ransomware / big game hunting / esxi specialist

RansomEXX / Defray777

also known as: Defray Defray 2018 Target777 RansomX RansomEXX2 (Rust variant) operators: SPRITE SPIDER (CrowdStrike) GOLD DUPONT (SecureWorks) DefrayX / Hive0091 (IBM)

An early pioneer of VMware ESXi-targeted ransomware — SPRITE SPIDER (CrowdStrike's designation for the operators) began developing Linux variants specifically to encrypt virtualized environments as early as July 2020, years before ESXi targeting became widespread practice in the ransomware ecosystem. The group runs low-volume, highly targeted big game hunting (BGH) campaigns with victim names hardcoded in each build, deploying a sophisticated multi-tool intrusion chain (Shifu, Vatet, PyXie, Cobalt Strike) before dropping the final ransomware payload. Active since 2018, the group rewrote its payload in Rust in December 2022 (RansomEXX2) and remains active as of 2025.

attributed origin Unknown — suspected Eastern Europe / Russia based on language artifacts

operator designations SPRITE SPIDER (CrowdStrike); GOLD DUPONT (SecureWorks); DefrayX / Hive0091 (IBM)

active since 2018 (Defray777); 2020 (RansomEXX brand); 2022 (Rust variant)

primary motivation Financial — double extortion; big game hunting for maximum ransom

primary targets Government, manufacturing, healthcare, education, tech — global BGH

distinguishing feature ESXi Linux variant deployed Jul 2020 — years ahead of the field

operating model Double extortion — encryption + dedicated leak site; victim names hardcoded in payload

target regions Global — US, France, Brazil primary; Canada, Japan, Australia, Italy, Taiwan confirmed

threat level High

Overview

RansomEXX traces its lineage to 2017 when the operator group — subsequently tracked by CrowdStrike as SPRITE SPIDER, SecureWorks as GOLD DUPONT, and IBM as DefrayX/Hive0091 — first deployed a ransomware strain called Defray. The group evolved that payload into Defray777 in 2018, a substantially more sophisticated variant incorporating novel evasion techniques and encryption logic that established the foundation for all subsequent iterations. The name "RansomEXX" emerged in 2020 when the string "ransom.exx" was discovered in a binary deployed in high-profile attacks on government agencies, and it became the public brand name for the operation from that point.

What distinguishes SPRITE SPIDER from many ransomware operators is the sustained investment in a proprietary, multi-tool intrusion chain developed over years. The group's lineage traces through the Shifu banking Trojan (used for initial access from approximately 2015), the Vatet loader (added around 2017), and the PyXie remote access Trojan (added in 2018) — all before Defray777 ransomware was layered on top in 2019. CrowdStrike researchers were able to tie Shifu, Vatet, and PyXie back to a single threat actor cluster, which had been operating under the radar by staging payloads on internal servers and deploying later-stage tooling exclusively in memory.

The group's most operationally significant technical milestone came in July 2020, when SPRITE SPIDER began using a Linux version of Defray777 specifically designed to encrypt VMware ESXi virtual machine files. This made them early pioneers in a technique that would become widespread across ransomware groups over the following two years. Encrypting ESXi hosts — rather than individual Windows endpoints — allows a single execution to simultaneously lock all VMs running on that hypervisor, maximizing the operational disruption per attack and increasing ransom leverage.

In November 2020, SPRITE SPIDER launched its own dedicated data leak site for double-extortion, months after other groups had begun using them. In December 2022, the group released RansomEXX2 — a complete rewrite of the Linux payload in the Rust programming language — following a trend set by high-profile ransomware groups including BlackCat and Hive. Rust offers cross-platform support and significantly lower antivirus detection rates compared to C++ binaries.

hardcoded victim targeting

Each RansomEXX build has the target organization's name hardcoded in the binary. This is not merely cosmetic — it confirms the highly targeted, pre-researched nature of each attack and is a reliable forensic indicator for attribution when analyzing a sample recovered from an incident. The ransomware payload itself is a unique build per victim, each containing a unique RSA public key pair used to protect the per-file AES encryption keys.

