Security & Compliance Automation Platform
UnderDefense MAXI is the solution to day-to-day cybersecurity problems of IT leaders and teams. It builds your 24/7 business protection together with you on the driver’s seat.
UnderDefense MAXI Platform
UnderDefense Secures Top Honor at the 2025 Global Infosec Awards
We’re proud of being a winner at the 2025 Global Infosec Awards…
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
24/7 Threat Detection & MAXImum Responsiveness
Our human-led MDR service combines expert insight and automation and AI for fast, precise threat response. Get full context in 2 minutes and cut MTTC to 15, staying ahead of ransomware and other attacks.
Calculate your MDR price
Pay only for the services you actually need, with no hidden costs.
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
Spot threats faster and respond smarter than tools alone
24/7 MDR and SOC services led by award-winning security experts. We act as an extension to your team or as a fully remote team, providing detailed threat insights and actionable responses to secure your environment immediately.
UnderDefense is an AWS Partner
We’re excited to announce that UnderDefense is now an AWS partner and available on AWS Marketplace…
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
RansomEXX ransomware recovery team on standby
RansomEXX (also known as Defray777) has operated since 2018 as a targeted, human-operated ransomware linked to the GOLD DUPONT threat group, with confirmed attacks against Gigabyte, ADATA, and government agencies across multiple countries. Do not attempt decryption or containment alone — isolate affected systems immediately and engage UnderDefense's incident response team.
Average Mttc
Ransom-Free recovery rate
Avoided in ransom
Global availability
Systems restored
IR experts
Ransomware cases resolved
IR experience
Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:
Contact us now for urgent ransomware response assistance, 24/7
Get Help Now
Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.
Momentum Leader in MDR
Best Support in MDR & IR
Managed Detection and Response (MDR)
Top Cybersecurity Company 2025
Best Managed Detection and Response Service
#4 of 184 teams Splunk Boss of the SOC
Best Of Cybersecurity Awards for Q1 2025
AWS Partner
Splunk Manage Premier Partner
Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.
Taking the right steps in the first moments after a RansomEXX attack can make a huge difference and help you make a full recovery. Request 24/7 RansomEXX ransomware recovery services to decrypt your data and maximize your chances of restoring operations.
RansomEXX victims show IOCs including .ransomexx or victim-specific file extensions, ransom notes titled [victim_name]_MESSAGE.txt, evidence of reconnaissance and lateral movement via Cobalt Strike and Metasploit, and coordination with GOLD DUPONT threat group infrastructure. Watch for suspicious credential dumping, network enumeration activity, and data exfiltration prior to encryption. Both Windows and Linux systems may be targeted in same incident.
RansomEXX implements RSA-4096 for key exchange combined with AES-256 in CBC mode for file encryption. Each victim receives unique keys generated server-side. The malware demonstrates consistent encryption strength across Windows and Linux variants, indicating professional development and testing.
RansomEXX operates as a mature RaaS platform managed by GOLD DUPONT/Sprite Spider since 2018. The group conducts pre-attack reconnaissance to understand victim infrastructure before deployment. Comprehensive toolkit includes Cobalt Strike, Metasploit, credential dumping utilities, and lateral movement tools. Double extortion is standard: files encrypted while data is exfiltrated and listed on RansomEXX leak sites.
Primary leverage combines operational disruption across Windows and Linux systems with data publication threats. The group publishes victim data on dedicated leak sites and threatens competitive intelligence sharing or public disclosure. Targeting of critical infrastructure creates extreme pressure due to public safety implications and regulatory requirements. The group demonstrates willingness to conduct lengthy negotiations.
RansomEXX targets both Windows and Linux systems with specific focus on critical infrastructure including healthcare, government, and large enterprises. The existence of Linux variants (discovered in late 2020) demonstrates targeting of VMware ESXi, databases, and Unix-based core infrastructure. The dual-platform capability enables comprehensive network disruption.
Ransom notes titled [VICTIM_NAME]_MESSAGE.txt (e.g., Gigabyte_MESSAGE.txt) appear in encrypted directories containing victim-specific encryption details, Tor onion site URLs, cryptocurrency wallet addresses, and threats to publish stolen data. Notes reference data volumes and specific exfiltrated information.
