray777 ransomware. The Linux version is a simple piece of malware. It does not contain any code to terminate processes like security software, does not wipe free space like the Windows version does, and does not communicate with a command and control server.
Infections usually occur by the actors gaining a foothold within a target infrastructure and compromising as many systems as possible before manually installing the ransomware.
If the victim pays the ransom, they will receive both a Linux and Windows decryptor with the corresponding RSA-4096 private key and encrypted file extension embedded in the executable. The Linux decryptor is named 'decryptor64' and is a command-line driven decryptor.[Kaspersky November 6 2020][BleepingComputer November 6 2020][McAfee What is Ransomware]
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| RansomEXX Ransomware (c8bbabe2-1b06-4ba5-b505-623e25eb8f6c) | Tidal Software | Gold Dupont (ebf63407-9772-4f38-93ad-48b8c9bb0bcf) | Tidal Groups | 1 |