
RansomEXX (Defray777) Ransomware Group: Dark Web Data Leaks Case Study

  • securedmonk
  • May 28
  • 13 min read

The evolution of targeted cyber extortion has seen financially motivated groups transition into highly structured syndicates that operate with the efficiency of legitimate enterprises. Among these, the RansomEXX Ransomware Group (also tracked under the aliases Sprite Spider and Gold Dupont) represents a sophisticated, multi-platform threat. Emerging in 2017 as a small, targeted operation, the group was an early adopter of double-extortion tactics and of "hypervisor jackpotting": the direct targeting and encryption of host hypervisors such as VMware ESXi.

This case study provides a technical and operational analysis of the RansomEXX group, outlining its background, attack lifecycle, technical mechanics, and leak site strategies.


Operational Indicator | Profile Details
First Observed | August 2017 (operating as Defray)
Active Period | 2017 – Present
Aliases | Defray, Defray777, Ransom X, RansomExx2, Sprite Spider, Gold Dupont
Ransomware Type | Multi-Platform Hybrid Cryptographic Locker (Windows, Linux, VMware ESXi)
Motivation | Financial Gain / Big Game Hunting (BGH)
Operating Model | Human-Operated, Private / Semi-Private Ransomware-as-a-Service (RaaS)
Target Sectors | Government, Healthcare, Manufacturing, Technology, Finance, Telecom
Known Victim Regions | Global (North America, Europe, South America, and Asia)
Leak Site Presence | Tor-based Onion Disclosures Portal (RansomEXX v2 / RansomExx2)
Extortion Model | Double Extortion (Local Encryption + Prior Data Exfiltration)


Threat Actor Background & Evolution


The development of the RansomEXX toolset demonstrates a continuous effort to bypass automated security boundaries. The syndicate first appeared in August 2017 under the moniker "Defray," carrying out low-volume, highly targeted spear-phishing campaigns against specific enterprise targets. These early campaigns relied on macro-enabled Microsoft Word attachments to deliver C++ payloads directly to disk, requiring considerable user interaction and social engineering to establish a foothold.


By 2018, the threat group modernized its codebase, transitioning to the "Defray777" variant. During this phase, the group integrated modular remote access tools and memory-only loaders. They deployed the PyXie RAT and the Vatet Loader, enabling reflectively loaded, fileless execution that bypassed signature-based endpoint scanners. This allowed the group to establish long-term persistence and conduct internal reconnaissance prior to executing any cryptographic payloads.


In mid-2020, the syndicate rebranded the operation as "RansomEXX," a name derived from the prominent string ransom.exx found within their compiled binaries. Alongside this rebrand, the group shifted to Big Game Hunting (BGH), targeting large public institutions, critical infrastructure providers, and high-revenue corporations. They also launched their first dark web leak site, adopting double-extortion practices by threatening to publish stolen data if the ransom was not met.

 

A major turning point occurred in late 2020 when the group introduced a Linux ELF variant of their ransomware, observed under the file name svc-new. This made RansomEXX one of the first major operations to systematically target VMware ESXi hypervisors. By working at the virtualization layer rather than inside individual guest operating systems, the group could stop and encrypt dozens of virtual servers at once, drastically accelerating their operations.


In late 2022, the group launched "RansomExx2," a rewrite of the ransomware payload in the Rust programming language. This shift was primarily motivated by defense evasion: a Rust toolchain produces binaries whose code patterns, library idioms, and size differ from the C++ builds that existing signatures and analyst tooling were tuned for, which yielded lower antivirus detection rates at release. Despite the change of language, the cryptographic logic and target directory scanning rules remained consistent with the legacy C++ variants.


Timeline of Major Activities


The operational trajectory of RansomEXX is defined by a steady increase in target size and technical sophistication.


Year | Operational Milestones and Campaigns | Strategic and Technical Impact
2017 | Discovery of Defray ransomware in targeted campaigns. Focus on education and healthcare sectors via targeted spear-phishing. | Initial targeted ransomware operations against sector-specific organizations.
2018 | Rebranding of the codebase to Defray777. Integration of Vatet Loader, PyXie RAT, and Cobalt Strike into operations. | Enhanced attack capabilities and improved post-exploitation techniques.
2020 | Rebrand to RansomEXX; launch of Linux ELF and dark web leak portal. | High-profile attacks on Texas Department of Transportation and aviation firm Embraer.
2021 | Expanded targeting of global public utilities and healthcare infrastructure. | Compromise of the Lazio Region COVID-19 vaccination portal in Italy and French MNH health insurance.
2022 | Development of the Rust-compiled "RansomExx2" variant. Attacks on logistics entities and European charities. | Improved evasion and operational flexibility through Rust-based payloads.
2024 | Targeted supply chain intrusions against financial payment networks. | Compromise of Brontoo Technology Solutions, disrupting banking transactions across India.
2025 | Compromise of large-scale SaaS management systems. | Breach of the ADDA community platform, exposing 12 million user and administrative records.
2026 | Sustained deployment of Rust payloads against East Asian enterprises. | Compromise of SOGO Auction and GoTip in Japan, followed by disclosures on Tor portals.


Dark Web Presence Analysis



The RansomEXX dark web presence serves as the primary mechanism for applying pressure during double-extortion campaigns. Operating as a Tor hidden service, the group's "RansomEXX v2" portal functions as a structured public disclosures directory.

The portal's visual architecture is designed to mirror a legitimate corporate press page. It features a simplified, modern layout with dedicated directories in the right sidebar. The group publishes PGP keys and signs its communications, allowing victims and negotiators to verify that a message genuinely comes from the operators rather than from a third party spoofing them.

Below these directories, the portal displays a country-tagging sidebar. This sidebar serves as an index, allowing data brokers and competitors to sort stolen data by country, which increases the pressure on compromised organizations. The main body of the leak portal lists non-compliant victims with specific data metrics, dates, and descriptions:


  • SOGO Auction (Japan): Listed on Friday, April 17, 2026, with 951MB of leaked data. The listing describes the victim as a prominent Japan-based specialized auctioneer with over 30 years of experience in used construction machinery.

  • GoTip (Japan): Listed on Thursday, April 16, 2026, with 1.13GB of leaked data. The listing describes GoTip as a Japanese live-streaming enhancement tool connecting digital tips to physical Bluetooth-enabled devices.

  • ADDA (adda.io): Listed on Friday, March 7, 2025, with tags #usa #uae #india. The group claims to have compromised the residential community management SaaS platform, leaking 12 million resident, visitor, and staff records.


The group's disclosure strategy is systematic. When a victim refuses to negotiate, their profile is published alongside a detailed description of their business model and the volume of stolen data. Rather than releasing the entire database at once, RansomEXX operators often publish a small proof-of-compromise folder. If the victim remains non-compliant, subsequent tranches are published over several weeks, prolonging public exposure and increasing regulatory risk.


Attack Lifecycle: How RansomEXX Compromises Organizations


RansomEXX operations are human-operated and manually executed once access is established, rather than relying on automated propagation.


1. Initial Access

The operators establish initial entry using three primary vectors:

  • Spear-Phishing: Custom phishing emails carrying malicious attachments (such as macro-enabled Word documents) to deploy initial banking trojans or loaders.

  • Vulnerability Exploitation: Exploiting unpatched vulnerabilities in edge systems, remote access points, or software development servers. A notable example is the exploit of the Jenkins Command Line Interface vulnerability (CVE-2024-23897) to gain secure shell (SSH) access to Brontoo Technology Solutions by reading private keys through an unauthenticated file-read flaw.

  • Credential Compromise: Purchasing or brute-forcing Remote Desktop Protocol (RDP) or Virtual Private Network (VPN) credentials.


2. Persistence and Defense Evasion

Once inside, the threat actors establish redundant backdoors:

  • Reflective Memory Loading: In Windows environments, the RansomEXX DLL payload is often loaded directly into memory using custom loaders (like Vatet), avoiding writing executable files to disk and evading file-based scanning by antivirus and Endpoint Detection and Response (EDR) agents.

  • Legitimate Admin Tool Abuse: The operators install remote monitoring and management (RMM) software, such as DattoRMM, to maintain persistent access under the guise of normal administrative activity.

  • Service Termination: The malware actively terminates local security services, endpoint defense agents, database systems, and backup engines to prevent them from blocking the encryption process.


3. Lateral Movement and Privilege Escalation

With initial systems compromised, the actors expand control:

  • Credential Harvesting: Running Mimikatz and PyXie's LaZagne module to extract administrative passwords and active session tokens from LSASS memory and browser databases.

  • Domain Control: Moving laterally via Server Message Block (SMB) administration shares and targeting Active Directory Domain Controllers to obtain domain-wide administrative privileges.


4. Data Exfiltration

Prior to encryption, the actors locate and stage high-value assets:

  • Data Staging: Gathering financial ledgers, employee records, NDA documents, and intellectual property into compressed archives.

  • Upload to C2: Uploading these staged files to attacker-controlled cloud storage accounts using tools like RClone or FTP.


5. Encryption & Extortion

For virtualized infrastructures, RansomEXX carries out "Hypervisor Jackpotting" to maximize leverage:

  • vCenter Access: The actors harvest credentials from browser databases or system memory to authenticate to the VMware vCenter centralized management interface.

  • SSH Enabling: Once authenticated, they enable SSH on target ESXi hosts for direct console access.

  • Payload Deployment: They write the Linux version of RansomEXX (typically named svc-new or similar) to the host's /tmp directory, masquerading as a system daemon.

  • Virtual Machine Termination: Using esxcli vm process list to enumerate running VMs and esxcli vm process kill --type=force --world-id=<id> to terminate each one. Stopping a VM releases the locks on its active disk and swap files (.vmdk and .vswp), making them accessible for encryption.

  • Cryptographic Locking: The ELF binary walks /vmfs/volumes/ recursively and encrypts the virtual machine storage it finds, taking down every workload hosted on the datastore in a single execution.
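Hypervisor jackpotting leaves a characteristic trail in the ESXi host's own logs: enumeration of running VMs, a binary dropped into /tmp, a burst of esxcli vm process kill commands, and then the encryptor launched against /vmfs/volumes. The following Python script is an added example, not code from the original page or from any vendor. It parses constructed /var/log/shell.log lines (format approximated from ESXi 6.x/7.x, where the shell logs each command as "<timestamp> shell[<pid>]: [<user>]: <command>") and correlates the stages into one verdict instead of alerting on each command. The sample lines, the burst threshold, and the stage names are assumptions made for the example.

```python
"""Flag a hypervisor-jackpotting command sequence in ESXi shell logs.

Added example: parses /var/log/shell.log style lines and correlates the
stages described in the text (VM enumeration, binary in /tmp, burst of VM
kills, encryptor launched against /vmfs/volumes). The log format is
approximated and the sample lines are constructed, not captured.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: one operator session performing the full sequence,
# followed by an unrelated administrative command the next morning.
SAMPLE_SHELL_LOG = """\
2026-04-16T21:02:11Z shell[20991]: [root]: esxcli vm process list
2026-04-16T21:02:40Z shell[20991]: [root]: vim-cmd vmsvc/getallvms
2026-04-16T21:03:05Z shell[20991]: [root]: chmod +x /tmp/svc-new
2026-04-16T21:03:31Z shell[20991]: [root]: esxcli vm process kill --type=force --world-id=2100312
2026-04-16T21:03:33Z shell[20991]: [root]: esxcli vm process kill --type=force --world-id=2100355
2026-04-16T21:03:35Z shell[20991]: [root]: esxcli vm process kill --type=force --world-id=2100401
2026-04-16T21:04:02Z shell[20991]: [root]: /tmp/svc-new --do /vmfs/volumes/datastore1
2026-04-17T09:15:00Z shell[31002]: [root]: esxcli system settings kernel list -o execInstalledOnly
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)

# One indicator per stage of the sequence.
VM_ENUM = re.compile(r"\besxcli\s+vm\s+process\s+list\b|\bvim-cmd\s+vmsvc/getallvms\b")
VM_KILL = re.compile(r"\besxcli\s+vm\s+process\s+kill\b")
TMP_BINARY = re.compile(r"(^|\s)/tmp/\S+")
DATASTORE = re.compile(r"/vmfs/volumes")


def parse_shell_log(text):
    """Return {ts, pid, user, cmd} dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "pid": int(m["pid"]),
            "user": m["user"],
            "cmd": m["cmd"],
        })
    return events


def analyze(events, kill_burst=3, window=timedelta(minutes=5)):
    """Correlate the stages; return stages seen, findings, and a verdict.

    A single VM kill is routine administration. The signal is the combination:
    a burst of kills (>= kill_burst within window) plus a binary staged in or
    launched from /tmp, optionally pointed at /vmfs/volumes.
    """
    findings = []
    stages = set()
    kills = [e for e in events if VM_KILL.search(e["cmd"])]
    for i, first in enumerate(kills):
        in_window = [k for k in kills[i:] if k["ts"] - first["ts"] <= window]
        if len(in_window) >= kill_burst:
            stages.add("vm_kill_burst")
            findings.append(("vm_kill_burst", first["ts"],
                             f"{len(in_window)} VM kills within {window}"))
            break
    for e in events:
        if VM_ENUM.search(e["cmd"]):
            stages.add("vm_enumeration")
            findings.append(("vm_enumeration", e["ts"], e["cmd"]))
        if TMP_BINARY.search(e["cmd"]):
            stage = "encryptor_launch" if DATASTORE.search(e["cmd"]) else "tmp_binary"
            stages.add(stage)
            findings.append((stage, e["ts"], e["cmd"]))
    verdict = "vm_kill_burst" in stages and bool(stages & {"tmp_binary", "encryptor_launch"})
    return {"stages": sorted(stages), "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    result = analyze(parse_shell_log(SAMPLE_SHELL_LOG))
    for stage, ts, detail in sorted(result["findings"], key=lambda f: f[1]):
        print(f"{ts.isoformat()}  {stage:<18} {detail}")
    print("jackpotting sequence detected:", result["verdict"])
```

The burst threshold is what separates this from a maintenance window: an operator patching a host also kills VMs, but does not first chmod a binary in /tmp and then point it at the datastore. Feed the same parser /var/log/auth.log to tie the session back to the SSH source address that vCenter enabled.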


MITRE ATT&CK Mapping


The tactical behaviors observed in RansomEXX campaigns are mapped to the MITRE ATT&CK framework below.

Tactic | Technique ID | Technique | Observed Use in RansomEXX Campaigns
Initial Access | T1566.001 | Spearphishing Attachment | Deploying macro-enabled files to deliver initial Vatet loaders
Initial Access | T1190 | Exploit Public-Facing Application | Exploiting unpatched systems such as Jenkins CVE-2024-23897 to gain network entry
Execution | T1059.003 | Windows Command Shell | Executing post-encryption cleanup scripts and recovery-disabling commands
Persistence | T1053.005 | Scheduled Task | Registering scheduled tasks to run loaders and maintain redundant footholds
Defense Evasion | T1620 | Reflective Code Loading | Loading Windows DLL payloads directly into memory to bypass static disk analysis
Defense Evasion | T1562.001 | Disable or Modify Tools | Terminating endpoint security agents and disabling monitoring services
Defense Evasion | T1070.001 | Clear Windows Event Logs | Disabling the Security log and clearing the Setup, System, Application, and Security logs with wevtutil
Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory | Dumping LSASS memory using Mimikatz to harvest domain credentials
Discovery | T1083 | File and Directory Discovery | Scanning directories and network shares for target file paths
Lateral Movement | T1021.002 | SMB/Windows Admin Shares | Propagating installers and loaders across target networks
Collection | T1005 | Data from Local System | Staging intellectual property and sensitive corporate files for exfiltration
Exfiltration | T1567.002 | Exfiltration to Cloud Storage | Compressing staged archives and uploading them with RClone to attacker-controlled cloud storage before encryption
Impact | T1489 | Service Stop | Stopping database, backup, and security services so their files can be encrypted
Impact | T1486 | Data Encrypted for Impact | Using hybrid encryption to lock local, network, and hypervisor storage
Impact | T1490 | Inhibit System Recovery | Deleting Volume Shadow Copies and backup files to block recovery options


Malware Technical Analysis & Cryptography


The cryptographic design of RansomEXX utilizes a hybrid encryption model combining symmetric speed with asymmetric key distribution.


The Cryptographic Workflow

If $M$ represents the plain-text file data and $K_{sym}$ is a randomly generated 256-bit AES key, the ciphertext $C$ is computed as:

$$C=E_{K_{sym}}(M)$$

The symmetric session key is then secured via asymmetric encryption using an embedded 4096-bit Rivest-Shamir-Adleman (RSA-4096) public key ($K_{pub}$), unique to each target organization:

$$K_{enc}=E_{K_{pub}}(K_{sym})$$

This encrypted symmetric key ($K_{enc}$) is appended to the footer of the encrypted file along with a metadata header. Because the plaintext $K_{sym}$ exists on the victim host only transiently in memory, recovering the files without the corresponding RSA-4096 private key, which is held on the actors' negotiation servers, is computationally infeasible.


Execution Parameters

In early Windows builds, the ransomware executed directly in memory without command-line triggers. However, the Rust-compiled RansomExx2 Linux/ESXi variants require a specific command-line argument to execute:

./ransomexx2_sample --do <target_directory_path>

If the binary is launched without the --do flag, it exits immediately without modifying files. This design keeps the malware from detonating inside automated sandboxes that run samples without explicit command-line arguments. To further evade detection, configuration items such as the public RSA key, file extension, and ransom note name are stored XOR-encrypted within the binary and are decrypted only in memory during execution.


Active Recovery Invalidation

To prevent system restoration, RansomEXX executes several native Windows utility commands post-encryption to destroy backup systems and log files:

:: Delete the Update Sequence Number (USN) change journal on drive C:
"C:\Windows\System32\fsutil.exe" usn deletejournal /D C:

:: Delete the local Windows backup catalog
"C:\Windows\System32\wbadmin.exe" delete catalog -quiet

:: Delete all Volume Shadow Copies to block system restores
"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet

:: Disable the Windows recovery environment and boot-failure repair screens
"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no

:: Stop Security log collection, then clear the major event logs
"C:\Windows\System32\wevtutil.exe" sl Security /e:false
"C:\Windows\System32\wevtutil.exe" cl Setup
"C:\Windows\System32\wevtutil.exe" cl System
"C:\Windows\System32\wevtutil.exe" cl Application
"C:\Windows\System32\wevtutil.exe" cl Security

:: Disable the System Restore scheduled task
"C:\Windows\System32\schtasks.exe" /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable

:: Overwrite free space on the system drive so deleted originals cannot be carved back
"C:\Windows\System32\cipher.exe" /w:C:

 

 

Victimology & Target Analysis


RansomEXX campaigns focus on Big Game Hunting (BGH), targeting organizations with high financial stakes, low tolerance for operational downtime, and complex supply chain networks.

Industry Targeting

The group's target profile centers on critical sectors:

  • Manufacturing: Particularly target-rich due to the immediate, high financial cost of assembly line or production halts (e.g., Embraer, Gigabyte).

  • Healthcare: Selected due to the urgent operational pressure to restore critical care systems, making them highly susceptible to extortion.

  • Government & Utilities: Public sector networks often suffer from unpatched legacy equipment and slow incident response, making them accessible targets.

  • Finance & Fintech: Compromising clearing gateways or partner networks allows the group to pressure entire regional banking infrastructures.

Geographic Targeting

The country tags on the RansomEXX leak portal confirm a global operational reach. While early campaigns focused primarily on North American targets, their operational footprint now spans South America, Europe, the Middle East, and East Asia, adjusting their delivery mechanisms to match the language and systems of the target region.


Data Leak Patterns & Extortion Strategy


The RansomEXX business model relies on a double-extortion framework. Under this model, the group uses exfiltrated data as alternative leverage. If a targeted enterprise can restore its files from secure offline backups, the threat of exposing confidential data acts as a second point of pressure to force payment.

                    [ Compromised Network ]
                              │
               ┌──────────────┴──────────────┐
               ▼                             ▼
      [ Data Exfiltration ]        [ Hybrid Encryption ]
               │                             │
               ▼                             ▼
    "Pay to prevent leak"          "Pay to decrypt files"
               │                             │
               └──────────────┬──────────────┘
                              ▼
                     [ Ransom Demand ]


The exfiltrated data generally falls into highly sensitive categories:

  • Proprietary Intellectual Property: CAD schematics, source code, and repair manuals.

  • Employee and Customer PII: Scanned passports, national IDs, and salary files.

  • Financial Ledgers: Audit records, bank transaction logs, and corporate tax filings.

  • Partnership NDAs: Business contracts and technology sharing agreements.


Notable RansomEXX Campaigns / Major Victims


Several high-profile intrusions illustrate the scale and impact of RansomEXX operations.


Texas Department of Transportation (TxDOT)

  • Date: May 2020

  • Sector: Government / Transportation

  • Summary: Threat actors breached the department's administrative network, deploying legacy C++ Windows payloads across regional offices.

  • Impact: The incident disrupted local administrative terminals, halting road scheduling and engineering communications.

  • Lessons: While core engineering systems were isolated and remained safe, the attack demonstrated the vulnerability of state transportation infrastructure to targeted ransomware campaigns.


Lazio Region COVID-19 Vaccination Portal (Italy)

  • Date: August 1, 2021

  • Sector: Public Healthcare / Government

  • Summary: Attackers compromised administrative credentials belonging to an employee of LazioCrea—the managed services provider for the region's IT infrastructure. Accessing the network via a VPN that lacked multi-factor authentication, the actors compromised the virtualized application layer.

  • Impact: The ransomware encrypted virtual servers, halting new vaccine bookings for several days. LazioCrea was forced to shut down all server systems due to a lack of network segmentation, which prevented them from isolating the compromised hosts.

  • Lessons: The Italian Data Protection Authority later fined LazioCrea €271,000 and the Lazio Region €120,000 for failing to implement network segmentation and multi-factor authentication, highlighting the legal and regulatory risks of insecure configurations.


Embraer (Aircraft Manufacturer)

  • Date: November 2020

  • Sector: Aerospace Manufacturing

  • Summary: Attackers compromised the internal corporate network, exfiltrating proprietary files before deploying the cryptographic payload.

  • Impact: Embraer refused to pay the ransom, successfully restoring its systems from offline backups.

  • Lessons: In response, the threat group published proprietary engineering schematics and customer records on their Tor leak site, demonstrating their willingness to carry out data leaks when ransom demands are rejected.


Brontoo Technology Solutions / C-Edge Technologies (India)

  • Date: July 2024

  • Sector: Financial Technology

  • Summary: Attackers exploited CVE-2024-23897, an arbitrary file-read vulnerability on a misconfigured Jenkins server at Brontoo Technology Solutions, a collaborator with C-Edge Technologies. This allowed the threat actors to read private SSH keys and gain initial access.

  • Impact: C-Edge Technologies, which provides core banking solutions to cooperative and regional rural banks, was isolated from retail payment systems to contain the infection. The incident disrupted retail transactions, UPI payments, and ATM withdrawals across more than 200 banks in India.

  • Lessons: This incident showed how a vulnerability in a third-party development environment can cause widespread, cascading disruptions across a country's financial sector.


Indicators of Compromise (IOC)


These Indicators of Compromise are compiled from observed RansomEXX campaigns and technical analysis.


File Indicators

The hashes below (SHA1, SHA256, and one MD5) are associated with malicious loaders, active DLLs, and compiled binaries of RansomEXX.


Artifact Type | Value | Purpose / Description
SHA1 Hash | 0abaa05da2a05977e0baf68838cff1712f1789e0 | RansomEXX Windows Executable
SHA1 Hash | ccfc9578f721fbad30aa74facf20817abe118bfd | RansomEXX Windows Executable
SHA1 Hash | 91ad089f5259845141dfb10145271553aa711a2b | RansomEXX Linux ELF Executable
SHA1 Hash | 132def0d906a53360bdbdd3da109bfa41bcdbb6c | RansomEXX Linux ELF Executable
SHA256 Hash | cb408d45762a628872fa782109e8fcfc3a5bf456074b007de21e9331bb3c5849 | Ransom.Linux.EXX.YAAK-A Payload
SHA256 Hash | 08113ca015468d6c29af4e4e4754c003dacc194ce4a254e15f38060854f18867 | Ransom.Linux.EXX.YAAK-B Payload
MD5 Hash | 377C6292E0852AFEB4BD22CA78000685 | RansomExx2 Rust Linux Binary
Ransom Note Name | !WHY_FILES_ARE_ENCRYPTED!.txt | RansomExx2 Rust default note
Ransom Note Name | !<unique_to_targeted_org>_READ_ME!.txt | Legacy Windows customized note


Network Indicators


These network artifacts are associated with RansomEXX command-and-control communication, exfiltration operations, and dark web portals.

IOC Type | Value | Purpose / Description
Tor URL | | Primary RansomEXX negotiation and data leak portal.
IP Address | | Attacker host IP associated with pre-encryption staging.
IP Address | | Attacker infrastructure IP associated with exfiltration.


Detection Opportunities


Detecting RansomEXX operations requires focusing on early-stage administrative abuse and file system modifications before the final payload is deployed.

Behavioral Indicators and SIEM Rules

SOC teams can identify these activities by monitoring for specific system events:


1. Shadow Copy Deletion (Security Event ID 4688 / Sysmon Event ID 1)

  • Behavior: Deleting Volume Shadow Copies removes the local recovery option before encryption begins.

  • Sigma Rule Logic: Monitor process creation where Image ends with \vssadmin.exe and the command line contains both delete and shadows, or where Image ends with \wmic.exe and the command line contains shadowcopy and delete. Event ID 4688 only carries the command line when the "Include command line in process creation events" audit policy is enabled; Sysmon Event ID 1 records it by default.


2. Event Log Clearing (Security Event ID 1102 / System Event ID 104)

  • Behavior: RansomEXX covers its tracks by disabling and clearing the Windows event logs.

  • SIEM Detection: Alert when Event ID 1102 ("The audit log was cleared") or System Event ID 104 is generated, or when wevtutil.exe runs with arguments containing cl, clear-log, or sl together with /e:false. Because the Security log itself is cleared, this detection only works if events are forwarded off-host before the clear happens.


3. Windows Recovery Invalidation (Security Event ID 4688 / Sysmon Event ID 1)

  • Behavior: Changing the boot status policy and disabling the recovery environment to prevent system-level recovery.

  • SIEM Detection: Monitor bcdedit.exe execution where the command line contains /set together with recoveryenabled no or bootstatuspolicy ignoreallfailures. Treat wbadmin delete catalog, fsutil usn deletejournal, and schtasks /Change against \Microsoft\Windows\SystemRestore\SR with /disable as companions of the same technique; two or more of these on one host within minutes is a strong pre-encryption signal.


4. Fileless DLL Loading (Sysmon Event ID 8 / 10, EDR memory scanning)

  • Behavior: Reflectively loading the ransomware DLL into memory so that no payload file is ever written to disk.

  • EDR Detection: Reflective loading produces no image-load event for the payload itself, so look for its side effects: Sysmon Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess) against lsass.exe or other system processes originating from unsigned binaries or temporary administrative paths, and EDR memory scans for executable regions that are not backed by a file on disk.
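The first three detections above share one weakness when run in isolation: a single vssadmin or wevtutil invocation is often legitimate administration. The following Python script is an added example, not code from the original page or from any SIEM vendor. It expresses the command-line logic as Sigma-style selections (field|modifier keys with case-insensitive endswith, contains, and contains|all matching) over process-creation records, then correlates distinct recovery-inhibition rules per host within a ten-minute window, so the cluster of commands listed under Active Recovery Invalidation raises one high-confidence alert while a lone shadow deletion on a backup server does not. The event records, host names, rule titles, and thresholds are constructed for the example.

```python
"""Sigma-style matching plus per-host correlation for recovery-inhibition commands.

Added example. Records mimic the fields of Sysmon Event ID 1 / Security Event
ID 4688 (Computer, UtcTime, Image, CommandLine); the sample events are
constructed, not captured from an incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# A selection is a dict of "Field|modifier": [patterns]. All fields must match
# (AND); any pattern in a list matches (OR) unless the modifier is
# "contains|all". A rule fires when any one of its selections matches.
RULES = [
    {"title": "Shadow copy deletion", "selections": [
        {"Image|endswith": ["\\vssadmin.exe"], "CommandLine|contains|all": ["delete", "shadows"]},
        {"Image|endswith": ["\\wmic.exe"], "CommandLine|contains|all": ["shadowcopy", "delete"]}]},
    {"title": "Backup catalog deletion", "selections": [
        {"Image|endswith": ["\\wbadmin.exe"], "CommandLine|contains|all": ["delete", "catalog"]}]},
    {"title": "Boot recovery disabled", "selections": [
        {"Image|endswith": ["\\bcdedit.exe"],
         "CommandLine|contains": ["recoveryenabled no", "bootstatuspolicy ignoreallfailures"]}]},
    {"title": "Event log cleared or disabled", "selections": [
        {"Image|endswith": ["\\wevtutil.exe"], "CommandLine|contains": [" cl ", " clear-log ", "/e:false"]}]},
    {"title": "USN journal deletion", "selections": [
        {"Image|endswith": ["\\fsutil.exe"], "CommandLine|contains|all": ["usn", "deletejournal"]}]},
    {"title": "System Restore task disabled", "selections": [
        {"Image|endswith": ["\\schtasks.exe"],
         "CommandLine|contains|all": ["/change", "systemrestore", "/disable"]}]},
    {"title": "Free space wiped", "selections": [
        {"Image|endswith": ["\\cipher.exe"], "CommandLine|contains": ["/w:"]}]},
]


def _event(ts, host, image, cmdline):
    return {"UtcTime": datetime.fromisoformat(ts), "Computer": host,
            "Image": "C:\\Windows\\System32\\" + image, "CommandLine": cmdline}


# Constructed sample: WS01 shows the full pre-encryption cluster, ADMIN01 runs
# benign look-alikes, BK01 performs one legitimate-looking shadow deletion.
SAMPLE_EVENTS = [
    _event("2026-04-20T02:11:03", "WS01", "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    _event("2026-04-20T02:11:05", "WS01", "wbadmin.exe", "wbadmin.exe delete catalog -quiet"),
    _event("2026-04-20T02:11:07", "WS01", "bcdedit.exe", "bcdedit.exe /set {default} recoveryenabled no"),
    _event("2026-04-20T02:11:09", "WS01", "wevtutil.exe", "wevtutil.exe cl Security"),
    _event("2026-04-20T02:11:10", "WS01", "fsutil.exe", "fsutil.exe usn deletejournal /D C:"),
    _event("2026-04-20T09:30:00", "ADMIN01", "vssadmin.exe", "vssadmin.exe list shadows"),
    _event("2026-04-20T09:31:00", "ADMIN01", "wevtutil.exe", "wevtutil.exe qe Security /c:5"),
    _event("2026-04-20T10:00:00", "BK01", "vssadmin.exe", "vssadmin.exe delete shadows /for=C: /oldest"),
]


def _field_matches(value, modifier, patterns):
    v, pats = value.lower(), [p.lower() for p in patterns]
    if modifier == "endswith":
        return any(v.endswith(p) for p in pats)
    if modifier == "contains":
        return any(p in v for p in pats)
    if modifier == "contains|all":
        return all(p in v for p in pats)
    if modifier == "":
        return v in pats
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection, event):
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")  # "CommandLine|contains|all" -> modifier "contains|all"
        if not _field_matches(str(event.get(field, "")), modifier, patterns):
            return False
    return True


def evaluate(rules, events):
    """Return one hit per (event, rule) pair where any selection of the rule matches."""
    return [{"rule": r["title"], "host": e["Computer"], "ts": e["UtcTime"], "cmd": e["CommandLine"]}
            for e in events for r in rules
            if any(selection_matches(s, e) for s in r["selections"])]


def correlate(hits, min_rules=3, window=timedelta(minutes=10)):
    """Alert once per host when at least min_rules distinct rules fire within window."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    alerts = []
    for host, hs in by_host.items():
        hs.sort(key=lambda h: h["ts"])
        for i, first in enumerate(hs):
            rules = {h["rule"] for h in hs[i:] if h["ts"] - first["ts"] <= window}
            if len(rules) >= min_rules:
                alerts.append({"host": host, "start": first["ts"], "rules": sorted(rules)})
                break
    return alerts


def run_demo():
    hits = evaluate(RULES, SAMPLE_EVENTS)
    return hits, correlate(hits)


if __name__ == "__main__":
    hits, alerts = run_demo()
    for h in hits:
        print(f"hit   {h['host']:<8} {h['rule']:<30} {h['cmd']}")
    for a in alerts:
        print(f"ALERT {a['host']}: {len(a['rules'])} recovery-inhibition techniques from {a['start']}: {a['rules']}")
```

The individual hits still belong in a low-severity queue for hunting; the correlated alert is what should page the on-call analyst. Because the Security log is one of the things RansomEXX clears, the correlation only works against events that have already been forwarded off the host.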


Defensive Recommendations


Defending against RansomEXX requires a layered security framework that combines proactive prevention, automated endpoint detection, and robust backup strategies.

1. Prevention

  • Enforce Multi-Factor Authentication (MFA): Mandate MFA across all remote access channels, including corporate VPNs, cloud portals, and administrative dashboards, so that purchased, reused, or brute-forced credentials alone do not grant access.

  • Vulnerability Patching: Maintain a strict patch schedule for all public-facing systems, developer tools, and virtualization interfaces, prioritizing patches for unpatched remote code execution flaws.

  • Network Segmentation: Segment internal networks to separate administrative systems, backup directories, production hypervisors, and user endpoints, preventing lateral movement.

  • Secure VMware ESXi Environments:

  • Enable UEFI Secure Boot and the execInstalledOnly enforcement flag on all ESXi hosts so that only executables from signed, installed VIBs can run; this blocks unsigned binaries like the RansomEXX ELF payload from executing out of directories such as /tmp.

  • Keep the ESXi Shell and SSH disabled unless an operator needs them, and enable lockdown mode so hosts are administered only through vCenter; the intrusion chain above depends on enabling SSH from a compromised vCenter session.

  • Disable Service Location Protocol (SLP) support if not needed to mitigate known hypervisor vulnerabilities.


2. Detection

  • Deploy EDR and XDR Platforms: Implement Endpoint Detection and Response (EDR) agents to automatically identify, block, and rollback suspicious behaviors, such as registry manipulation, shadow copy deletion, and memory injection.

  • Implement Centralized Tamper-Proof Logging: Forward critical event logs to a separate, write-once centralized log server. This ensures forensic evidence remains available even if local host logs are cleared.


3. Response and Recovery

  • Maintain Immutable Offline Backups: Store regular, full system backups in an isolated location that is either offline or write-once (immutable), with credentials separate from the domain, so that an attacker holding domain-wide administrative rights cannot discover, encrypt, or delete them.

  • Develop an Incident Response Plan: Establish and regularly test an incident response plan. This plan should outline clear isolation protocols, communication channels, and technical roles to contain threats and minimize downtime during a compromise.


Key Takeaways


The RansomEXX Ransomware Group has demonstrated significant adaptability, transitioning from targeted spear-phishing campaigns to a highly capable, multi-platform threat. By expanding its targeting to Linux and VMware ESXi hypervisors, the group was among the first to make hypervisor-level extortion a routine technique.

Their transition to Rust-compiled payloads further demonstrates a commitment to bypassing traditional EDR boundaries. Defending against this threat requires more than relying on traditional signature-based security tools. To mitigate this risk, organizations must implement a multi-layered security framework, combining multi-factor authentication, robust network segmentation, centralized logging, and secure offline backups.
