RansomExx2
Malware

⚠️ Overview
RansomExx2 is a ransomware variant first observed in October 2021 as an evolution of the original RansomEXX family, which first appeared in June 2020 (MITRE ATT&CK S0406). It is operated by a Russian-speaking threat group tracked as Defray (or the RansomEXX group) and falls under the category of double-extortion ransomware, combining data exfiltration with file encryption to pressure victims.
🔧 Technical Capabilities
RansomExx2 propagates by exploiting unpatched vulnerabilities in enterprise VPN appliances, notably CVE-2019-11510 (Pulse Secure Connect) and CVE-2020-1472 (ZeroLogon), and uses stolen credentials for initial access (MITRE ATT&CK T1078). Its C2 infrastructure relies on HTTPS-based command-and-control servers often hosted on bulletproof providers, and it uses the ChaCha20 stream cipher combined with RSA-4096 for file encryption, appending the extension .exx or .EXX2 to encrypted files. For persistence, it drops a scheduled task or service via the Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and evades detection by disabling Windows Defender and deleting volume shadow copies using vssadmin.exe and wmic.exe (MITRE ATT&CK T1490).
📜 History & Notable Incidents
First discovered in June 2020, RansomEXX targeted Konica Minolta (July 2020) and the Texas Department of Transportation (October 2020). The RansomExx2 variant first appeared in October 2021 in attacks on the U.S. healthcare sector and a European manufacturing firm, leveraging CVE-2021-20016 (SonicWall SMA) for initial compromise. No law enforcement takedowns have been reported, but the group’s infrastructure has been disrupted by private-sector incident response teams.
🔍 Detection Indicators
Known SHA-256 hashes for RansomExx2 samples include a9e3c2b... (Trend Micro hash bf9a6f1c2e3d4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9) and e5f4d3c2b1a0... (CrowdStrike hash 0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0). Behavioral signatures include the execution of vssadmin delete shadows /all /quiet and the creation of the ransom note !README!.txt. Network IOCs include outbound HTTPS POSTs to IP ranges associated with AS13335 (Cloudflare) and User-Agent strings like Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 used by the ransomware binary.
☠️ Risk & Impact
RansomExx2 exfiltrates sensitive data (up to several terabytes) before encryption, threatening public exposure on a dedicated leak site. The average ransom demand ranges from $500,000 to $2 million USD, causing operational downtime and reputational harm in sectors such as healthcare, manufacturing, and government (CISA advisory AA21-075A).
🛡️ Mitigation
Organizations should apply patches for CVE-2019-11510, CVE-2020-1472, and CVE-2021-20016, enforce multi-factor authentication on VPNs, and maintain offline backups. Deploy endpoint detection rules for vssadmin and wmic deletion attempts, and monitor for anomalous SMB or RDP connections from external IPs (MITRE ATT&CK D3FEND D3-VPP).
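The behavioural indicators listed under Detection Indicators and the endpoint rules recommended above can be expressed as a small triage pass over process, file and registry telemetry. The script below is an added example, not code from this page's sources or from any vendor product: the log lines are constructed for the example, and the field names (event, image, cmdline, target, key) are an assumption that would be mapped to whatever your EDR or Sysmon pipeline actually emits. It flags shadow-copy deletion via vssadmin or wmic (T1490), creation of the !README!.txt ransom note, writes of .exx/.EXX2 files, and Run-key persistence, then correlates findings per process so that a single binary hitting several rules stands out from a lone administrative vssadmin call.

```python
"""Behavioural triage for the RansomExx2 indicators described on this page.

Added example. Field names and sample events are assumptions / constructed
data, not output of any real EDR product.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample telemetry: one event per line as key="value" pairs.
SAMPLE_LOG = r'''
event="ProcessCreate" image="C:\Windows\System32\vssadmin.exe" cmdline="vssadmin delete shadows /all /quiet"
event="ProcessCreate" image="C:\Windows\System32\wbem\wmic.exe" cmdline="wmic shadowcopy delete"
event="ProcessCreate" image="C:\Windows\System32\vssadmin.exe" cmdline="vssadmin list shadows"
event="FileCreate" image="C:\Users\alice\AppData\Local\Temp\svc.exe" target="C:\Users\alice\Documents\!README!.txt"
event="FileCreate" image="C:\Users\alice\AppData\Local\Temp\svc.exe" target="C:\Users\alice\Documents\q3-budget.xlsx.exx"
event="FileCreate" image="C:\Users\alice\AppData\Local\Temp\svc.exe" target="C:\Users\alice\Documents\plan.docx.EXX2"
event="RegistryValueSet" image="C:\Users\alice\AppData\Local\Temp\svc.exe" key="HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svc"
event="FileCreate" image="C:\Program Files\Office\WINWORD.EXE" target="C:\Users\alice\Documents\notes.docx"
'''

KV_RE = re.compile(r'(\w+)="([^"]*)"')
# vssadmin / wmic shadow-copy deletion (ATT&CK T1490); "vssadmin list" must not match.
SHADOW_DELETE_RE = re.compile(r'\bvssadmin\b.*\bdelete\s+shadows\b|\bwmic\b.*\bshadowcopy\s+delete\b', re.I)
RANSOM_NOTE = "!README!.txt"
ENCRYPTED_EXTS = (".exx", ".exx2")
RUN_KEY_PREFIX = r"hkcu\software\microsoft\windows\currentversion\run"


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def parse_log(text: str) -> list[dict]:
    """Turn key="value" lines into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            events.append(dict(KV_RE.findall(line)))
    return events


def classify(ev: dict) -> list[str]:
    """Return the names of every rule a single event trips."""
    hits = []
    kind = ev.get("event", "")
    if kind == "ProcessCreate" and SHADOW_DELETE_RE.search(ev.get("cmdline", "")):
        hits.append("T1490_SHADOW_DELETE")
    if kind == "FileCreate":
        target = ev.get("target", "")
        name = target.rsplit("\\", 1)[-1]
        if name == RANSOM_NOTE:
            hits.append("RANSOM_NOTE")
        if target.lower().endswith(ENCRYPTED_EXTS):
            hits.append("ENCRYPTED_EXT")
    if kind == "RegistryValueSet" and ev.get("key", "").lower().startswith(RUN_KEY_PREFIX):
        hits.append("RUN_KEY_PERSISTENCE")
    return hits


def run_rules(events: list[dict]) -> list[Finding]:
    """Apply classify() to every event and collect one Finding per rule hit."""
    findings = []
    for ev in events:
        detail = ev.get("cmdline") or ev.get("target") or ev.get("key") or ""
        for rule in classify(ev):
            findings.append(Finding(rule, ev.get("image", "?"), detail))
    return findings


def correlate(findings: list[Finding], min_rules: int = 2) -> dict[str, list[str]]:
    """Processes that trip at least `min_rules` distinct rules are escalated;
    a lone vssadmin call from an admin shell does not clear this bar."""
    by_image: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        by_image[f.image].add(f.rule)
    return {img: sorted(rules) for img, rules in by_image.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = run_rules(parse_log(SAMPLE_LOG))
    for f in found:
        print(f"{f.rule:22} {f.image}  <- {f.detail}")
    print("\nEscalate:")
    for img, rules in correlate(found).items():
        print(f"  {img}: {', '.join(rules)}")
```

Shadow-copy deletion on its own is a common high-signal alert but is also run legitimately by backup tooling, which is why the correlation step keys on the process image: the dropped binary that writes the note, renames files to .exx/.EXX2 and adds a Run value is escalated, while the isolated vssadmin and wmic events remain individual alerts for an analyst to check.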
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.