Target Profile

RansomEXX does not follow a narrow vertical focus. SPRITE SPIDER selects targets based on the ability to pay large ransoms — large enterprises and government organizations with sufficient revenue and operational dependency on their data systems to make payment compelling. The attack chain takes a minimum of hours and sometimes days between initial access and ransomware deployment, indicating meaningful pre-attack reconnaissance.

Government agencies: The Texas Department of Transportation (TxDOT) was among the early high-profile confirmed victims. The Italian region of Lazio's COVID-19 vaccination portal was shut down in August 2021. Multiple government entities across the US, Brazil, and Europe have been claimed as victims on the group's leak site.
Manufacturing and hardware: Taiwanese computer hardware manufacturer GIGABYTE confirmed a RansomEXX attack in 2021, resulting in data theft. Luxury fashion brand Zegna confirmed an attack the same year. Hellmann Worldwide Logistics was impacted. Embraer, the Brazilian aircraft manufacturer, was targeted in a 2020 attack.
Healthcare: A Scottish mental health charity was attacked in March 2022, with 12 GB of data — including personal information and credit card details of volunteers — published after the organization declined to pay. This targeting of a charity attracted criticism but reflected the group's broadly opportunistic approach to victim selection within its BGH model.
Education: Education institutions have been targeted in multiple documented campaigns, particularly in the 2020 wave that also affected manufacturing and government sectors.
Financial services and supply chain: RansomEXX targeted Brontoo Technology Solutions, a key collaborator in the Indian banking ecosystem, disrupting banks and payment providers in a supply chain attack.
Automotive: Ferrari was listed on the group's leak site in October 2022, claiming 7 GB of stolen data. Ferrari initially denied a breach but subsequently disclosed a cyber incident to regulators in March 2023.

Tactics, Techniques & Procedures

SPRITE SPIDER's attack chain is unusually stable and identifiable — the same tool stack (Shifu/BokBot, Vatet, PyXie, Cobalt Strike) has been documented across campaigns spanning years. The group has demonstrated the ability to move from initial access to ransomware deployment in as little as five hours when the environment is favorable.

mitre id	technique	description
T1190	Exploit Public-Facing Application	Vulnerable Citrix Application Delivery Controllers (ADCs) have been exploited for initial access. Exposed RDP services and VPN vulnerabilities are also documented initial access vectors. The group exploits unpatched internet-facing services as a consistent entry pattern.
T1566	Phishing	Low-volume targeted phishing campaigns are used alongside exploit-based initial access. LUNAR SPIDER's BokBot (IcedID) trojan was used as an initial access vector in documented campaigns, indicating purchased access from initial access brokers as an alternative entry path.
T1055	Process Injection — Reflective Loading	RansomEXX is typically deployed as fileless malware — reflectively loaded and executed entirely in memory without touching disk. The Vatet loader specifically uses trojanized legitimate applications (Notepad++ is a documented example) to hide malicious payloads, loading them via XOR-keyed config.dat files.
T1021.001	Remote Services: RDP	RDP is used for lateral movement after initial foothold. The group frequently targets domain controllers as the primary privilege escalation objective before domain-wide ransomware deployment.
T1003	OS Credential Dumping	Mimikatz and LaZagne are deployed via the Vatet loader for credential harvesting. PyXie RAT provides additional credential access and data collection capability. Harvested credentials are used for lateral movement and for authenticating to vCenter in ESXi attack chains.
T1078	Valid Accounts — vCenter Authentication	For ESXi attacks, SPRITE SPIDER harvests credentials that authenticate to the vCenter web interface. After login, operators enable SSH, change SSH keys or root passwords, kill running VMs via esxcli vm process list, and write the Linux Defray777 binary to /tmp/ using a masquerading filename (e.g., svc-new) before executing.
T1485	Data Destruction — VM Termination	Before executing Defray777 on ESXi, SPRITE SPIDER terminates all running VMs using esxcli commands to release file locks on VM disk files, enabling encryption of the underlying VMDK/VMFS volumes. VMware Fault Domain Manager (FDM) may be uninstalled via a bash script (VMware-fdm-uninstall.sh) to prevent automatic VM restart.
T1486	Data Encrypted for Impact	Files are encrypted using AES-256 (ECB mode in documented implementations); the AES key per file is encrypted using a 4096-bit RSA public key embedded uniquely in each victim build and appended to the encrypted file. Encrypted files receive a victim-specific extension. RansomEXX2 (Rust) uses AES-256 with RSA key protection, same architecture.
T1048	Exfiltration Over Alternative Protocol	Data is exfiltrated to attacker-controlled servers before ransomware deployment as part of the double-extortion model. PyXie RAT has data exfiltration capability. An internal IP was documented as an exfiltration staging point in Trend Micro's analysis of a 2021 campaign.

