The Defray777 ransomware group has been active since 2018.

Defray777, also known as Ransom X and RansomExx, has been hard to pin down recently.

Although the group keeps a low profile, Defray777 runs a data leak site on which, at the time of writing, two companies are listed.

The ransomware itself runs only in memory. In recent attacks, the operators injected Defray777 into memory and deployed Cobalt Strike alongside it.

While executing, Defray777 spreads its work across multiple threads and tunes how Windows schedules them, calling SetProcessPriorityBoost, SetThreadAffinityMask and SetThreadPriorityBoost to control priority boosting and which CPUs its threads run on.

Defray777 starts dedicated threads to terminate processes it deems “undesirable.”

The following processes are excluded from termination:

• powershell.exe
• WerFault.exe
• vmnat.exe
• rundll32.exe
• explorer.exe

During encryption, Defray777 encrypts as many files as it can while leaving the system's core functionality intact.

Once the files are encrypted, Defray777 runs anti-forensics measures to remove evidence of the incident. Note that these commands run after encryption: by the time they trigger an alert in Endpoint Detection and Response (EDR) tooling, the victim’s files may already have been encrypted.
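Because the anti-forensics commands fire only after encryption, the earlier process-killing phase is the better place to catch Defray777. One signal for that phase is a single process requesting PROCESS_TERMINATE access against many other processes in a short window, which Sysmon records as Event ID 10 (ProcessAccess) with the terminate bit set in GrantedAccess. The script below is an added example written for this article, not SpearTip or ShadowSpear code; the event records, the source path `C:\Windows\Temp\svc.exe`, the thresholds and the helper names are all constructed for illustration. The excluded-image list from the article is used only to confirm the flagged process never asked to terminate those images.

```python
"""Hunt for a process that requests PROCESS_TERMINATE on many peers quickly.

Added example for this article, not vendor tooling. Input is a handful of
constructed Sysmon Event ID 10 (ProcessAccess) records: the field names follow
Sysmon's schema, the values are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows access-right bit carried in Sysmon's GrantedAccess field.
PROCESS_TERMINATE = 0x0001

# Images the article says Defray777 leaves alone (lower-cased for comparison).
EXCLUDED_IMAGES = {
    "powershell.exe", "werfault.exe", "vmnat.exe", "rundll32.exe", "explorer.exe",
}

# Constructed Sysmon EID 10 records, not real telemetry. The first six come
# from a hypothetical dropped binary; the rest are ordinary background noise.
SAMPLE_EVENTS = [
    {"UtcTime": "2021-03-02 10:15:01.000", "SourceImage": r"C:\Windows\Temp\svc.exe",
     "TargetImage": r"C:\Program Files\SQL\sqlservr.exe", "GrantedAccess": "0x1"},
    {"UtcTime": "2021-03-02 10:15:01.200", "SourceImage": r"C:\Windows\Temp\svc.exe",
     "TargetImage": r"C:\Program Files\MySQL\mysqld.exe", "GrantedAccess": "0x1"},
    {"UtcTime": "2021-03-02 10:15:01.900", "SourceImage": r"C:\Windows\Temp\svc.exe",
     "TargetImage": r"C:\Program Files\Office\outlook.exe", "GrantedAccess": "0x1001"},
    {"UtcTime": "2021-03-02 10:15:02.300", "SourceImage": r"C:\Windows\Temp\svc.exe",
     "TargetImage": r"C:\Program Files\Office\winword.exe", "GrantedAccess": "0x1"},
    {"UtcTime": "2021-03-02 10:15:03.100", "SourceImage": r"C:\Windows\Temp\svc.exe",
     "TargetImage": r"C:\Program Files\Office\excel.exe", "GrantedAccess": "0x1"},
    {"UtcTime": "2021-03-02 10:15:03.800", "SourceImage": r"C:\Windows\Temp\svc.exe",
     "TargetImage": r"C:\oracle\bin\oracle.exe", "GrantedAccess": "0x1"},
    # A user ending one task from Task Manager: terminate bit, but a single target.
    {"UtcTime": "2021-03-02 10:15:05.000", "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1"},
    # AV reading lsass memory: noisy, but no terminate bit.
    {"UtcTime": "2021-03-02 10:15:06.000", "SourceImage": r"C:\ProgramData\AV\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # Second Task Manager kill, five minutes later: still only two targets.
    {"UtcTime": "2021-03-02 10:20:00.000", "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Program Files\Chrome\chrome.exe", "GrantedAccess": "0x1"},
]


def parse_time(value: str) -> datetime:
    """Sysmon writes UtcTime as 'YYYY-MM-DD HH:MM:SS.mmm'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def requests_terminate(granted_access: str) -> bool:
    """True when the hex GrantedAccess mask includes PROCESS_TERMINATE."""
    return int(granted_access, 16) & PROCESS_TERMINATE != 0


def basename(image_path: str) -> str:
    return image_path.rsplit("\\", 1)[-1].lower()


def find_mass_terminators(events, min_targets=5, window=timedelta(seconds=10)):
    """Map each flagged SourceImage to every target it asked to terminate.

    A source is flagged when it requests PROCESS_TERMINATE on at least
    `min_targets` distinct targets inside any `window`-long span.
    """
    by_source = defaultdict(list)
    for ev in events:
        if requests_terminate(ev["GrantedAccess"]):
            by_source[ev["SourceImage"]].append((parse_time(ev["UtcTime"]), ev["TargetImage"]))

    hits = {}
    for source, accesses in by_source.items():
        accesses.sort()
        lo = 0
        for hi in range(len(accesses)):
            # Slide the window start forward until it spans at most `window`.
            while accesses[hi][0] - accesses[lo][0] > window:
                lo += 1
            distinct = {target for _, target in accesses[lo:hi + 1]}
            if len(distinct) >= min_targets:
                hits[source] = sorted({target for _, target in accesses})
                break
    return hits


def excluded_touched(hits):
    """Excluded images that a flagged source nevertheless tried to terminate."""
    return {basename(t) for targets in hits.values() for t in targets} & EXCLUDED_IMAGES


if __name__ == "__main__":
    for source, targets in find_mass_terminators(SAMPLE_EVENTS).items():
        print(f"{source} requested PROCESS_TERMINATE on {len(targets)} processes:")
        for target in targets:
            print("   ", target)
    print("excluded images touched:", excluded_touched(find_mass_terminators(SAMPLE_EVENTS)) or "none")
```

Tune `min_targets` and `window` to the host: a database server whose service control scripts stop several processes at once will need a higher threshold than a workstation, and the Task Manager records in the sample show why a single terminate request on its own is not worth alerting on.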

It is important to stay cognizant of emerging threats and your organization’s risk profile, and to keep your vulnerability management program up to date.

SpearTip is constantly watching for new malware and manipulative programs. Our 24/7 Security Operations Center (SOC) is fully staffed with cybersecurity professionals to monitor and protect your environment. Not only do our cybersecurity teammates continuously prevent cyberattacks, but they can also deploy our proprietary tool, ShadowSpear®, in an environment before or after an attack.