Malware Profile Updated 3 months ago
RansomExx2 is a newly discovered variant of the RansomExx malware that targets Linux systems and vulnerable ESXi servers. The analysed sample is identified by the MD5 hash 377C6292E0852AFEB4BD22CA78000685 and is a Linux executable written in Rust. It is part of a growing trend of ransomware developers releasing Rust versions of their malware; other examples include BlackCat, Hive, and Zeon. Although completely rewritten in Rust, RansomExx2 keeps functionality similar to its C++ predecessor. The name of the new variant is based on strings found in the ransomware itself and is corroborated by changes to the ransomware group's website, whose page title has been updated to 'ransomexx2'. Source code path strings within the binary also indicate that this ransomware is a derivative of the original RansomExx, hence the name RansomExx2. At this time, it remains unclear whether attacks carried out with RansomExx2 are conducted by the same threat actors involved in the ESXiArgs campaign, which complicates attribution. As RansomExx2 continues to pose a significant threat to Linux machines and ESXi servers, ongoing vigilance and robust security measures are essential to mitigate potential damage.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some overlapping names and profiles you may also want to look at.
Zeon, a known threat actor in the cybersecurity landscape, has been linked to several high-profile ransomware attacks. It was instrumental in crypting SVCReady and CargoBay loaders, observed in Quantum and Royal ransomware attacks respectively. Zeon has also employed third-party ransomware such as B
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
Hive is a malicious software, or malware, that infiltrates systems to exploit and damage them. This malware has been associated with Volt Typhoon, who exfiltrated NTDS.dit and SYSTEM registry hive to crack passwords offline. The Hive operation was primarily involved in port scanning, credential thef
Associated Threat Actors
AlphV, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. This group has been involved in numerous high-profile attacks, including stealing 5TB of data from Morrison Community Hospital and compromising Clarion, a global manufacturer of audio and video equipment for car
Associated Vulnerabilities
No associations to display
Source Document References
Information about the RansomExx2 malware was read from the documents listed below. This display is limited to 20 results.
ESXiArgs Ransomware Campaign Facilitated by Exploiting VMware Vulnerability (a year ago)
RansomExx Upgrades to Rust (a year ago)