Known Campaigns

Texas Department of Transportation (TxDOT) May 2020

One of the first high-profile confirmed RansomEXX attacks following its rebrand from Defray777. TxDOT was targeted in what became emblematic of the group's government sector focus. The attack confirmed the group's targeting of critical government infrastructure and established the RansomEXX name in public reporting.

Embraer — Brazilian Aircraft Manufacturer Nov 2020

RansomEXX targeted Embraer, one of the world's largest commercial aircraft manufacturers. Approximately 267 GB of data was exfiltrated before encryption. The group released a sample of the stolen data on its leak site. The attack demonstrated the group's global reach and willingness to target aviation and defense-adjacent manufacturing.

ESXi Hypervisor Jackpotting — SPRITE SPIDER Linux Variant Jul 2020 onward

CrowdStrike documented SPRITE SPIDER's deployment of a Linux-native Defray777 variant specifically targeting VMware ESXi hypervisors. The attack chain involves harvesting vCenter credentials, enabling SSH, terminating running VMs with esxcli, and deploying the ransomware binary to /tmp/ under a masquerading filename. By encrypting the ESXi host directly, a single execution locks all virtual machines simultaneously — maximizing impact per attack. This made SPRITE SPIDER an early pioneer in ESXi targeting that the broader ransomware ecosystem would widely adopt by 2022.

GIGABYTE — Taiwanese Hardware Manufacturer Aug 2021

RansomEXX attacked GIGABYTE, a major motherboard and computer hardware manufacturer, encrypting systems and exfiltrating approximately 112 GB of data. The leaked data allegedly included confidential documents from Intel, AMD, and American Megatrends. The attack generated significant industry attention given GIGABYTE's position in the hardware supply chain.

Regione Lazio — Italian COVID-19 Portal Aug 2021

RansomEXX attacked the government of Lazio, Italy's second-largest region, shutting down the online portal managing COVID-19 vaccination appointments and other regional IT services. The attack caused significant public disruption at a critical point in the pandemic vaccination rollout and drew international attention as an example of ransomware targeting pandemic-critical health infrastructure.

Ferrari — Claimed Breach and Subsequent Disclosure Oct 2022 / Mar 2023

RansomEXX posted a claim to its leak site asserting the theft of 7 GB of Ferrari data — including contracts, invoices, internal communications, and repair manuals — four days after Ferrari announced a Formula 1 partnership with cybersecurity firm Bitdefender. Ferrari initially denied any breach. In March 2023, Ferrari separately disclosed a cyber incident involving a ransom demand, notifying customers of a potential data exposure. The relationship between the October claim and the March disclosure was not formally confirmed by Ferrari.

RansomEXX2 — Rust Rewrite and Rebrand Dec 2022

IBM Security X-Force documented a new Linux variant of RansomEXX written in the Rust programming language, named RansomEXX2 based on strings found in the binary. The operators simultaneously renamed their leak site to RansomEXX2. The Rust rewrite maintains the same functional architecture as the C++ predecessor — AES-256 file encryption with RSA key protection, command-line directory targeting — but achieves significantly lower antivirus detection rates due to Rust's memory safety model and the relative scarcity of Rust malware signatures at the time.

