What to do if you're hit by ransomware?

Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:

1
Do NOT fix it yourself
2
Disconnect affected systems
3
Call us +1 332 331 8700

Contact us now for urgent ransomware response assistance, 24/7

Get Help Now
Frame

Experts. Finalists. Winners.

Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.

Momentum Leader in MDR

Best Support in MDR & IR

Managed Detection and Response (MDR)

Top Cybersecurity Company 
2025

Best Managed Detection and Response Service

#4 of 184 teams Splunk Boss of the SOC

Best Of Cybersecurity Awards for Q1 2025

AWS Partner

Splunk Manage Premier Partner

Image (11) (1)

Why you shouldn’t attempt 
to fix it alone

Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.

Taking the right steps in the first moments after a RansomEXX attack can make a huge difference and help you make a full recovery. Request 24/7 RansomEXX ransomware recovery services to decrypt your data and maximize your chances of restoring operations.

Contact us now for urgent ransomware recovery assistance

Under attack?

Get Help Now

RansomEXX ransomware statistics & facts

RansomEXX Decryptor
RansomEXX IOCs
RansomEXX Attack Vectors
Case Outcomes
How to Remove RansomEXX Ransomware?
How to Recover from RansomEXX Ransomware?
Ransom Amounts
RansomEXX Decryptor

No public decryption tool is available for RansomEXX. The malware uses strong RSA-4096+AES-256 encryption with private keys held exclusively by GOLD DUPONT. Decryption requires ransom payment (with no guarantee of functionality) or restoration from clean backups. Some victims reported key failures or incomplete decryption post-payment.

RansomEXX IOCs

Specific indicators include .ransomexx or victim-specific file extensions, [VICTIM_NAME]_MESSAGE.txt ransom notes, Cobalt Strike beacon artifacts, Metasploit exploitation signatures, and credential dumping tool evidence (Mimikatz, etc.). Network reconnaissance activity and lateral movement patterns are distinctive.

File Extensions
Primary extension is .ransomexx (e.g., document.docx.ransomexx). Victim-specific variants may use alternative extensions. Linux variants may use different extension patterns.

Ransom Note Filenames
[VICTIM_NAME]_MESSAGE.txt format with victim organization name inserted (e.g., Gigabyte_MESSAGE.txt, ADATA_MESSAGE.txt, CDProjektRed_MESSAGE.txt). Consistent naming across incidents facilitates identification.

RansomEXX Hashes
RansomEXX samples vary across campaigns and platforms (Windows vs. Linux). Behavioral analysis of Cobalt Strike coordination and encryption routines is more reliable than hash-based detection. Threat intelligence feeds provide updated hash collections.

RansomEXX Tools
GOLD DUPONT arsenal: Cobalt Strike, Metasploit, Mimikatz (credential dumping), PsExec (lateral movement), WMI (remote command execution), PowerShell (automation), custom data exfiltration utilities, SSH for Linux lateral movement.

 Most Common Red Flag (Commands)
PowerShell commands indicating credential enumeration, Mimikatz execution for credential dumping, Cobalt Strike beacon communications, SMB lateral movement attempts, WMIC execution for remote commands, evidence of SSH key usage for Linux access, bulk file transfers to staging directories.

RansomEXX Attack Vectors

Attack vector

% of RansomEXX incidents

Notes

Exposed Remote Access Services

40%

RDP, SSH, or VPN with weak credentials

Phishing & Initial Access Brokers

30%

Email-based credential theft or purchased access

Unpatched Vulnerabilities

20%

Exploitation of known CVEs in critical systems

Supply Chain Compromise

10%

Partner organization or software vendor breach

Powered By WP Table Builder
Case Outcomes

Gigabyte (electronics manufacturer) reportedly paid ransom estimated at USD $10 million post-2020 breach. ADATA (memory manufacturer) suffered similar attacks with significant operational disruption. CD Projekt Red (game developer) experienced data theft (Cyberpunk source code suspected) with no confirmed encryption or ransom payment. Multiple critical infrastructure organizations paid significant ransoms (estimates $5–20M+). Recovery timelines ranged from 2–8 weeks depending on system complexity.

How to Remove RansomEXX Ransomware?

Immediately isolate infected systems from networks using complete air-gapping or network segmentation. Reset all compromised credentials including administrative and service accounts across Windows and Linux systems. Preserve forensic evidence of Cobalt Strike beacon communications and lateral movement. Restore all encrypted files from verified clean backup copies predating the infection. Scan systems for persistence mechanisms, backdoors, and secondary malware installations. Conduct comprehensive threat hunting for Metasploit artifacts and privilege escalation evidence.

How to Recover from RansomEXX Ransomware?

Restore all encrypted files from verified clean backup repositories created before encryption occurred. Rebuild user credentials and implement multi-factor authentication on all systems and accounts. Deploy endpoint detection and response (EDR) solutions with focus on Cobalt Strike detection and lateral movement monitoring. Implement network segmentation to isolate critical infrastructure. Deploy data loss prevention (DLP) tools to monitor for bulk data transfers. Monitor both Windows and Linux systems for suspicious activity. Maintain immutable offline backup copies to prevent future encryption.

