Skip to content
Ransomware group

RansomExx

RansomExx is a human-operated ransomware family and operation, active since 2018 and widely reported as a rebranded version of Defray777 that became significantly more active from June 2020 onward.

Profile source: Mallory opens in a new tab

RansomExx

Family profile

RansomExx is a human-operated ransomware family and operation, active since 2018 and widely reported as a rebranded version of Defray777 that became significantly more active from June 2020 onward. It has been associated with the threat group GOLD DUPONT, and Microsoft tracks related operator activity as Storm-2460 in more recent reporting. RansomExx has been linked to high-profile attacks against large organizations and government entities, including Brazil government networks, the Texas Department of Transportation, Konica Minolta, IPG Photonics, Tyler Technologies, and the French health insurer MNH. Reported victim geographies include the United States, Canada, and Brazil.

The malware is used in double-extortion style intrusions: operators compromise victim networks, harvest unencrypted files for extortion, obtain administrator credentials, and then deploy ransomware broadly across the environment. Observed initial access and intrusion tooling includes phishing emails with password-protected ZIP archives containing malicious macro-enabled Word documents, IcedID as an initial access vector, Vatet loader for payload delivery, and Pyxie plus Cobalt Strike for post-compromise activity. Trend Micro reported an intrusion chain progressing from initial access to ransomware deployment in about five hours, with lateral movement observed over SMB.

RansomExx also has a Linux variant. Reporting describes a 64-bit ELF sample targeting Linux servers and VMware-related environments, especially systems serving as storage for VMware files. The Linux variant performs multi-threaded encryption, uses mbedtls to generate AES keys, encrypts those keys with a hardcoded RSA-4096 public key, and requires a target directory as a command-line argument to begin recursive encryption and ransom note creation. RansomExx is also specifically noted as capable of encrypting files on VMware ESXi shared virtual hard drives, and it has been listed among notable Linux malware.

For defense evasion, RansomExx has been observed disabling Windows Security logs after encryption using wevtutil, and it is cited in ATT&CK-related reporting for disabling Windows event logging. More recent reporting links RansomExx/Storm-2460 to use of the modular backdoor PipeMagic. PipeMagic has been observed beaconing to a known RansomExx domain and has been associated with fake ChatGPT-themed lures, remote access, data theft, and follow-on ransomware activity. ReliaQuest and other reporting also tied RansomExx-linked activity to exploitation of SAP NetWeaver vulnerabilities CVE-2025-31324 and CVE-2025-42999, with web-shell deployment, PipeMagic delivery, attempted Brute Ratel C2 deployment via inline MSBuild task execution, and attempted exploitation of the Windows CLFS privilege-escalation vulnerability CVE-2025-29824. In the observed SAP NetWeaver incidents, reporting stated no ransomware payloads were successfully deployed.

Known operational characteristics directly mentioned in the source material include Tor-based ransom negotiation infrastructure, use of ProtonMail for negotiations in at least one case, test decryption offers, theft of unencrypted files for leverage, deployment after administrator-level access is obtained, Windows log disabling via wevtutil, Linux/ESXi targeting, and association with PipeMagic in recent campaigns.

Ransomware.live

Operational record

View group record β†—

Credential Theft

  • LaZagne
  • Mimikatz
  • ProcDump

LOLBAS

  • BCDEdit
  • Windows Event Utility (wevtutil)

Offsec

  • Cobalt Strike

Ransomware.live

Recent claims

All published claims β†—

Reported operators

Threat actors

2 named in public reporting
Gold Dupont

Later in 2023, the same organization was targeted by the GOLD DUPONT threat group, which distributes the RansomExx ransomware.

RansomEXX

ReliaQuest revealed that the RansomEXX and BianLian ransomware operations have also joined these attacks, although no ransomware payloads were successfully deployed.

Exploited software

Vulnerabilities linked to RansomExx

6 CVEs

MITRE ATT&CK

RansomExx in ATT&CK

8 distinct techniques

Reporting

Research mentioning RansomExx

Feb 13
Cloudatg Insights

AI Development & Software Engineering | CloudATG

...deploy the PipeMagic malware in RansomExx ransomware attacks.

Jan 1
Sophos Threat Research

Unpicking LockBit - 22 Cases of Affiliate Tradecraft | SOPHOS

Later in 2023, the same organization was targeted by the GOLD DUPONT threat group, which distributes the RansomExx ransomware.

Oct 17
Splunk Research

Detection: Wevtutil Usage To Disable Logs | Splunk Security Content

This technique was seen in several ransomware to disable the event logs to evade alerts and detections in compromised host. References https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/

Aug 18
The Record Media

Ransomware gang masking PipeMagic backdoor as ChatGPT desktop app: Microsoft

Kaspersky said in a new blog post on Monday that it saw PipeMagic used alongside a RansomExx ransomware campaign.

Aug 14
Dragos

OT Ransomware Trends: Q2 2025 Analysis & Insights | Dragos

β€œ...CVE-2025-31324… The involvement of groups like BianLian and RansomEXX…”

May 15
Dark Reading

Critical SAP NetWeaver Vuln Faces Barrage of Cyberattacks

"...evidence suggesting involvement from the Russian ransomware group 'BianLian' and the operators of the 'RansomEXX' ransomware family (tracked by Microsoft as 'Storm-2460')..."

May 15
Security Week

Ransomware Groups, Chinese APTs Exploit Recent SAP NetWeaver Flaws

RansomEXX, also tracked as Storm-2460, is known for using the modular backdoor named PipeMagic. ReliaQuest observed the deployment of a PipeMagic sample beaconing to a known RansomEXX domain.

May 14
The Hacker News

BianLian and RansomExx Exploit SAP NetWeaver Flaw to Deploy PipeMagic Trojan

ReliaQuest ... uncovered evidence suggesting involvement from the BianLian data extortion crew and the RansomExx ransomware family, which is traced by Microsoft under the moniker Storm-2460.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.