Brontoo Technology — Indian Banking Supply Chain 2024

RansomEXX targeted Brontoo Technology Solutions, a key technology provider for C-EDGE Technologies — which itself provides core banking infrastructure to regional cooperative banks across India. The supply chain attack cascaded to affect banks and payment providers in the Indian banking ecosystem, demonstrating RansomEXX's continued active operation and willingness to target financial system infrastructure through third-party intermediaries.

Tools & Infrastructure

SPRITE SPIDER's tool stack reflects years of deliberate investment in a layered intrusion capability. Unlike many ransomware operations that use commodity access tooling, this group developed and maintained several proprietary components.

Shifu / BokBot (IcedID): The Shifu banking Trojan was used as an initial access mechanism from approximately 2015 — before the group pivoted to ransomware. LUNAR SPIDER's BokBot (IcedID) has also been documented as an initial access vector, indicating the group has at times purchased access from initial access brokers or third-party malware networks.
Vatet Loader: Custom malware loader developed by SPRITE SPIDER around 2017. Vatet is notable for using trojanized legitimate applications (including Notepad++) as host processes, loading payloads from XOR-encrypted config.dat files. This makes it difficult to detect via static analysis. Only Vatet is written to disk — all subsequent payloads are executed in memory.
PyXie RAT: Custom Python-based remote access Trojan first deployed by the group in 2018. PyXie provides persistent remote access, credential harvesting, screenshot capture, keylogging, and data exfiltration capabilities. It is delivered by Vatet as an in-memory payload.
Cobalt Strike: The standard post-exploitation framework is used alongside PyXie for lateral movement within victim networks, particularly for domain controller targeting and privilege escalation prior to ransomware deployment.
Defray777 / RansomEXX (C++ variant): Windows and Linux ransomware. Files encrypted with AES-256 (ECB mode per some analysis), per-file key encrypted with 4096-bit RSA embedded in each unique victim build. The Linux variant specifically targets ESXi VMDK/VMFS files. Victim name and unique RSA key are hardcoded in each build. The binary name of the Linux variant typically masquerades as a legitimate system tool when deployed to /tmp/.
RansomEXX2 (Rust variant): Complete rewrite of the Linux payload in Rust, released December 2022. Identical architecture to the C++ variant — AES-256 file encryption, RSA key protection, command-line directory targeting — but significantly lower AV detection rates. Requires target directory paths as command-line arguments. The group simultaneously renamed its leak site to RansomEXX2.
Mimikatz / LaZagne: Standard credential harvesting tools delivered via the Vatet loader, used to extract stored Windows credentials for lateral movement and vCenter authentication in ESXi attack chains.
VMware-fdm-uninstall.sh: A bash script observed in ESXi campaigns that uninstalls VMware Fault Domain Manager — a component that monitors VMs and reboots them on failure. Removing FDM prevents automatic VM recovery after the operator terminates VMs prior to encryption, ensuring the encrypted state persists.

Indicators of Compromise

RansomEXX generates unique builds per victim with hardcoded names and RSA keys, making hash-based detection unreliable across victims. Behavioral and structural indicators are more reliable for detection.

per-victim builds

Each RansomEXX binary is a unique build containing the target organization's name and a unique RSA key pair. File hashes from prior victims will not match samples from new incidents. Detection must rely on behavioral indicators, structural characteristics (mbedtls library integration, process kill list patterns, ESXi esxcli usage), and YARA rules targeting code patterns rather than specific hashes.

