axxes

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Axxes Ransomware appends .axxes to every encrypted file (e.g., report.docx becomes report.docx.axxes).
  • Dropper Behaviour: On Windows it also writes a copy of itself (axxes.exe, sometimes under a random name) into %TEMP% or %APPDATA%\[guid], then deletes the original binary to complicate forensic analysis. Encrypted files are not moved into archives; each original is overwritten in place and renamed with the extension, so the unencrypted file should no longer exist beside its .axxes copy.
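
The following is an added example, not code from the original write-up: it inventories .axxes files on a suspect host, recovers the original names, bounds the encryption window from write times, and checks the in-place-overwrite claim above. Only the .axxes extension comes from the page; the scan roots and the output file are assumptions to adjust per host.

```powershell
# Added example (not part of the original write-up): inventory .axxes files on
# a suspect host, recover the original names, and check the in-place overwrite
# claim. Only the .axxes extension comes from the page; the roots to scan and
# the output file are assumptions, adjust them to the host.
function Get-AxxesEncryptedFiles {
    param(
        [Parameter(Mandatory)] [string[]] $Root,
        [string] $Extension = '.axxes'
    )
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name.Length -gt $Extension.Length -and
                       $_.Name.EndsWith($Extension, [StringComparison]::OrdinalIgnoreCase) } |
        ForEach-Object {
            $originalName = $_.Name.Substring(0, $_.Name.Length - $Extension.Length)
            $originalPath = Join-Path $_.DirectoryName $originalName
            [pscustomobject]@{
                Encrypted      = $_.FullName
                Original       = $originalPath
                # In-place overwrite means the unencrypted file should be gone; a
                # surviving original points to copy-then-encrypt or a skipped file.
                OriginalExists = Test-Path -LiteralPath $originalPath -PathType Leaf
                LastWriteUtc   = $_.LastWriteTimeUtc
                Length         = $_.Length
            }
        }
}

# --- usage ---
$files = @(Get-AxxesEncryptedFiles -Root 'C:\Users', 'D:\')   # assumed roots
if ($files.Count -eq 0) { 'No .axxes files found.'; return }

# Encryption window: first and last write times bound when the run happened.
$sorted = $files | Sort-Object LastWriteUtc
'{0} encrypted files; writes span {1:u} to {2:u}' -f $files.Count, $sorted[0].LastWriteUtc, $sorted[-1].LastWriteUtc
'{0} originals still present beside their .axxes copy (expect 0 for an in-place overwrite)' -f @($files | Where-Object OriginalExists).Count

# Hardest-hit directories, and a CSV for the incident record.
$files | Group-Object { Split-Path -Path $_.Encrypted -Parent } |
    Sort-Object Count -Descending | Select-Object -First 10 Count, Name | Format-Table -AutoSize
$files | Export-Csv -LiteralPath (Join-Path $env:USERPROFILE 'axxes-inventory.csv') -NoTypeInformation
```

Run it from a recovery environment or after the process has been stopped; the CSV doubles as the list of files to restore from backup.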

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First observed in third-party telemetry on 2 November 2023; a noticeable surge in victim reports between 15 and 25 November 2023 marks it as an active campaign rather than quiet testing. No earlier family using the same extension is documented, which points to a new family rather than a rebrand.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. Phishing Emails with ISO Attachments – ISO images hide the axxes.exe payload and bypass some mail filters; on hosts without the late-2022 Windows updates, files extracted from a mounted ISO also lack the Mark-of-the-Web, so SmartScreen and Office macro blocking do not apply to them.
  2. DLL-Sideload via Legitimate Tools – Bundled with pirated software cracks (e.g., “Keygen.exe”) that drop a malicious DLL (libcurl.dll) alongside the crack; the crack loads the DLL, which launches the ransomware.
  3. Exploitation of CVE-2023-34362 (MOVEit Transfer SQLi) – Reported in-the-wild chains use the SQL injection to gain a foothold on the MOVEit server, then use credentials taken from it to pivot into the internal network and deploy axxes.
  4. RDP Brute-Force + Manual Execution – Port scans for RDP on TCP/3389 followed by dictionary attacks; once inside the perimeter, the attackers run axxes.exe via WMI or BITS jobs.
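
As an added example (not from the original write-up), this is how the RDP brute-force vector above shows up in the Windows Security log: a burst of failed logons (event 4625) from one source, followed by a successful RemoteInteractive logon (event 4624 with LogonType 10) from the same source. The event IDs and XML field names are standard Windows; the threshold, the function names and the constructed sample records are this example's own.

```powershell
# Added example (not part of the original write-up): find the RDP brute-force
# pattern above in the Security log. Event IDs 4625 (failed logon) and 4624
# with LogonType 10 (RemoteInteractive, i.e. RDP) are standard Windows events;
# the threshold, function names and the constructed sample are this example's own.
function Get-LogonRecords {
    param([datetime] $Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Id        = $_.Id
                User      = $data['TargetUserName']
                IpAddress = $data['IpAddress']
                LogonType = [int]$data['LogonType']
            }
        }
}

function Find-RdpBruteForce {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $FailureThreshold = 20
    )
    $remote = $Records | Where-Object { $_.IpAddress -and $_.IpAddress -notin @('-', '127.0.0.1', '::1') }
    foreach ($group in ($remote | Group-Object IpAddress)) {
        $failures  = @($group.Group | Where-Object Id -eq 4625)
        $rdpLogons = @($group.Group | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq 10 })
        if ($failures.Count -lt $FailureThreshold) { continue }
        [pscustomobject]@{
            Source        = $group.Name
            Failures      = $failures.Count
            DistinctUsers = @($failures.User | Sort-Object -Unique).Count
            FirstFailure  = ($failures | Sort-Object Time)[0].Time
            # A success from the same source after the spray is the signal to act on.
            RdpSuccess    = $rdpLogons.Count -gt 0
            SuccessUsers  = (@($rdpLogons.User | Sort-Object -Unique) -join ', ')
        }
    }
}

# Constructed sample so the logic runs offline; on a real host use
#   $records = Get-LogonRecords; Find-RdpBruteForce -Records $records
$sample = foreach ($i in 1..25) {
    [pscustomobject]@{ Time = (Get-Date).AddMinutes(-$i); Id = 4625; User = "user$i"; IpAddress = '203.0.113.7'; LogonType = 3 }
}
$sample += [pscustomobject]@{ Time = Get-Date; Id = 4624; User = 'backupadmin'; IpAddress = '203.0.113.7'; LogonType = 10 }
$sample += [pscustomobject]@{ Time = Get-Date; Id = 4625; User = 'alice';       IpAddress = '10.0.0.5';    LogonType = 2 }

Find-RdpBruteForce -Records $sample | Format-Table -AutoSize
```

With the sample data the report lists the single source that crossed the threshold and flags that it later succeeded over RDP; the second source stays below the threshold and is omitted. On a real host, a RdpSuccess row is the point at which to treat the machine as compromised rather than merely scanned.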

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
  • Disable macro execution for Office documents delivered from the Internet (current Office builds block them by default when the file carries the Mark-of-the-Web; enforce it by policy so users cannot unblock the file).
  • Block ISO, IMG, and VHD attachments at email gateways unless digitally signed by trusted senders.
  • Isolate infrastructure using network segmentation; never expose RDP directly to the Internet: require VPN + MFA or an RD Gateway with NPS, and enable Network Level Authentication on the hosts.
  • Patch MS SQL (KB5021125) and MOVEit Transfer (a build that fixes CVE-2023-34362, e.g. v2023.0.7 or later), and disable SMBv1 via Group Policy (there is no patch for SMBv1; it has to be turned off).
  • Maintain 3-2-1 backups with an offline (air-gapped) copy and test restores regularly. Volume shadow copies on endpoints help with quick rollbacks but are not a backup: as section 3 below notes, the malware deletes them.
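
The host-level items above can be audited in one pass. The script below is an added example, not part of the original write-up: it checks SMBv1, RDP Network Level Authentication and the Office "block macros from the Internet" policy, reports PASS/FAIL, and applies the fixes only when run with -Enforce (honouring -WhatIf). The registry locations are the documented Windows and Office policy paths; the check names and the Enforce wrapper are this example's own. Gateway attachment filtering and backup rotation are not host settings and are not covered.

```powershell
# Added example (not part of the original write-up): audit the host-level
# controls listed above and, with -Enforce, apply them. Registry locations are
# the documented Windows and Office policy paths; the check names and the
# Enforce/WhatIf wrapper are this example's own. Run elevated.
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param([switch] $Enforce)

$officePolicy = 'HKCU:\Software\Policies\Microsoft\Office\16.0'   # Office 2016/2019/2021/365
$rdpTcp       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$checks = @(
    @{ Name = 'SMBv1 server protocol disabled'
       Test = { -not (Get-SmbServerConfiguration).EnableSMB1Protocol }
       Fix  = { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force } },
    @{ Name = 'SMBv1 optional feature not enabled (client SKUs; servers use Remove-WindowsFeature FS-SMB1)'
       Test = { (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State -ne 'Enabled' }
       Fix  = { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null } },
    @{ Name = 'RDP requires Network Level Authentication'
       Test = { (Get-ItemProperty -Path $rdpTcp).UserAuthentication -eq 1 }
       Fix  = { Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 } }
)
# Office policy: blockcontentexecutionfrominternet = 1 under each app's Security key.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "$officePolicy\$app\Security"
    $checks += @{ Name = "$app blocks macros in Internet-sourced files (policy)"
                  Test = { (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).BlockContentExecutionFromInternet -eq 1 }.GetNewClosure()
                  Fix  = { New-Item -Path $key -Force | Out-Null
                           Set-ItemProperty -Path $key -Name BlockContentExecutionFromInternet -Value 1 -Type DWord }.GetNewClosure() }
}

foreach ($c in $checks) {
    $pass = $false
    try { $pass = [bool](& $c.Test) } catch { $pass = $false }   # e.g. feature cmdlet absent on Server
    if ($pass) { "[PASS] $($c.Name)"; continue }
    if ($Enforce -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Fix: $($c.Name)")) {
        & $c.Fix
        "[FIXED] $($c.Name)"
    } else {
        "[FAIL] $($c.Name)"
    }
}
```

Run it without switches to audit, then with -Enforce -WhatIf to preview, then -Enforce to apply. Disabling the SMBv1 feature needs a reboot to take effect.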

2. Removal

  1. Disconnect infected machines from LAN/Wi-Fi to stop lateral spread.
  2. Boot into Safe Mode (without networking, so the host stays isolated) or into WinRE/WinPE so the axxes persistence entries do not run.
  3. Delete the following artifacts (e.g., via WinPE boot media or LiveCD):
  • %TEMP%\axxes.exe
  • %APPDATA%\{random-guid}\axxes.exe
  • Registry Run-key entries: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{random-chars} (check the HKLM Run key as well).
  • Scheduled task “AxxSrvUpdate” (name differs per campaign) under C:\Windows\System32\Tasks.
  4. Run an on-demand scan with an updated ESET Online Scanner, Bitdefender Rescue, or Kaspersky Rescue Disk to confirm no remnants remain.
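
Steps 3 and 4 can be scripted so that nothing is deleted before it has been recorded. The script below is an added example, not part of the original write-up: it stops a running instance, finds Run-key values and scheduled tasks by the command they execute (the task name changes per campaign, so matching by name is unreliable), hashes the dropped binaries for IoC sharing, and removes everything only after listing it. The file name axxes.exe and the %TEMP% / %APPDATA%\{guid} drop folders come from the page; the match pattern and function layout are assumptions.

```powershell
# Added example (not part of the original write-up): find and remove the
# persistence artifacts listed in steps 3 and 4. The file name axxes.exe and the
# %TEMP% / %APPDATA%\{guid} drop folders come from the page; because the task
# name changes per campaign, tasks and Run entries are matched by the command
# they execute. Hashes are recorded before anything is deleted. Run elevated,
# on an already isolated host, and with -WhatIf first.
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param([string] $PayloadPattern = '(?i)\baxxes\.exe')   # regex; assumption based on the page

$findings = @()

# Stop any running instance first so it cannot re-create what we remove.
Get-Process | Where-Object { $_.Path -and $_.Path -match $PayloadPattern } |
    ForEach-Object { "Stopping PID $($_.Id): $($_.Path)"; Stop-Process -Id $_.Id -Force }

# 1. Run keys: the value name is random, so inspect every value's command line.
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $values) { continue }
    foreach ($p in $values.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # PSPath, PSProvider, ... are provider metadata
        if ([string]$p.Value -notmatch $PayloadPattern) { continue }
        $findings += [pscustomobject]@{
            Type = 'RunKey'; Target = "$key\$($p.Name)"; Detail = $p.Value
            Remove = { Remove-ItemProperty -Path $key -Name $p.Name }.GetNewClosure()
        }
    }
}

# 2. Scheduled tasks whose action launches the payload, whatever the task is called.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -notmatch $PayloadPattern) { continue }
        $findings += [pscustomobject]@{
            Type = 'ScheduledTask'; Target = "$($task.TaskPath)$($task.TaskName)"; Detail = $cmd
            Remove = { Unregister-ScheduledTask -TaskPath $task.TaskPath -TaskName $task.TaskName -Confirm:$false }.GetNewClosure()
        }
    }
}

# 3. Dropped binaries: %TEMP%\axxes.exe and %APPDATA%\<guid>\axxes.exe.
$dropCandidates = @(Join-Path $env:TEMP 'axxes.exe')
$guidDirs = Get-ChildItem -Path $env:APPDATA -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$' }
foreach ($dir in $guidDirs) { $dropCandidates += Join-Path $dir.FullName 'axxes.exe' }
foreach ($file in $dropCandidates) {
    if (-not (Test-Path -LiteralPath $file -PathType Leaf)) { continue }
    $findings += [pscustomobject]@{
        Type = 'File'; Target = $file
        Detail = 'SHA256 ' + (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash   # keep for IoC sharing
        Remove = { Remove-Item -LiteralPath $file -Force }.GetNewClosure()
    }
}

$findings | Select-Object Type, Target, Detail | Format-Table -AutoSize -Wrap
foreach ($f in $findings) {
    if ($PSCmdlet.ShouldProcess($f.Target, "Remove $($f.Type)")) { & $f.Remove }
}
```

Save the table output before the removal pass; the hashes in the Detail column are what to share with your community per the closing advice of this page.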

3. File Decryption & Recovery

  • Recovery Feasibility: As of June 2024, no freely available decryptor exists. Axxes uses a hybrid scheme: a per-host AES-256 key encrypts the files and is itself wrapped with an RSA-2048 public key, and the matching private key is held only on the attackers’ backend, so files cannot be recovered without it.
  • Attempted Workarounds:
  • Shadow Copies & Recycle Bin: The malware runs vssadmin delete shadows /all /quiet, but the deletion is not always complete; before assuming the copies are gone, list what remains with vssadmin list shadows (or the Win32_ShadowCopy WMI class) from the recovery environment and browse survivors with ShadowExplorer.
  • Undelete tools (Recuva, PhotoRec) typically recover only fragments, because each file is overwritten in place and SSDs TRIM freed blocks.
  • Official decryptor: Monitor the NoMoreRansom project for an Axxes entry; the project announces new decryptors on X/Twitter (@NoMoreRansom).
  • Essential Tools/Patches:
  • Qualys VMDR agent (detects missing patches against MOVEit CVE-2023-34362).
  • Malwarebytes Anti-Ransomware Beta (runtime behavioral blocker).
  • CISA’s Cyber Security Evaluation Tool (CSET) Ransomware Readiness Assessment (self-assessment covering controls such as SMBv1 disablement).
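
The shadow-copy check above, as an added example that is not part of the original write-up: it enumerates every shadow copy the OS still knows about, then exposes one as a folder so clean files can be copied out. Win32_ShadowCopy, Get-Volume and the mklink-to-GLOBALROOT device path are standard Windows facilities; the mount folder and the choice of the C: volume are assumptions. Run it elevated on an isolated host where the ransomware is no longer running.

```powershell
# Added example (not part of the original write-up): enumerate the shadow
# copies the OS still knows about and expose one as a folder so clean files
# can be copied out. The mount folder and the 'C' volume choice are assumptions.
#Requires -RunAsAdministrator
function Get-ShadowCopyInventory {
    $volumes = Get-Volume
    Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
        $shadow = $_
        $vol = $volumes | Where-Object Path -eq $shadow.VolumeName   # \\?\Volume{guid}\ on both sides
        [pscustomobject]@{
            Id           = $shadow.ID
            Created      = $shadow.InstallDate
            DriveLetter  = $vol.DriveLetter
            DeviceObject = $shadow.DeviceObject   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        }
    } | Sort-Object Created
}

function Mount-ShadowCopy {
    param(
        [Parameter(Mandatory)] [string] $DeviceObject,
        [string] $MountPoint = 'C:\shadow_restore'   # assumed; must not exist yet
    )
    if (Test-Path -LiteralPath $MountPoint) { throw "$MountPoint already exists" }
    # mklink is the documented way to reach a shadow device; the trailing backslash is required.
    cmd.exe /c mklink /d $MountPoint "$DeviceObject\" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "mklink failed with exit code $LASTEXITCODE" }
    Get-Item -LiteralPath $MountPoint
}

function Dismount-ShadowCopy {
    param([Parameter(Mandatory)] [string] $MountPoint)
    cmd.exe /c rmdir $MountPoint | Out-Null   # removes the link only, never the snapshot
}

# --- usage ---
$copies = @(Get-ShadowCopyInventory)
$copies | Format-Table -AutoSize
if ($copies.Count -eq 0) { Write-Warning 'No shadow copies remain on this host.'; return }

# The oldest copy of C: is the one most likely to predate the encryption run.
$oldest = $copies | Where-Object DriveLetter -eq 'C' | Select-Object -First 1
if (-not $oldest) { Write-Warning 'No shadow copy of C: remains.'; return }
$mp = Mount-ShadowCopy -DeviceObject $oldest.DeviceObject

# Does the snapshot predate the encryption? Count files already renamed inside it.
$snapshot  = @(Get-ChildItem -LiteralPath (Join-Path $mp.FullName 'Users') -Recurse -File -Force -ErrorAction SilentlyContinue)
$encrypted = @($snapshot | Where-Object Extension -eq '.axxes')
'{0} files in snapshot from {1:u}; {2} already carry .axxes' -f $snapshot.Count, $oldest.Created, $encrypted.Count
"Snapshot mounted at $($mp.FullName). Copy clean files out, e.g.: robocopy `"$($mp.FullName)\Users`" D:\restore /E /XF *.axxes"
"When finished: Dismount-ShadowCopy -MountPoint '$($mp.FullName)'"
```

A snapshot in which .axxes files already appear was taken after the run started and is only partially useful; pick the newest copy that still shows zero encrypted files.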

4. Other Critical Information

  • Unique Characteristics:
  • Chat-gateway extortion model – victims are directed to a Tor-based web chat (http://axxs5zxwxyz[.]onion/login.php) to negotiate; the demanded price automatically decreases from 2 BTC to 0.25 BTC over 15 days if victims stall.
  • Geo-targeting – skips execution if the Windows language identifier is Russian, Belarusian, Ukrainian, or Azerbaijani (possible Eastern European origin).
  • USB worming module – observed copying itself to attached removable drives as SystemUpdate.exe with an accompanying autorun.inf. AutoRun from removable media has been disabled by default since Windows 7, so the autorun.inf only fires on older or deliberately re-enabled hosts, but the dropped copy still spreads wherever someone runs it by hand.
  • Broader Impact:
  • As of May 2024, at least 137 organizations across manufacturing, higher-education, and healthcare sectors appear in leak-site samples.
  • Average downtime recorded in Coveware incident data: 19.3 days, which underlines the value of cold backups over decryption negotiations.
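
The USB check that follows is an added example, not part of the original write-up: it looks on every attached removable drive for the two worm artifacts named above, shows what the autorun.inf would launch, hashes the dropped binary before anyone cleans it, and reports whether AutoRun is explicitly disabled by policy. The file names come from the page; NoDriveTypeAutoRun is Microsoft's documented AutoRun policy value (0xFF disables it for every drive type). Function names are this example's own.

```powershell
# Added example (not part of the original write-up): check attached removable
# drives for the worm artifacts named above (SystemUpdate.exe plus autorun.inf)
# and report the AutoRun policy. File names come from the page; NoDriveTypeAutoRun
# is Microsoft's documented AutoRun policy value (0xFF = disabled for every drive type).
function Test-AutoRunPolicy {
    # $true only if a policy explicitly disables AutoRun for all drive types.
    foreach ($hive in 'HKLM', 'HKCU') {
        $policy = Get-ItemProperty -Path "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -ErrorAction SilentlyContinue
        if ($null -ne $policy.NoDriveTypeAutoRun -and ($policy.NoDriveTypeAutoRun -band 0xFF) -eq 0xFF) { return $true }
    }
    return $false
}

function Find-UsbWormArtifacts {
    # DriveType 2 = removable disk
    foreach ($disk in Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=2') {
        $root = $disk.DeviceID + '\'
        $exe  = Join-Path $root 'SystemUpdate.exe'
        $inf  = Join-Path $root 'autorun.inf'
        $hit  = [pscustomobject]@{
            Drive       = $disk.DeviceID
            Label       = $disk.VolumeName
            HasPayload  = Test-Path -LiteralPath $exe -PathType Leaf
            HasAutorun  = Test-Path -LiteralPath $inf -PathType Leaf
            AutorunOpen = $null
            PayloadHash = $null
        }
        if ($hit.HasAutorun) {
            # The open= / shellexecute= lines show what AutoRun would have launched.
            $hit.AutorunOpen = @(Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue |
                Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' }) -join '; '
        }
        if ($hit.HasPayload) {
            $hit.PayloadHash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash   # record before cleaning
        }
        $hit
    }
}

# --- usage ---
if (-not (Test-AutoRunPolicy)) {
    Write-Warning 'No NoDriveTypeAutoRun policy found; the OS default (disabled since Windows 7) applies. Set it to 0xFF to make the state explicit.'
}
$hits = @(Find-UsbWormArtifacts)
$hits | Format-Table -AutoSize
$hits | Where-Object { $_.HasPayload -or $_.HasAutorun } | ForEach-Object {
    Write-Warning "$($_.Drive) carries worm artifacts; quarantine the drive and add $($_.PayloadHash) to your IoC list."
}
```

Any drive that was plugged into an infected host during the incident should be checked this way before it touches a clean machine.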

Remain vigilant, keep offline backups, and share IoCs (file hashes, C2 domains) with your community to slow future spread.