Ransom X, also known as RansomExx, is a ransomware family associated with human-operated attacks against government agencies and other enterprises.
The 2020 Ransom X Attacks in Texas
May of 2020 was not a good month for Texas as both the Texas Courts and the Texas Department of Transportation saw several ransomware attacks. At the time of these attacks, it was not yet known which ransomware targeted these government agencies. It is now known that Ransom X hit the Texas Department of Transportation.
Japanese tech giant Konica Minolta was also hit by Ransom X and suffered service outages. The incident occurred in August, and news of the attack quickly surfaced online after customers noticed website outages. The outage lasted about a week, with no immediate update from the company to customers. Initially, all the company did was post an outage message with a link to a support document asking customers to perform a reset.
Examining Ransom X
Ransom X’s name is derived from the ‘ransom.exx’ string in the executable. It is thought to be a human-operated ransomware, rather than one distributed via phishing or malware. When initiated, the ransomware opens a console that displays information to the attacker while it is running.
According to reports, RansomExx terminates 289 processes related to security software, database servers, MSP software, remote access tools, and mail servers.
Strangely, the infection skips three folders that some experts theorize are used to store the ransomware executable and other utilities used during an attack. These folders are: crypt_detect, cryptolocker and ransomware.
By bypassing these folders, attackers can encrypt the computer while also attacking other computers on the network without the fear of their tools becoming encrypted.
Text on Screen:
Ransom X will also:
- Clear Windows event logs
- Disable System Restore
- Disable the Windows Recovery Environment
- Delete the Windows backup catalogs
- Wipe free space from local drives
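A read-only triage script, added here as an example and not taken from the article or from any Ransom X sample, that checks a Windows host for traces of the behaviours listed above: the three folder names the article reports, log-clearing events, System Restore and WinRE being switched off, and a missing backup catalog. The event IDs, registry paths and commands are standard Windows facilities, not something the article states; run it from an elevated Windows PowerShell session.

```powershell
# Added example (not from the original article): read-only check for Ransom X-style artefacts.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Folders the ransomware is reported to skip. One of these names at a drive root is
#    unusual on a normal host and deserves a look (names from the article).
$skipNames = 'crypt_detect', 'cryptolocker', 'ransomware'
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    foreach ($name in $skipNames) {
        $path = Join-Path -Path $drive.Root -ChildPath $name
        if (Test-Path -LiteralPath $path -PathType Container) {
            $findings.Add("Excluded-folder name present: $path")
        }
    }
}

# 2. Clearing an event log leaves a record of its own: Security 1102 and System 104.
$since = (Get-Date).AddDays(-7)
foreach ($q in @(@{LogName='Security'; Id=1102}, @{LogName='System'; Id=104})) {
    $q.StartTime = $since
    Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Log cleared: $($_.LogName) at $($_.TimeCreated)") }
}

# 3. System Restore switched off (policy key or session interval of 0) or no shadow copies left.
$srPolicy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore' -ErrorAction SilentlyContinue
if ($srPolicy.DisableSR -eq 1) { $findings.Add('System Restore disabled by policy (DisableSR=1)') }
$srCfg = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore' -ErrorAction SilentlyContinue
if ($srCfg.RPSessionInterval -eq 0) { $findings.Add('System Restore disabled (RPSessionInterval=0)') }
if (-not (Get-CimInstance Win32_ShadowCopy -ErrorAction SilentlyContinue)) {
    $findings.Add('No volume shadow copies present')
}

# 4. Windows Recovery Environment disabled (reagentc reports its status as plain text).
$re = & reagentc.exe /info 2>$null
if ($re -match 'Windows RE status:\s*Disabled') { $findings.Add('Windows RE is disabled') }

# 5. Windows backup catalog: wbadmin prints one "Version identifier" line per known backup.
#    None listed on a host that should have backups is a finding.
$wb = & wbadmin.exe get versions 2>&1
if (-not ($wb | Select-String -Pattern 'Version identifier')) {
    $findings.Add('No Windows backup versions listed by wbadmin')
}

if ($findings.Count -eq 0) { 'No Ransom X-style artefacts found.' } else { $findings }
```

Each check only reads state; treat any hit as a lead for incident response, not as proof of infection on its own.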
Due to the scarcity of information about this ransomware operation, little is known about the ransom amounts demanded or whether the attackers steal data as part of the attack. At the moment, no free working decryptor is available.
If you are still having trouble, consider contacting remote technical support options.