indicators of compromise — behavioral and structural

file pattern Encrypted files receive a victim-specific extension (e.g., .txdot for Texas DOT, .gigabyte for GIGABYTE) — the extension matches the hardcoded victim name in the binary

ransom note !readme_[VICTIMNAME].txt — ransom note dropped post-encryption; contains unique Tor negotiation URL and victim-specific contact instructions

esxi indicator Execution of esxcli vm process list followed by esxcli vm process kill — VM termination prior to encryption; VMware-fdm-uninstall.sh executed to remove FDM

esxi indicator Linux binary written to /tmp/ with masquerading filename (e.g., svc-new); SSH enabled on ESXi host immediately prior to binary execution

loader Vatet loader presence — XOR-encrypted config.dat files; trojanized Notepad++ or other legitimate application used as host process; in-memory-only payload execution (no Vatet dropper files except initial Vatet binary)

behavioral Bulk process termination matching a predefined kill list before encryption begins; processes containing system file paths excluded from termination; security product processes targeted in kill list

skip list RansomEXX skips encrypting files with extensions: .ani .cab .cpl .cur .dll .drv .exe .bat .cmd .sys .lnk and others — to avoid breaking system functionality

code fingerprint mbedtls library integration pattern — shared between RansomEXX and Defray777 samples; integration method confirmed by VMware Threat Research as a shared code indicator across variants

Mitigation & Defense

SPRITE SPIDER's attack chain provides multiple detection and response opportunities before ransomware deployment. The multi-stage nature of the intrusion (Vatet → PyXie/Cobalt Strike → credential dumping → domain controller compromise → ransomware) means defenders have time to detect and interrupt the chain if monitoring is in place at each stage.

ESXi and vCenter Hardening: ESXi is the primary high-impact target. Restrict vCenter web interface access to management VLANs only — it should never be internet-accessible. Implement MFA for vCenter authentication. Monitor vCenter login logs for unusual login times, IP addresses, or multiple authentication attempts. Alert on SSH being enabled on ESXi hosts outside of scheduled maintenance windows.
ESXi SSH and esxcli Monitoring: The ESXi attack chain is operationally identifiable: SSH enable event, esxcli vm process list, esxcli vm process kill, binary written to /tmp/, FDM uninstall. Deploy ESXi syslog forwarding to a SIEM and create alerts for these specific command sequences. The kill-VM-then-encrypt sequence is a high-fidelity indicator of imminent ESXi ransomware execution.
Patch Internet-Facing Services — Especially Citrix and VPN: Vulnerable Citrix ADCs are a documented SPRITE SPIDER initial access vector. Maintain patch velocity on all internet-facing network appliances, prioritizing those with known exploitation in the wild. Apply CISA KEV as a minimum patching baseline. Disable internet-facing RDP; place it behind VPN with MFA where operationally required.
Fileless Malware and In-Memory Detection: Vatet and the subsequent payload chain operate primarily in memory. Signature-based AV is insufficient. Deploy behavioral EDR capable of detecting reflective DLL loading, process injection, and in-memory PowerShell execution. Alert on child processes spawned from legitimate applications (Notepad++, WMI, cmd) that then spawn further processes or make network connections.
Credential Harvesting Detection: Mimikatz and LaZagne are part of SPRITE SPIDER's standard toolkit. Alert on LSASS memory access by non-system processes, Mimikatz command-line patterns, and LaZagne execution. Implement Credential Guard where supported. Ensure domain controller accounts have highly privileged access controls — domain controller compromise is the key pre-ransomware milestone in this attack chain.
Domain Controller Monitoring: SPRITE SPIDER specifically targets domain controllers as the primary pivot point before domain-wide ransomware deployment. Monitor domain controllers for unusual logins, Group Policy modifications, new service installations, and lateral movement from non-administrative systems. Alert on any new executable run from a domain controller that is not part of standard administrative tooling.
IcedID / BokBot Detection: IcedID (BokBot) is a documented alternative initial access vector. Deploy email security capable of detonating Office document attachments in a sandbox. Alert on IcedID behavioral patterns: dropped DLLs registered as scheduled tasks, rundll32 executing DLLs from user profile directories, outbound HTTPS to domains with recently registered certificates.
Immutable and Offline Backups: RansomEXX encrypts VMDKs — meaning VM backups stored on the same ESXi storage are at risk. Maintain offline, tested backups of critical VM images on storage that is not accessible from the ESXi management plane. Snapshot-based backup alone on the same storage is not sufficient against this attack pattern.

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile — ransomexx / defray777 — last updated 2025-03-27