Credential Theft
- LaZagne
- Mimikatz
- ProcDump
RansomExx is a human-operated ransomware family and operation, active since 2018 and widely reported as a rebranded version of Defray777 that became significantly more active from June 2020 onward.
Profile source: Mallory opens in a new tabRansomExx
RansomExx is a human-operated ransomware family and operation, active since 2018 and widely reported as a rebranded version of Defray777 that became significantly more active from June 2020 onward. It has been associated with the threat group GOLD DUPONT, and Microsoft tracks related operator activity as Storm-2460 in more recent reporting. RansomExx has been linked to high-profile attacks against large organizations and government entities, including Brazil government networks, the Texas Department of Transportation, Konica Minolta, IPG Photonics, Tyler Technologies, and the French health insurer MNH. Reported victim geographies include the United States, Canada, and Brazil.
The malware is used in double-extortion style intrusions: operators compromise victim networks, harvest unencrypted files for extortion, obtain administrator credentials, and then deploy ransomware broadly across the environment. Observed initial access and intrusion tooling includes phishing emails with password-protected ZIP archives containing malicious macro-enabled Word documents, IcedID as an initial access vector, Vatet loader for payload delivery, and Pyxie plus Cobalt Strike for post-compromise activity. Trend Micro reported an intrusion chain progressing from initial access to ransomware deployment in about five hours, with lateral movement observed over SMB.
RansomExx also has a Linux variant. Reporting describes a 64-bit ELF sample targeting Linux servers and VMware-related environments, especially systems serving as storage for VMware files. The Linux variant performs multi-threaded encryption, uses mbedtls to generate AES keys, encrypts those keys with a hardcoded RSA-4096 public key, and requires a target directory as a command-line argument to begin recursive encryption and ransom note creation. RansomExx is also specifically noted as capable of encrypting files on VMware ESXi shared virtual hard drives, and it has been listed among notable Linux malware.
For defense evasion, RansomExx has been observed disabling Windows Security logs after encryption using wevtutil, and it is cited in ATT&CK-related reporting for disabling Windows event logging. More recent reporting links RansomExx/Storm-2460 to use of the modular backdoor PipeMagic. PipeMagic has been observed beaconing to a known RansomExx domain and has been associated with fake ChatGPT-themed lures, remote access, data theft, and follow-on ransomware activity. ReliaQuest and other reporting also tied RansomExx-linked activity to exploitation of SAP NetWeaver vulnerabilities CVE-2025-31324 and CVE-2025-42999, with web-shell deployment, PipeMagic delivery, attempted Brute Ratel C2 deployment via inline MSBuild task execution, and attempted exploitation of the Windows CLFS privilege-escalation vulnerability CVE-2025-29824. In the observed SAP NetWeaver incidents, reporting stated no ransomware payloads were successfully deployed.
Known operational characteristics directly mentioned in the source material include Tor-based ransom negotiation infrastructure, use of ProtonMail for negotiations in at least one case, test decryption offers, theft of unencrypted files for leverage, deployment after administrator-level access is obtained, Windows log disabling via wevtutil, Linux/ESXi targeting, and association with PipeMagic in recent campaigns.
Ransomware.live
Ransomware.live
Reported operators
Later in 2023, the same organization was targeted by the GOLD DUPONT threat group, which distributes the RansomExx ransomware.
ReliaQuest revealed that the RansomEXX and BianLian ransomware operations have also joined these attacks, although no ransomware payloads were successfully deployed.
Exploited software
MITRE ATT&CK
Reporting
...deploy the PipeMagic malware in RansomExx ransomware attacks.
Later in 2023, the same organization was targeted by the GOLD DUPONT threat group, which distributes the RansomExx ransomware.
This technique was seen in several ransomware to disable the event logs to evade alerts and detections in compromised host. References https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/
Kaspersky said in a new blog post on Monday that it saw PipeMagic used alongside a RansomExx ransomware campaign.
β...CVE-2025-31324β¦ The involvement of groups like BianLian and RansomEXXβ¦β
"...evidence suggesting involvement from the Russian ransomware group 'BianLian' and the operators of the 'RansomEXX' ransomware family (tracked by Microsoft as 'Storm-2460')..."
RansomEXX, also tracked as Storm-2460, is known for using the modular backdoor named PipeMagic. ReliaQuest observed the deployment of a PipeMagic sample beaconing to a known RansomEXX domain.
ReliaQuest ... uncovered evidence suggesting involvement from the BianLian data extortion crew and the RansomExx ransomware family, which is traced by Microsoft under the moniker Storm-2460.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.