RansomEXX recently gained notoriety due to its attack on Gigabyte, a well-known hardware manufacturer from Taiwan, and an attack against Italy’s Lazio Region. The first attack resulted in the theft of 112GB of business data; the second crippled the regional COVID-19 vaccination registration portal serving 6 million people. Though it initially started out targeting Windows operating systems, RansomEXX has since been seen targeting Linux servers via a separate Linux variant.
While RansomEXX has remained relatively low-profile over the past few years, its latest activities point to its potential resurgence now.
Analyzing RansomEXX
IBM Security ReaQta’s analysis of RansomEXX found that – like most human-operated ransomware operations – RansomEXX breaches networks and organizations through email, spear phishing, brute-forced Remote Desktop Protocol (RDP) logins or stolen credentials.
Upon execution, RansomEXX encrypts files on the victim’s machine, thereafter disabling file recovery and system restore, leaving a ransom note on the victim’s machine.
(RansomEXX ransom note)
In some instances, RansomEXX operators have also made use of a double extortion method post-hit by threatening to leak victims’ data publicly if payment was not received.
(ReaQta’s Behavioral Tree showing the RansomEXX ransomware)
Within seconds of an infection, IBM Security ReaQta gathers the pertinent information needed to reconstruct the breach. At a glance, analysts can swiftly identify the malicious behaviors and techniques applied by attackers and address the entire infection – including complete remediation and clean-up.
Attack information is also mapped against the MITRE ATT&CK cyber kill chain framework, so that analysts can easily understand the current stage of a compromise.
(RansomEXX is automatically stopped by ReaQta within seconds)
With ReaQta’s real-time protection capabilities, threats like ransomware are automatically detected and stopped, preventing organizations from becoming the next victim of a ransomware attack.
In the case of RansomEXX, ReaQta was effective within seconds, mitigating hits that would otherwise have led to costly damage and sensitive data exfiltration. In addition to stopping the threat, ReaQta’s AI automatically terminates all malicious processes involved in the incident and then closes the alert, reducing the follow-up actions the security team needs to take.
AI & ML-powered solutions needed to stay ahead of attackers
Considering the rise of ransomware attacks, solutions that augment behavioral detection capabilities are increasingly becoming a necessity to detect and stop zero-day and unknown threats that range from ransomware to fileless and in-memory attacks.
Behavioral solutions, together with proactive threat hunting capabilities, are starting to become the centerpiece of any organization’s security strategy. This ensures that no dormant or hidden threats are allowed to lurk within your infrastructure.
Relying on traditional protection methods alone today may no longer suffice, as visibility is limited, which increases the risks of a cyber breach.
Using unmatched levels of automation, AI and machine learning, ReaQta autonomously detects ransomware behavior and actively handles the threat as it unfolds, so that organizations can stay protected against ransomware.
ReaQta’s recommendations
- Cybersecurity awareness is imperative. Employees are the first line of defense, but they are also the most vulnerable. Organizations should make sure that employees are properly trained to flag anything that is potentially suspicious. All staff should be equipped to identify and flag possible phishing emails and be aware of how various business scams work.
- Enable two-factor authentication (2FA) / multi-factor authentication (MFA), as this protects your email, cloud documents and VPN access. What is becoming increasingly obvious is that most attacks start via email. This is a low-cost option that is highly effective. For those using Microsoft O365 or other platforms, follow the best-practice guides that are readily available. This will strengthen the overall security posture of your organization.
- Ensure that the Ransomware Behavior Protection policy is enabled. This will help prevent interruptions to your business.
- Constantly test your defenses. Do not just focus on implementing security measures, but ensure that the entire process works, from early detection to incident response. Should there be a lack of resources for consistent threat monitoring and mitigation, IBM Security ReaQta Essential MDR provides 24/7 security monitoring and an immediate response when a new potential threat is discovered.
To learn how organizations can stay protected against constantly emerging threats like ransomware, read more here.