No public decryption tool is available for RansomEXX. The malware uses strong RSA-4096+AES-256 encryption with private keys held exclusively by GOLD DUPONT. Decryption requires ransom payment (with no guarantee of functionality) or restoration from clean backups. Some victims reported key failures or incomplete decryption post-payment.
Specific indicators include .ransomexx or victim-specific file extensions, [VICTIM_NAME]_MESSAGE.txt ransom notes, Cobalt Strike beacon artifacts, Metasploit exploitation signatures, and credential dumping tool evidence (Mimikatz, etc.). Network reconnaissance activity and lateral movement patterns are distinctive.
File Extensions
Primary extension is .ransomexx (e.g., document.docx.ransomexx). Victim-specific variants may use alternative extensions. Linux variants may use different extension patterns.
Ransom Note Filenames
[VICTIM_NAME]_MESSAGE.txt format with victim organization name inserted (e.g., Gigabyte_MESSAGE.txt, ADATA_MESSAGE.txt, CDProjektRed_MESSAGE.txt). Consistent naming across incidents facilitates identification.
RansomEXX Hashes
RansomEXX samples vary across campaigns and platforms (Windows vs. Linux). Behavioral analysis of Cobalt Strike coordination and encryption routines is more reliable than hash-based detection. Threat intelligence feeds provide updated hash collections.
RansomEXX Tools
GOLD DUPONT arsenal: Cobalt Strike, Metasploit, Mimikatz (credential dumping), PsExec (lateral movement), WMI (remote command execution), PowerShell (automation), custom data exfiltration utilities, SSH for Linux lateral movement.
Most Common Red Flag (Commands)
PowerShell commands indicating credential enumeration, Mimikatz execution for credential dumping, Cobalt Strike beacon communications, SMB lateral movement attempts, WMIC execution for remote commands, evidence of SSH key usage for Linux access, bulk file transfers to staging directories.
Attack vector | % of RansomEXX incidents | Notes |
Exposed Remote Access Services | 40% | RDP, SSH, or VPN with weak credentials |
Phishing & Initial Access Brokers | 30% | Email-based credential theft or purchased access |
Unpatched Vulnerabilities | 20% | Exploitation of known CVEs in critical systems |
Supply Chain Compromise | 10% | Partner organization or software vendor breach |
Gigabyte (electronics manufacturer) reportedly paid ransom estimated at USD $10 million post-2020 breach. ADATA (memory manufacturer) suffered similar attacks with significant operational disruption. CD Projekt Red (game developer) experienced data theft (Cyberpunk source code suspected) with no confirmed encryption or ransom payment. Multiple critical infrastructure organizations paid significant ransoms (estimates $5–20M+). Recovery timelines ranged from 2–8 weeks depending on system complexity.
Immediately isolate infected systems from networks using complete air-gapping or network segmentation. Reset all compromised credentials including administrative and service accounts across Windows and Linux systems. Preserve forensic evidence of Cobalt Strike beacon communications and lateral movement. Restore all encrypted files from verified clean backup copies predating the infection. Scan systems for persistence mechanisms, backdoors, and secondary malware installations. Conduct comprehensive threat hunting for Metasploit artifacts and privilege escalation evidence.
Restore all encrypted files from verified clean backup repositories created before encryption occurred. Rebuild user credentials and implement multi-factor authentication on all systems and accounts. Deploy endpoint detection and response (EDR) solutions with focus on Cobalt Strike detection and lateral movement monitoring. Implement network segmentation to isolate critical infrastructure. Deploy data loss prevention (DLP) tools to monitor for bulk data transfers. Monitor both Windows and Linux systems for suspicious activity. Maintain immutable offline backup copies to prevent future encryption.
RansomEXX demands range from $500,000 to $30,000,000+ depending on victim organization size, industry criticality, and data sensitivity. Healthcare and critical infrastructure organizations face the highest demands. Negotiated settlements typically reduce initial demands by 40–70%. Government and healthcare victims have reported settlements exceeding $10 million.
