- Ransomware Spotlight: RansomEXX
Our telemetry shows data on RansomEXX activity or attack attempts from March 31, 2021 to March 31, 2022. We observed RansomEXX activity from all over the globe, but the heaviest concentration was in the USA and France, followed by Brazil. The reason behind this observation is the 2021 RansomEXX attack on a major hardware manufacturer in Taiwan.
Figure 1. Countries with the highest number of attack attempts for the RansomEXX ransomware (March 31, 2021 to March 31, 2022). Source: Trend Micro™ Smart Protection Network™
Based on our detections, RansomEXX was most active in the manufacturing sector, followed by the education and banking sectors. Overall, the differences are relatively slim given the small sample size.
Figure 2. Industries with the highest number of attack attempts for AvosLocker ransomware (March 31, 2021 to March 31, 2022). Source: Trend Micro™ Smart Protection Network™
| Initial Access | Execution | Defense Evasion | Discovery | Impact |
|---|---|---|---|---|
| T1078 - Valid Accounts | T1059.003 - Command-Line Interface: Windows Command Shell | T1140 - Deobfuscate/Decode Files or Information | T1082 - System Information Discovery | T1486 - Data Encrypted for Impact |
| | | T1562.001 - Impair Defenses: Disable or Modify Tools | T1049 - System Network Connections Discovery | T1489 - Service Stop |
| | | | T1083 - File and Directory Discovery | T1490 - Inhibit System Recovery |
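The technique table is most useful to a detection team when the individual techniques are correlated per host: a single stopped service is routine noise, but a remote logon, a command shell, a service stop, disabled protection and deleted recovery points on one host inside half an hour is the RansomEXX pattern. The script below is an added example (not Trend Micro code) that tags constructed, simplified endpoint events with the technique IDs from the table above and raises an alert only when several distinct techniques cluster on one host. The event schema (`host`, `time`, `kind`, `detail`), the keyword rules, and the 30-minute window are assumptions made for illustration.

```python
"""Correlate simplified endpoint events against the RansomEXX technique set.

Added example, not part of the original article. SAMPLE_EVENTS are
constructed records in an assumed normalized schema, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Technique IDs and names as listed in the article's MITRE table.
TECHNIQUES = {
    "T1078": "Valid Accounts",
    "T1059.003": "Windows Command Shell",
    "T1562.001": "Impair Defenses: Disable or Modify Tools",
    "T1489": "Service Stop",
    "T1490": "Inhibit System Recovery",
    "T1486": "Data Encrypted for Impact",
}

# Constructed sample events (assumed schema). One host shows the full chain,
# the other shows a lone service stop that must NOT produce an alert.
SAMPLE_EVENTS = [
    {"host": "srv-db01", "time": "2022-03-10T02:01:00", "kind": "logon",
     "detail": "user=backup_admin src=10.9.9.50 type=remote"},
    {"host": "srv-db01", "time": "2022-03-10T02:03:10", "kind": "process",
     "detail": "cmd.exe spawned from non-interactive session"},
    {"host": "srv-db01", "time": "2022-03-10T02:03:15", "kind": "service",
     "detail": "MSSQLSERVER entered stopped state"},
    {"host": "srv-db01", "time": "2022-03-10T02:04:00", "kind": "av",
     "detail": "real-time protection disabled"},
    {"host": "srv-db01", "time": "2022-03-10T02:05:30", "kind": "backup",
     "detail": "shadow copies deleted"},
    {"host": "ws-hr07", "time": "2022-03-10T09:15:00", "kind": "service",
     "detail": "Spooler entered stopped state"},
]


def parse_time(value):
    """Parse the ISO-8601 timestamp used by the constructed schema."""
    return datetime.fromisoformat(value)


def classify(event):
    """Return the set of technique IDs one event evidences.

    The keyword rules are hypothetical and tied to the assumed schema; a real
    deployment would key on concrete event IDs from its EDR or SIEM.
    """
    kind, detail = event["kind"], event["detail"].lower()
    hits = set()
    if kind == "logon" and "type=remote" in detail:
        hits.add("T1078")          # legitimate account used remotely
    if kind == "process" and detail.startswith("cmd.exe"):
        hits.add("T1059.003")      # Windows command shell
    if kind == "service" and "stopped" in detail:
        hits.add("T1489")          # service stop
    if kind == "av" and "disabled" in detail:
        hits.add("T1562.001")      # security tooling disabled
    if kind == "backup" and "shadow copies deleted" in detail:
        hits.add("T1490")          # recovery inhibited
    return hits


def correlate(events, window_minutes=30, min_techniques=3):
    """Per host, alert when >= min_techniques distinct techniques occur
    within one sliding window. Returns {host: sorted technique IDs}."""
    by_host = defaultdict(list)
    for ev in events:
        techs = classify(ev)
        if techs:
            by_host[ev["host"]].append((parse_time(ev["time"]), techs))

    window = timedelta(minutes=window_minutes)
    alerts = {}
    for host, tagged in by_host.items():
        tagged.sort(key=lambda item: item[0])
        for i, (start, _) in enumerate(tagged):
            seen = set()
            for when, techs in tagged[i:]:
                if when - start > window:
                    break
                seen |= techs
            if len(seen) >= min_techniques:
                alerts[host] = sorted(seen | set(alerts.get(host, [])))
    return alerts


if __name__ == "__main__":
    for host, techs in correlate(SAMPLE_EVENTS).items():
        names = ", ".join(f"{t} ({TECHNIQUES[t]})" for t in techs)
        print(f"ALERT {host}: {names}")
```

Running the script alerts on `srv-db01` with five techniques and stays silent on `ws-hr07`, whose single service stop falls below the threshold. The threshold and window are the knobs to tune against your own baseline of legitimate administrative activity.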
Security teams can watch out for the presence of the following malware tools and exploits that are typically used in RansomEXX attacks:
Initial Access | Execution | Discovery | Lateral Movement | Impact |
---|---|---|---|---|
RansomEXX is not as active as it was in 2020, when a run of consecutive attacks made it one of the newer ransomware families to watch out for. However, as a highly targeted and human-operated ransomware, its attacks significantly affect victims and their reputation. The combination of memory-based techniques, legitimate Windows tools, and post-intrusion activity contributes a great deal to RansomEXX's success.
Preventing the attacks from the outset is key to avoiding the worst of ransomware campaigns. Organizations should learn from past RansomEXX campaigns and be vigilant against initial access tactics. Users should be wary of enabling macros, and of documents that prompt them to do so.
To help defend systems against similar threats, organizations can establish security frameworks that allocate resources systematically toward building solid defenses against ransomware.
Here are some best practices that can be included in these frameworks:
A multilayered approach can help organizations guard possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior can also help protect enterprises.
The IOCs for this article can be found here. Actual indicators might vary per attack.