Published on September 03, 2021

The resurgence of RansomEXX

RansomEXX recently gained notoriety due to its attack on Gigabyte, a well-known hardware manufacturer from Taiwan, and an attack against Italy’s Lazio Region. The first attack resulted in the theft of 112GB of business data, and the second crippled the national COVID-19 Vaccination Registration Portal for 6 million people. Though it initially targeted Windows operating systems, RansomEXX has also been seen targeting Linux servers via a separate Linux variant.

While RansomEXX has remained relatively low-profile over the past few years, its latest activities point to its potential resurgence now.

Analysing RansomEXX  

ReaQta’s analysis of RansomEXX found that, like most human-operated ransomware operations, RansomEXX breaches networks and organisations through emails, spear phishing, brute-forcing of Remote Desktop Protocol (RDP) or stolen credentials.

Upon execution, RansomEXX encrypts files on the victim’s machine, then disables file recovery and system restore and leaves a ransom note on the victim’s machine.

RansomEXX ransom note

In some instances, RansomEXX operators have also used a double extortion method after the attack, threatening to leak victims’ data publicly if payment is not received.

ReaQta-Hive’s Behavioural Tree showing the RansomEXX ransomware

Within seconds of an infection, ReaQta-Hive gathers pertinent information to reconstruct the breach. At a glance, analysts can swiftly identify the associated malicious behaviours and techniques applied by attackers and address the entire infection, including complete remediation and clean-up.

Attack information is also mapped against the MITRE ATT&CK cyber kill chain framework, so that analysts can easily understand the current stage of a compromise.

RansomEXX is automatically stopped by ReaQta-Hive within seconds

With ReaQta’s real-time protection capabilities, threats like ransomware are automatically detected and stopped, preventing organisations from becoming the next victim of a ransomware attack. 

In the case of RansomEXX, ReaQta acted within seconds, mitigating hits that would otherwise have led to costly damage and sensitive data exfiltration. In addition to stopping the threat, ReaQta’s AI automatically terminates all malicious processes involved in the incident and then closes the alert, reducing the extra actions the security team needs to take.

AI & ML-powered solutions needed to stay ahead of attackers

Considering the rise of ransomware attacks, solutions that augment behavioral detection capabilities are increasingly becoming a necessity to detect and stop zero-day and unknown threats that range from ransomware to file-less and in-memory attacks.

Behavioural solutions, together with proactive threat hunting capabilities, are starting to become the centerpiece of any organization’s security strategy. This ensures that no dormant or hidden threats are allowed to lurk within your infrastructure. 

Relying on traditional protection methods alone may no longer suffice today, as their visibility is limited, which increases the risk of a cyber breach.

Using unmatched levels of automation, AI & Machine Learning, ReaQta autonomously detects ransomware behaviour and actively handles threats as they unfold so that organizations can stay protected against ransomware.

ReaQta’s recommendations

  1. Cybersecurity awareness is imperative. Employees are the first line of defense, but they are also the most vulnerable. Organizations should make sure that employees are properly trained to flag anything that is potentially suspicious. All staff should be equipped to identify and flag possible phishing emails and be aware of how various business scams work.
  2. Enable 2-Factor Authentication (2FA) / Multi-factor Authentication (MFA), as this protects your mail, cloud documents and VPN access. It is becoming increasingly obvious that most attacks start off via email. This is a low-cost option that is highly effective. For those leveraging Microsoft O365 or other platforms, do follow the best-practice guides that are readily available. This will strengthen the overall security posture of your organization.
  3. Ensure that Ransomware Behavior Protection policy is enabled. This will help prevent interruptions to your business.
  4. Constantly test your defences. Do not just focus on implementing security measures, but ensure that the entire process works from early detection to incident response. Should there be a lack of resources for consistent threat monitoring and mitigation, ReaQta-MDR provides 24/7 security monitoring and will provide an immediate response when a new potential threat is discovered.

To learn more about what makes ReaQta unique, please visit Why ReaQta and apply for a demonstration.