Ransomware profile: RansomExx


RansomExx is a human-operated ransomware that prevents users from accessing infected systems and threatens to publish stolen data unless a ransom is paid. It has been involved in a number of attacks on major corporations and government agencies since it was first observed in 2018. RansomExx is notable for being one of the few ransomware groups that targets both Windows and Linux environments.  

What is RansomExx? 

RansomExx, sometimes referred to as Defray777 and Ransom X, is a ransomware variant that encrypts files and demands a large sum of cryptocurrency for their decryption.  

As with many other contemporary ransomware families, RansomExx incidents typically involve a data theft component. Prior to encryption, data on compromised systems is exfiltrated to attacker-controlled servers and used as additional leverage to coerce victims into paying the ransom. Failure to pay the ransom results in the stolen data being published on RansomExx’s leak site.  

The history of RansomExx 

RansomExx first emerged in 2018 under the name “Defray”. The group remained relatively unknown for the first few years before shooting to infamy in mid-2020 following a spate of attacks on high-profile organizations, including the Texas Department of Transportation. Around this time, the ransomware operation was rebranded as RansomExx.  

RansomExx initially targeted only Windows systems. However, in July 2020, a new Linux variant of RansomExx was observed. Despite sharing many similarities with the original Windows variant, the Linux variant was not as sophisticated as its predecessor; it lacked command and control communication, anti-analysis techniques and the ability to terminate running processes (e.g. security software).  

In December 2020, RansomExx launched a dark web leak site where the group publishes the stolen data of victims who refuse to pay the ransom.  

Since RansomExx was first discovered, there have been 346 submissions to ID Ransomware, an online tool that helps the victims of ransomware identify which ransomware has encrypted their files. We estimate that only 25 percent of victims make a submission to ID Ransomware, which means there may have been a total of 1,384 RansomExx incidents since the ransomware’s inception.

RansomExx ransom note  

After the encryption process is complete, RansomExx drops a ransom note called in all infected directories. The note states that the victim’s files have been encrypted and provides instructions on how to communicate with the attackers. The note also offers to decrypt one encrypted file for free to prove the legitimacy of the attacker-provided decryptor.  

Below is a sample RansomExx ransom note:

Greetings, [Victim company]! 


Read this message CAREFULLY and contact someone from IT department. 

Your files are securely ENCRYPTED. 

No third party decryption software EXISTS. 

MODIFICATION or RENAMING encrypted files may cause decryption failure. 


You can send us an encrypted file (not greater than 400KB) and we will decrypt it FOR FREE, 

so you have no doubts in possibility to restore all files from all affected systems ANY TIME. 

Encrypted file SHOULD NOT contain sensitive information (technical, backups, databases, large documents). 

The rest of data will be available after the PAYMENT. 

Infrastructure rebuild will cost you MUCH more. 


Contact us ONLY if you officially represent the whole affected network. 

The ONLY attachments we accept are non archived encrypted files for test decryption. 

Speak ENGLISH when contacting us. 


Mail us: [REDACTED]@protonmail.com 

We kindly ask you not to use GMAIL, YAHOO or LIVE to contact us. 

The PRICE depends on how quickly you do it. 

Who does RansomExx target? 

RansomExx targets large organizations with the resources and motivation to pay large ransom demands, including enterprises and government agencies. RansomExx is one of a handful of ransomware strains that targets Linux-based systems as well as Windows systems. RansomExx is a global concern and has impacted organizations in North America, South America, Asia, Europe and Oceania.  

How does RansomExx spread? 

RansomExx attacks begin by breaching the target system, usually via compromised remote desktop protocol, phishing campaigns, exploiting known vulnerabilities or stolen credentials. After compromising the system, attackers will move laterally through the network, using a variety of post-compromise tools such as Pyxie, Cobalt Strike and Vatet to gain a stronger foothold. Data is exfiltrated to attacker-controlled servers before the ransomware executable is deployed. 

RansomExx is usually delivered as fileless malware. It is reflectively loaded and executed in memory without ever touching the hard drive, which can make it harder for security solutions to detect. Encrypted files are appended with a unique extension based on the name of the impacted organization.  

As RansomExx attacks are manually operated and highly targeted, the exact anatomy of an attack can vary from incident to incident.  

Major RansomExx attacks 

How to protect the network from RansomExx and other ransomware   

The following practices may help organizations reduce the risk of a RansomExx incident.

How to remove RansomExx and other ransomware     

RansomExx uses encryption methods that currently make it impossible to decrypt data without paying for an attacker-supplied decryption tool. 

Emsisoft Enterprise Security + EDR

Robust and proven endpoint security solution for organizations of all sizes. Start free trial

Victims of RansomExx should be prepared to restore their systems from backups, using processes that should be defined in the organization’s incident response plan. The following actions are recommended:

Senan Conrad

Senan Conrad

Senan specializes in giving readers insight into the constantly and rapidly changing world of cybersecurity. When he’s not tapping away at his keyboard, he enjoys drinking a good coffee or tinkering in his workshop.

What to read next