What is RansomEXX?

TSTT House on Edward Street, Port of Spain. - FILE PHOTO

TSTT recently suffered a cyber attack by a group known as RansomEXX.

The group uses a type of malware – malicious software – known as ransomware: it infects computer systems, encrypts an entity's data and locks users out until a ransom has been paid online in exchange for a decryption key.

The website Tech News T&T (TNT&T), run by Newsday columnist Mark Lyndersay, recently published an article by Shiva Parasram of the Computer Forensics and Security Institute titled "Fifty things I learned about the RansomEXX group."

"They target a broad range of file extensions, ensuring vital data gets encrypted," Parasram said.

"They can remain in networks for days to weeks before launching the ransomware."

He said RansomEXX came into the spotlight around 2020, primarily targeting notable organizations.

"RansomEXX employs strong encryption, making it difficult to restore files without their decryptor.

"While selective, they have targeted entities across various continents. They have a penchant for large corporations and public sector organizations."

He said despite RansomEXX being selective, no industry was truly safe from their attention.

Parasram said the group often steals sensitive data before encrypting it.

"They not only encrypt but threaten to leak stolen data if ransoms aren’t paid."

Their ransom communications are typically customized based on the victim, he said.

The group usually operates independently but has offered ransomware-as-a-service.

"Deceptive emails are often their initial entry method into networks," Parasram said. "Vulnerable VPNs have been a notable point of entry."

"RansomEXX capitalizes on outdated and vulnerable software, especially public-facing applications."

Parasram said the group utilises legitimate software tools such as Mimikatz, PowerShell Empire, Cobalt Strike, BloodHound, Rclone and AdFind.

"Before an attack, they spend time researching potential victims for maximum impact."

RansomEXX customizes their attack methods based on the target’s environment.

"Their demands can be exorbitant, reflecting their target’s perceived ability to pay."

They often provide a communication channel for ransom negotiations. Parasram said the group has varied victims.

"Targets have included healthcare, government entities, and critical infrastructure.

"As of the last known update, no public decryption tool can counter RansomEXX."

The best defence against their attack is having secure and isolated backups, Parasram advised.

"Their techniques and tools evolve to counteract defences."

He said training staff to spot phishing and suspicious behaviour could prevent initial access.

"Quick detection and response can mitigate the damage they cause.

"Employing a multi-layered security approach is crucial in defending against groups like RansomEXX."