Ransom Amounts

RansomEXX demands range from $500,000 to $30,000,000+ depending on victim organization size, industry criticality, and data sensitivity. Healthcare and critical infrastructure organizations face the highest demands. Negotiated settlements typically reduce initial demands by 40–70%. Government and healthcare victims have reported settlements exceeding $10 million.

Our customers say it best

Contact us now for urgent ransomware recovery assistance

Under attack?

Get Help Now

Frequently asked questions

What is RansomEXX Ransomware?

RansomEXX, also known as Defray777, Target777, and Ransom X, is a sophisticated ransomware family active since 2018, attributed to the GOLD DUPONT threat group and Sprite Spider. The group distinguishes itself through dual Windows and Linux variants, enabling comprehensive network disruption across diverse infrastructure. RansomEXX operates as a mature RaaS platform with professional reconnaissance, lateral movement capabilities, and comprehensive toolkit. The group has demonstrated sustained capability to compromise critical infrastructure and essential services, with high-profile victims including government, healthcare, and major corporations.

Where is the GOLD DUPONT/RansomEXX Gang Located?

GOLD DUPONT is attributed to Russian-speaking operators with suspected Russian Federation base of operations. Law enforcement and intelligence agencies have publicly attributed GOLD DUPONT to Russian cybercriminal activities. The group maintains sophisticated infrastructure across multiple jurisdictions, making geographic pinpointing difficult. US law enforcement (FBI) has issued advisories on GOLD DUPONT threat group.

How Does RansomEXX Ransomware Work?

RansomEXX attacks follow a sophisticated, multi-stage approach: Initial reconnaissance using OSINT and vulnerability scanning to understand target infrastructure. Initial access via phishing, credential theft, or vulnerability exploitation. Persistent access establishment using Cobalt Strike beacons. Lateral movement across Windows and Linux systems using legitimate administrative tools and exploitation. Credential dumping via Mimikatz to obtain domain admin access. Data exfiltration to attacker-controlled servers or cloud storage, often targeting critical databases and configurations. Optional encryption of both Windows systems and Linux infrastructure (ESXi, databases, etc.) using dual-platform payloads. Ransom note deployment. Victim notification and negotiation initiation.

How Long Does a RansomEXX Attack Take?

RansomEXX campaigns typically span 2–8 weeks from initial access to encryption deployment. The group conducts thorough reconnaissance and lateral movement before payload deployment, ensuring comprehensive network access. Data exfiltration often spans 2–4 weeks as the group identifies and transfers high-value information. Encryption typically occurs over 24–72 hours once full network access is established.

Can RansomEXX Ransomware Be Decrypted?

No public decryption tools are available for RansomEXX. The malware uses strong RSA-4096+AES-256 encryption with private keys held exclusively by GOLD DUPONT. Decryption requires ransom payment (with no guarantee of functionality) or restoration from clean backups. Historical analysis shows that decryption keys have been provided post-payment in most cases, though incomplete decryption has been reported.

What Happens If You Pay the RansomEXX Ransom?

Payment has historically resulted in decryption key provision in most documented cases. However, no legal enforcement of payment agreements exists. Some victims have reported that exfiltrated data was still published or sold despite ransom payment. GOLD DUPONT demonstrates professionalism in honoring decryption key provision, though data publication threats remain independent from encryption recovery.

How to Prevent RansomEXX Infection?

Implement multi-factor authentication on all remote access services (RDP, SSH, VPN) and administrative accounts. Deploy comprehensive endpoint detection and response (EDR) solutions on all Windows systems with focus on Cobalt Strike detection. Deploy Linux-based security monitoring on all critical servers and ESXi hosts. Conduct regular vulnerability assessments and patching programs. Monitor networks for Mimikatz and credential dumping activity. Segment networks to isolate critical infrastructure. Implement data loss prevention (DLP) tools to monitor for bulk data transfers. Monitor dark web for your organization’s appearance on RansomEXX leak sites.

RansomEXX Threat Checklist

– Audit and strengthen all RDP, SSH, and VPN credentials – Deploy multi-factor authentication on all remote access and administrative accounts – Monitor for Cobalt Strike beacon communications and lateral movement – Implement EDR on all Windows systems – Deploy Linux security monitoring on critical servers and ESXi – Conduct regular vulnerability assessments and timely patching – Restrict access to critical databases and configurations – Verify backup integrity and test offline restoration procedures

Does RansomEXX Target Specific Industries?

RansomEXX shows strong preference for critical infrastructure including healthcare, government, and utilities. The group targets any large organization with operational criticality and significant financial resources to pay ransom. Critical infrastructure victims face the highest demands due to public safety implications and regulatory pressures. No specific vertical is excluded, but essential services face elevated risk.

What Makes the Linux Variant Significant?

RansomEXX’s Linux variant, discovered in late 2020, was among the first major ransomware families to target Linux systems at scale. This capability enables comprehensive network disruption by simultaneously encrypting Windows desktops/servers and Linux infrastructure (ESXi hypervisors, databases, file servers). The dual-platform approach ensures maximum operational impact and increases victim pressure to pay. Linux deployment capability demonstrates sophisticated development practices and understanding of diverse infrastructure environments.