(Palo Alto) Defray777 is an elusive family of ransomware also known as Ransom X and RansomExx. Although it has recently been covered in the news as a new family, it has been in use since at least 2018 and is responsible for a number of high-profile ransomware incidents -- as detailed in the articles we linked to. Defray777 runs entirely in memory, which is why there have been so few publicly discussed samples to date. In several recent incidents, Defray777 was loaded into memory and executed by {{Cobalt Strike}}, which was delivered by the {{Vatet}} loader.
TA0043 | TA0042 | TA0001 | TA0002 | TA0003 | TA0004 | TA0005 | TA0006 | TA0007 | TA0008 | TA0009 | TA0011 | TA0010 | TA0040 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
IP:Port | Timestamp |
---|---|
Domain | Timestamp |
---|---|
URL | Timestamp |
---|---|
2020-11-20 by Abraham Camba from Trend Micro
2020-11-06 by Ryan Tracey from Palo Alto Networks Unit 42
2020-09-23 by Lawrence Abrams from Bleeping Computer
2020-02-25 by Joel DeCapua from RSA Conference
2020-01-17 by Tamada Kiyotaka from Secureworks
2020 by SecureWorks from Secureworks
2017-09-26 by Cylance Threat Research Team from Threat Vector
2017-08-24 by Proofpoint Staff from Proofpoint
2017-08-24 by Proofpoint Staff from Proofpoint
Tool: Defray777
Names: Defray777, Defray, Defray 2018, Target777, Ransom X, RansomExx, Glushkov
Category: Malware
Type: Ransomware, Big Game Hunting
Information: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3/
Information: https://blogs.vmware.com/networkvirtualization/2021/03/deconstructing-defray777.html/
Information: https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware
Information: https://blogs.blackberry.com/en/2017/09/cylance-vs-defray-ransomware
Information: https://securityintelligence.com/posts/ransomexx-upgrades-rust/
Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.defray
Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:defray777
Last-card-change: 2022-12-28
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi