Mallory
Malware · Ransomware · Used by 2 actors · Exploits 4 CVEs

RansomExx

RansomExx is a human-operated ransomware family and operation, active since 2018 and widely reported as a rebranded version of Defray777 that became significantly more active from June 2020 onward. It has been associated with the threat group GOLD DUPONT, and Microsoft tracks related operator activity as Storm-2460 in more recent reporting. RansomExx has been linked to high-profile attacks against large organizations and government entities, including Brazilian government networks, the Texas Department of Transportation, Konica Minolta, IPG Photonics, Tyler Technologies, and the French health insurer MNH. Reported victim geographies include the United States, Canada, and Brazil.

The malware is used in double-extortion style intrusions: operators compromise victim networks, harvest unencrypted files for extortion, obtain administrator credentials, and then deploy ransomware broadly across the environment. Observed initial access and intrusion tooling includes phishing emails with password-protected ZIP archives containing malicious macro-enabled Word documents, IcedID as an initial access vector, the Vatet loader for payload delivery, and PyXie together with Cobalt Strike for post-compromise activity. Trend Micro reported an intrusion chain progressing from initial access to ransomware deployment in about five hours, with lateral movement observed over SMB.

RansomExx also has a Linux variant. Reporting describes a 64-bit ELF sample targeting Linux servers and VMware-related environments, especially systems serving as storage for VMware files. The Linux variant performs multi-threaded encryption, uses mbedtls to generate AES keys, encrypts those keys with a hardcoded RSA-4096 public key, and requires a target directory as a command-line argument to begin recursive encryption and ransom note creation. RansomExx is also specifically noted as capable of encrypting files on VMware ESXi shared virtual hard drives, and it has been listed among notable Linux malware.

For defense evasion, RansomExx has been observed clearing Windows Security logs after encryption using wevtutil, and ATT&CK-related reporting cites it for disabling Windows event logging (T1562.002). More recent reporting links RansomExx/Storm-2460 to use of the modular backdoor PipeMagic. PipeMagic has been observed beaconing to a known RansomExx domain and has been associated with fake ChatGPT-themed lures, remote access, data theft, and follow-on ransomware activity. ReliaQuest and other reporting also tied RansomExx-linked activity to exploitation of the SAP NetWeaver vulnerabilities CVE-2025-31324 and CVE-2025-42999, with web-shell deployment, PipeMagic delivery, attempted Brute Ratel C2 deployment via inline MSBuild task execution, and attempted exploitation of the Windows CLFS privilege-escalation vulnerability CVE-2025-29824. In the observed SAP NetWeaver incidents, reporting stated that no ransomware payloads were successfully deployed.

Known operational characteristics directly mentioned in the source material include Tor-based ransom negotiation infrastructure, use of ProtonMail for negotiations in at least one case, test decryption offers, theft of unencrypted files for leverage, deployment after administrator-level access is obtained, Windows log disabling via wevtutil, Linux/ESXi targeting, and association with PipeMagic in recent campaigns.
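As an added example (not Mallory's code and not taken from any of the cited reports), the following Python shows detection logic for the log-tampering step described above: it parses process-creation command lines for wevtutil clearing or disabling a channel, and flags the native "log cleared" records Windows writes afterwards (Security event 1102, System event 104). The event records and their field names (event_id, channel, image, command_line, cleared_log) are constructed assumptions modelled on Security 4688 / Sysmon 1 process-creation events; map them onto your own telemetry schema.

```python
"""
Detection helper for wevtutil-based log clearing / disabling (ATT&CK T1562.002),
the defense-evasion step reported for RansomExx.

Added example, not Mallory's or any vendor's code. The sample events are
constructed; the record layout is an assumption modelled on Security 4688 /
Sysmon 1 process creation and the native "log cleared" events (1102, 104).
"""
from __future__ import annotations

from dataclasses import dataclass

# wevtutil accepts long and short verb forms.
CLEAR_VERBS = {"cl", "clear-log"}
SET_VERBS = {"sl", "set-log"}          # "sl <log> /e:false" disables a channel
# Channels whose loss most directly blinds an investigation.
HIGH_VALUE_LOGS = {
    "security", "system", "application",
    "microsoft-windows-powershell/operational",
    "microsoft-windows-sysmon/operational",
}


@dataclass(frozen=True)
class Event:
    event_id: int
    channel: str            # log the record itself was written to
    image: str = ""         # process path (process-creation events)
    command_line: str = ""  # full command line (process-creation events)
    cleared_log: str = ""   # channel named in a 104 record (assumed field)


@dataclass(frozen=True)
class Alert:
    rule: str
    log: str
    severity: str


def parse_wevtutil(command_line: str) -> tuple[str, str] | None:
    """Return (action, target_log) when the command line clears or disables a
    log with wevtutil, else None. Tokenises on whitespace, so a quoted path
    containing spaces before wevtutil.exe is not handled (assumption)."""
    tokens = command_line.strip().split()
    for i, tok in enumerate(tokens):
        name = tok.strip('"').lower()
        if name.endswith("wevtutil") or name.endswith("wevtutil.exe"):
            rest = [t.strip('"').lower() for t in tokens[i + 1:]]
            if len(rest) < 2:
                return None
            verb, log = rest[0], rest[1]
            if verb in CLEAR_VERBS:
                return ("clear", log)
            if verb in SET_VERBS and "/e:false" in rest[2:]:
                return ("disable", log)
            return None       # query/export verbs (qe, epl, ...) are benign
    return None


def severity_for(log: str) -> str:
    return "high" if log.lower() in HIGH_VALUE_LOGS else "medium"


def detect(events: list[Event]) -> list[Alert]:
    alerts: list[Alert] = []
    for ev in events:
        channel = ev.channel.lower()
        if ev.event_id == 1102 and channel == "security":
            # "The audit log was cleared", written by the Event Log service.
            alerts.append(Alert("security_audit_log_cleared", "security", "high"))
        elif ev.event_id == 104 and channel == "system":
            # Microsoft-Windows-Eventlog 104: "<log> log file was cleared".
            log = ev.cleared_log.lower()
            alerts.append(Alert("event_log_cleared", log, severity_for(log)))
        elif ev.event_id in (4688, 1) and ev.command_line:
            parsed = parse_wevtutil(ev.command_line)
            if parsed:
                action, log = parsed
                alerts.append(Alert(f"wevtutil_{action}_log", log, severity_for(log)))
    return alerts


# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    Event(4688, "Security", r"C:\Windows\System32\wevtutil.exe",
          "wevtutil.exe cl Security"),
    Event(1, "Microsoft-Windows-Sysmon/Operational", r"C:\Windows\System32\cmd.exe",
          'cmd.exe /c "wevtutil sl Microsoft-Windows-PowerShell/Operational /e:false"'),
    Event(1102, "Security"),
    Event(4688, "Security", r"C:\Windows\System32\wevtutil.exe",
          "wevtutil.exe qe Application /c:5"),       # routine query, not flagged
    Event(104, "System", cleared_log="Application"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule}: {a.log}")
```

The benign `wevtutil qe` query in the sample is deliberately left unflagged, since administrators query logs routinely. The 1102/104 records are the higher-fidelity signal: the Event Log service emits them regardless of which tool cleared the log, so forwarding them to a collector as they occur preserves the evidence even after the endpoint's local logs are gone.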

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

EXPLOITED CVES

Vulnerabilities exploited

4 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2025-31324: Unauthenticated File Upload RCE in SAP NetWeaver Visual Composer Metadata Uploader (exploited in the wild)

Ransomware groups and Chinese advanced persistent threat (APT) groups are targeting a critical vulnerability in SAP NetWeaver... The vulnerability, tracked as CVE-2025-31324, has a CVSS score of 10 and affects NetWeaver's Visual Composer development server. Threat actors can exploit the vulnerability using remote attacks to execute arbitrary code without authentication... SAP later confirmed it as an unrestricted file upload vulnerability... allowing attackers to upload malicious files directly to the system without authorization.

via Dark Reading (darkreading.com)
CVE-2025-29824: Windows Common Log File System Driver Use-After-Free Local Privilege Escalation (exploited in the wild)

Kaspersky said in a new blog post on Monday that it saw PipeMagic used alongside a RansomExx ransomware campaign. | Researchers at ESET discovered the corresponding zero-day — tracked as CVE-2025-29824 — in March. The bug impacts Windows Common Log File System Driver (CLFS)... “Once PipeMagic is running, the threat actor performs the CLFS exploit to escalate privileges before launching their ransomware,” Microsoft said.

via The Record (therecord.media)
CVE-2025-42999: Insecure Deserialization in SAP NetWeaver Visual Composer Metadata Uploader

ReliaQuest ... uncovered evidence suggesting involvement from the BianLian data extortion crew and the RansomExx ransomware family, which is traced by Microsoft under the moniker Storm-2460.

via The Hacker News (thehackernews.com)
CVE-2024-23897: Jenkins CLI Arbitrary File Read (exploited in the wild)

Back in January, the Jenkins team revealed a command line interface (CLI) path traversal vulnerability that could allow unauthorized attackers to read arbitrary files on its controller file system... Labeled CVE-2024-23897... And it remains under active exploitation today, according to ... CISA ... added the flaw to its Known Exploited Vulnerabilities (KEV) catalog.

via Dark Reading (darkreading.com)
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Gold Dupont

Later in 2023, the same organization was targeted by the GOLD DUPONT threat group, which distributes the RansomExx ransomware.

via Sophos Threat Research (sophos.com)
Storm-2460

ReliaQuest revealed that the RansomEXX and BianLian ransomware operations have also joined these attacks, although no ransomware payloads were successfully deployed.

via BleepingComputer (bleepingcomputer.com)
MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1078 Valid Accounts (Evidence: 1)

After gaining access to an administrator password, they deploy the ransomware on the network and encrypt all of its devices.

T1566.001 Spearphishing Attachment (Evidence: 1)

“flagged as a phishing email with an attached password-protected ZIP file, which is actually a Word document … with a malicious macro… lures users into enabling macro content”

Persistence

1 technique
T1078 Valid Accounts (Evidence: 1)

After gaining access to an administrator password, they deploy the ransomware on the network and encrypt all of its devices.

Stealth

2 techniques
T1027 Obfuscated Files or Information (Evidence: 1; Tactic: Stealth)

“Vatet loader decrypts a file … config.dat using an XOR-based method… injects … and then executes the payload”

T1078 Valid Accounts (Evidence: 1)

After gaining access to an administrator password, they deploy the ransomware on the network and encrypt all of its devices.

Collection

1 technique
T1074 Data Staged (Evidence: 1)

Like other human-operated ransomware operations, RansomExx will compromise a network and begin harvesting unencrypted files for their extortion attempts.

Impact

1 technique
T1486 Data Encrypted for Impact (Evidence: 4; Tactic: Impact)

An increasing number of ransomware operations are adopting the leaked Babuk ransomware source code to create Linux encryptors targeting VMware ESXi servers.

Other

1 technique
T1562.002 Disable Windows Event Logging (Evidence: 1)

Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits.

INDICATORS OF COMPROMISE

IOCs tracked for this family

7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Hashes
7 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type | Value | Latest sighting
hash.sha256 | ●●●●●●●●●●●● (full value in app) | 5 years ago
hash.sha256 | ●●●●●●●●●●●● (full value in app) | 5 years ago
hash.sha256 | ●●●●●●●●●●●● (full value in app) | 5 years ago
hash.sha256 | ●●●●●●●●●●●● (full value in app) | 5 years ago
hash.sha256 | ●●●●●●●●●●●● (full value in app) | 5 years ago
hash.sha256 | ●●●●●●●●●●●● (full value in app) | 5 years ago
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (7)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (2)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities (4)

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (6)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.