Ransom X (AKA Defray777, Ransom.exx, or RansomExx) is a ransomware tool that has been observed in attacks against US government agencies.
When Ransom X runs, it first terminates a range of processes, including security software, remote administration tools and database servers. It then takes further steps to obstruct recovery attempts, including clearing Windows event logs, deleting NTFS journals, disabling System Restore and the Windows Recovery Environment, deleting Windows backup catalogues and wiping free space on local storage.
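As an added example (not part of the original advisory), the Python below maps the recovery-obstruction behaviours just described to the built-in Windows commands commonly used for each of them, and flags a host on which several of them occur within a short window, which is what separates a ransomware run from a lone administrative command. The log format and log lines are constructed, and whether Ransom X invokes exactly these commands is an assumption; tune the patterns to your own process-creation telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviour named in the advisory -> Windows command commonly used for it.
# Assumption: Ransom X may achieve the same effect by other means.
RECOVERY_OBSTRUCTION = {
    "clear_event_log": re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
    "delete_usn_journal": re.compile(r"\bfsutil(\.exe)?\s+usn\s+deletejournal\b", re.I),
    "disable_system_restore": re.compile(r"\bDisable-ComputerRestore\b", re.I),
    "disable_winre": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "delete_backup_catalog": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
    "wipe_free_space": re.compile(r"\bcipher(\.exe)?\s+/w:", re.I),
}
# Constructed log format: "YYYY-mm-dd HH:MM:SS host=<h> user=<u> cmd=<command line>"
LOG_LINE = re.compile(r"^(\S+ \S+) host=(\S+) user=(\S+) cmd=(.*)$")

def classify(command_line):
    """Names of the recovery-obstruction behaviours a command line matches."""
    return {name for name, pat in RECOVERY_OBSTRUCTION.items() if pat.search(command_line)}

def find_sequences(lines, window=timedelta(minutes=10), min_distinct=3):
    """Return {host: sorted behaviours} for hosts that show at least
    min_distinct different behaviours inside one time window."""
    per_host = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the detector
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        for behaviour in classify(m.group(4)):
            per_host[m.group(2)].append((ts, behaviour))
    hits = {}
    for host, events in per_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {b for t, b in events[i:] if t - start <= window}
            if len(seen) >= min_distinct:
                hits[host] = sorted(seen)
                break
    return hits

# Constructed sample: one stray admin command on WS01, a full burst on SRV02.
SAMPLE_LOG = """\
2021-02-01 09:00:01 host=WS01 user=alice cmd=wevtutil.exe cl Application
2021-02-01 10:15:03 host=SRV02 user=SYSTEM cmd=wevtutil cl Security
2021-02-01 10:15:04 host=SRV02 user=SYSTEM cmd=fsutil usn deletejournal /D C:
2021-02-01 10:15:05 host=SRV02 user=SYSTEM cmd=bcdedit /set {default} recoveryenabled No
2021-02-01 10:15:06 host=SRV02 user=SYSTEM cmd=wbadmin delete catalog -quiet
2021-02-01 10:15:07 host=SRV02 user=SYSTEM cmd=powershell -c Disable-ComputerRestore -Drive C:\\
2021-02-01 10:16:30 host=SRV02 user=SYSTEM cmd=cipher.exe /w:C:\\
""".splitlines()
```

Running `find_sequences(SAMPLE_LOG)` reports only SRV02, with all six behaviours; WS01's single event stays below the threshold.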
When Ransom X encrypts data it appends a custom extension associated with the victim to affected filenames. A ransom note named ![extension]_READ_ME!.txt is saved in each encrypted directory. This note includes the victim organisation name, an email address to contact, and instructions on how to pay the ransom. While running, Ransom X displays an on-screen console with information about the encryption process.
The threat actor controlling Ransom X has recently been observed exploiting vulnerabilities in VMware ESXi to shut down virtual machines and encrypt virtual storage devices directly on the hypervisor. Once initial access to a network has been gained, malicious Service Location Protocol (SLP) messages are sent to take control of the ESXi host.
VMware ESXi administrators should ensure that all recent security updates have been applied. Where SLP is not required, it may also be disabled to help prevent a successful attack.
- VMware ESXi: versions prior to ESXi70U1a-17119627 / ESXi670-202011301-SG / ESXi650-202011401-SG / Cloud Foundation 18.104.22.168 / Cloud Foundation 22.214.171.124
- Microsoft Windows: all versions
- Linux: most major distributions