10 reasons why you should choose the UnderDefense ransomware recovery consulting services:
Get Help NowRansomEXX, also known as Defray777, Target777, and Ransom X, is a sophisticated ransomware family active since 2018, attributed to the GOLD DUPONT threat group and Sprite Spider. The group distinguishes itself through dual Windows and Linux variants, enabling comprehensive network disruption across diverse infrastructure. RansomEXX operates as a mature RaaS platform with professional reconnaissance, lateral movement capabilities, and comprehensive toolkit. The group has demonstrated sustained capability to compromise critical infrastructure and essential services, with high-profile victims including government, healthcare, and major corporations.
GOLD DUPONT is attributed to Russian-speaking operators with suspected Russian Federation base of operations. Law enforcement and intelligence agencies have publicly attributed GOLD DUPONT to Russian cybercriminal activities. The group maintains sophisticated infrastructure across multiple jurisdictions, making geographic pinpointing difficult. US law enforcement (FBI) has issued advisories on GOLD DUPONT threat group.
RansomEXX attacks follow a sophisticated, multi-stage approach: Initial reconnaissance using OSINT and vulnerability scanning to understand target infrastructure. Initial access via phishing, credential theft, or vulnerability exploitation. Persistent access establishment using Cobalt Strike beacons. Lateral movement across Windows and Linux systems using legitimate administrative tools and exploitation. Credential dumping via Mimikatz to obtain domain admin access. Data exfiltration to attacker-controlled servers or cloud storage, often targeting critical databases and configurations. Optional encryption of both Windows systems and Linux infrastructure (ESXi, databases, etc.) using dual-platform payloads. Ransom note deployment. Victim notification and negotiation initiation.
RansomEXX campaigns typically span 2–8 weeks from initial access to encryption deployment. The group conducts thorough reconnaissance and lateral movement before payload deployment, ensuring comprehensive network access. Data exfiltration often spans 2–4 weeks as the group identifies and transfers high-value information. Encryption typically occurs over 24–72 hours once full network access is established.
No public decryption tools are available for RansomEXX. The malware uses strong RSA-4096+AES-256 encryption with private keys held exclusively by GOLD DUPONT. Decryption requires ransom payment (with no guarantee of functionality) or restoration from clean backups. Historical analysis shows that decryption keys have been provided post-payment in most cases, though incomplete decryption has been reported.
Payment has historically resulted in decryption key provision in most documented cases. However, no legal enforcement of payment agreements exists. Some victims have reported that exfiltrated data was still published or sold despite ransom payment. GOLD DUPONT demonstrates professionalism in honoring decryption key provision, though data publication threats remain independent from encryption recovery.
Implement multi-factor authentication on all remote access services (RDP, SSH, VPN) and administrative accounts. Deploy comprehensive endpoint detection and response (EDR) solutions on all Windows systems with focus on Cobalt Strike detection. Deploy Linux-based security monitoring on all critical servers and ESXi hosts. Conduct regular vulnerability assessments and patching programs. Monitor networks for Mimikatz and credential dumping activity. Segment networks to isolate critical infrastructure. Implement data loss prevention (DLP) tools to monitor for bulk data transfers. Monitor dark web for your organization’s appearance on RansomEXX leak sites.
– Audit and strengthen all RDP, SSH, and VPN credentials – Deploy multi-factor authentication on all remote access and administrative accounts – Monitor for Cobalt Strike beacon communications and lateral movement – Implement EDR on all Windows systems – Deploy Linux security monitoring on critical servers and ESXi – Conduct regular vulnerability assessments and timely patching – Restrict access to critical databases and configurations – Verify backup integrity and test offline restoration procedures
RansomEXX shows strong preference for critical infrastructure including healthcare, government, and utilities. The group targets any large organization with operational criticality and significant financial resources to pay ransom. Critical infrastructure victims face the highest demands due to public safety implications and regulatory pressures. No specific vertical is excluded, but essential services face elevated risk.
RansomEXX’s Linux variant, discovered in late 2020, was among the first major ransomware families to target Linux systems at scale. This capability enables comprehensive network disruption by simultaneously encrypting Windows desktops/servers and Linux infrastructure (ESXi hypervisors, databases, file servers). The dual-platform approach ensures maximum operational impact and increases victim pressure to pay. Linux deployment capability demonstrates sophisticated development practices and understanding of diverse infrastructure environments.