
RansomExx malware offers new features to bypass detection

Obanla Opeyemi

December 5, 2022 - TuxCare expert team

The APT group DefrayX has released a new version of its RansomExx malware, known as RansomExx2: a Linux variant rewritten in the Rust programming language, possibly to evade antivirus software, since Rust binaries see lower AV detection rates than malware written in more common languages, according to IBM Security X-Force Threat researchers.

Rust has the advantage of being platform-agnostic, in addition to being harder to detect and reverse-engineer. As a result, while the new version of RansomExx runs on Linux, IBM predicts that a Windows version will be available soon, assuming it isn’t already loose and undetected.

RansomExx is a ransomware family that has been active since 2018. It is also known as Defray777 and Ransom X. Since then, it has been linked to a number of attacks on government agencies, manufacturers, and other high-profile entities such as Embraer and GIGABYTE.

RansomExx2 works in the same way as its C++ predecessor, and it accepts a list of target directories to encrypt as command line input. When run, the ransomware recursively traverses each of the specified directories, enumerating and encrypting the files with the AES-256 algorithm.

As input, the ransomware expects to be given a list of directory paths to encrypt. It does not encrypt anything if no arguments are passed to it. The ransomware requires the following command line format in order to execute properly.

When the ransomware is executed, it propagates through the designated directories, identifying and encrypting files. Except for the ransom notes and previously encrypted files, all files greater than or equal to 40 bytes are encrypted.

Each encrypted file gets its own file extension. RansomExx ransomware file extensions are frequently based on a variant of the target company name, sometimes followed by numbers such as ‘911’ or random characters.
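The behaviour described above (recursive traversal, a 40-byte size floor, ransom notes left unencrypted, one victim-specific extension per run) is what an incident responder has to work with after the fact. The script below is an added triage example, not code from this article or from IBM X-Force: it walks the given directories, scores each file's byte entropy, and labels files as suspected ciphertext, ransom-note candidates, too small to have been touched, or normal, then builds a histogram of the extensions found on suspect files. The 64 KiB sampling window, the 7.5 bits/byte threshold, the note-marker words and the `.acme911` sample extension are all assumptions for the demonstration; the sample directory tree is constructed inline.

```python
# Added example (not from the article or IBM X-Force): an incident-response triage
# script that walks directories and flags files that look like ransomware output.
import math
import os
import tempfile
from collections import Counter

MIN_SIZE = 40              # article: only files >= 40 bytes get encrypted
SAMPLE_BYTES = 64 * 1024   # assumption: entropy is measured on the first 64 KiB
ENTROPY_THRESHOLD = 7.5    # assumption: bits per byte; AES ciphertext sits near 8.0
NOTE_MARKERS = ("decrypt", "ransom")  # assumption: wording typical of ransom notes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str) -> str:
    """Label one file: 'small', 'suspect_encrypted', 'ransom_note_candidate' or 'normal'."""
    size = os.path.getsize(path)
    if size < MIN_SIZE:
        return "small"                      # below the encryption floor the article gives
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "suspect_encrypted"          # near-uniform bytes: ciphertext or compressed data
    text = head.decode("utf-8", errors="ignore").lower()
    if all(marker in text for marker in NOTE_MARKERS):
        return "ransom_note_candidate"      # readable text that talks about paying/decrypting
    return "normal"


def scan(roots):
    """Recursively classify every regular file under the given directories."""
    results = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                if os.path.isfile(full) and not os.path.islink(full):
                    results[full] = classify_file(full)
    return results


def suspect_extensions(results):
    """Histogram of extensions on suspect files; ransomware tends to use one per victim."""
    return Counter(os.path.splitext(p)[1] for p, label in results.items()
                   if label == "suspect_encrypted")


def build_sample_tree(root: str) -> None:
    """Constructed sample data: two 'encrypted' files, a note, a small file, a normal doc."""
    os.makedirs(os.path.join(root, "data"))
    uniform = bytes(range(256)) * 16        # stands in for ciphertext (entropy exactly 8.0)
    for name in ("report.docx.acme911", "data/db.sql.acme911"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(uniform)
    with open(os.path.join(root, "!HOW_TO_RESTORE.txt"), "w") as fh:
        fh.write("Your files are encrypted. Contact us to decrypt them; the ransom is ...\n")
    with open(os.path.join(root, "tiny.cfg"), "w") as fh:
        fh.write("debug=1\n")               # 8 bytes: under the 40-byte floor
    with open(os.path.join(root, "notes.md"), "w") as fh:
        fh.write("Meeting notes: patch the web tier, rotate the build keys.\n" * 4)


def demo():
    """Run the scanner over the constructed tree; returns (labels by basename, ext histogram)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        results = scan([root])
        labels = {os.path.basename(p): label for p, label in results.items()}
        return labels, suspect_extensions(results)


if __name__ == "__main__":
    labels, exts = demo()
    for name, label in sorted(labels.items()):
        print(f"{label:22} {name}")
    print("suspect extensions:", dict(exts))
```

Entropy alone is a weak signal, since archives, media and already-compressed documents also score close to 8 bits per byte; the extension histogram is what separates an encryption event (one unfamiliar extension suddenly shared by files of many original types) from ordinary binary content, so both outputs should be read together.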

IBM reported that one sample that it analyzed “was not detected as malicious in the VirusTotal platform for at least 2 weeks after its initial submission” and that “the new sample is still only detected by 14 out of the 60+ AV providers represented in the platform.”

The sources for this piece include an article in DarkReading.
