exx

[Content by Gemini 2.5]

Everything we know about the “.EXX” ransomware wave

(compiled for SOCs, MSPs, & home responders)


TECHNICAL BREAKDOWN

1. File extension & renaming patterns

  • Exact extension appended: .exx (lower-case, three letters, preceded by a dot)
  • Renaming convention:
    <original file-name>.<original-extension>.id-<Victim-ID>.[<attacker-e-mail>].exx
    Example (the attacker mailbox is redacted in the source as "[email protected]"):
    Quarterly-Results.xlsx.id-A12B3C4D.[[email protected]].exx
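
  A small triage helper for the renaming convention above, added here as an example (not code from the original write-up or from any vendor tool). It parses a file name into the original name, the Victim-ID and the attacker mailbox, and sweeps a listing so a responder can confirm that every encrypted file carries the same Victim-ID (the value the incident log should record). The file paths and the mailbox in the sample listing are constructed placeholders, not real indicators.

```python
import re
from pathlib import PureWindowsPath

# Renaming convention from the write-up:
#   <name>.<ext>.id-<Victim-ID>.[<attacker-mail>].exx
# The Victim-ID is shown as 8 alphanumerics; the mailbox sits inside square brackets.
EXX_NAME = re.compile(
    r"^(?P<original>.+?)"                  # original file name incl. its own extension
    r"\.id-(?P<victim_id>[A-Za-z0-9]{8})"  # victim identifier
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]"  # attacker mailbox in brackets
    r"\.exx$",
    re.IGNORECASE,
)


def parse_exx_name(path):
    """Return the parts of an EXX-renamed file name, or None if the name does not match."""
    # PureWindowsPath handles both '\' and '/' separators regardless of the analyst's OS.
    m = EXX_NAME.match(PureWindowsPath(path).name)
    if not m:
        return None
    return {
        "original": m["original"],
        "victim_id": m["victim_id"].upper(),
        "email": m["email"].lower(),
    }


def triage_listing(paths):
    """Split a listing into encrypted/untouched files and collect the IDs and mailboxes seen."""
    summary = {"encrypted": [], "untouched": [], "victim_ids": set(), "emails": set()}
    for p in paths:
        parsed = parse_exx_name(p)
        if parsed is None:
            summary["untouched"].append(p)
            continue
        summary["encrypted"].append((p, parsed["original"]))
        summary["victim_ids"].add(parsed["victim_id"])
        summary["emails"].add(parsed["email"])
    return summary


# Constructed sample listing (hypothetical paths; the mailbox is a placeholder, not an IoC).
SAMPLE_LISTING = [
    r"C:\Finance\Quarterly-Results.xlsx.id-A12B3C4D.[attacker@example.invalid].exx",
    r"C:\Finance\Budget 2021.docx.id-A12B3C4D.[attacker@example.invalid].exx",
    r"C:\Finance\info.hta",   # ransom note, not an encrypted file
    r"C:\Finance\info.txt",
    r"C:\Users\Public\notes.exx",   # bare .exx without id/mailbox: not this family's pattern
]

if __name__ == "__main__":
    s = triage_listing(SAMPLE_LISTING)
    print(len(s["encrypted"]), "encrypted files; victim IDs:", s["victim_ids"],
          "mailboxes:", s["emails"])
```

  A listing that yields more than one Victim-ID usually means more than one affiliate or more than one run touched the share; note each ID separately, since the attacker portal keys on it.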

2. Detection & outbreak timeline

  • First submitted to public malware repositories: 08-Jan-2021 (UTC)
  • Peak distribution period: Jan–Apr 2021 (returned in smaller waves through 2022)
  • Alias inside most AV engines: “Phobos-E” or “E-Phobos” (a commercial spin-off of the Phobos family sold as RaaS)

3. Primary attack vectors

| Vector | Typical details |
|--------|-----------------|
| RDP brute-force / leaked creds | Port 3389 exposed to the Internet, weak or recycled passwords; post-exploitation, net.exe is used to create the local user helpassistant for persistence |
| Spear-phish “Quote/Invoice” e-mail | ZIP → ISO → .LNK → payload; subject “Revised Purchase Order #XXXXX” |
| SMBv1 / EternalBlue | Observed on un-patched Win7/2008R2 during the spring-2021 wave; lateral movement via PsExec + wmic |
| Living-off-the-land / legitimate tooling | ProcessHacker driver to kill AV; WinRAR to stage data before exfiltration; MegaSync or rclone to upload “proof” packages |
| Pirated software cracks | Fake KMS/AutoCAD activators bundling the EXX dropper |


REMEDIATION & RECOVERY STRATEGIES

1. PREVENTION (do these TODAY)

  1. Close RDP from the Internet or guard it behind VPN + MFA; set “Account lockout threshold” to ≤5 attempts.
  2. Disable SMBv1 (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).
  3. Patch externally facing apps: Exchange (Mar-21 HAFNIUM), Log4j (Dec-21), Fortinet SSL-VPN (FG-IR-21-022).
  4. EDR/AV with its anti-ransomware protection turned ON (on Windows Defender: Controlled Folder Access plus the ASR rule that blocks credential stealing from lsass.exe).
  5. 3-2-1 backups: store one copy off-site, one offline, one immutable (object lock).
  6. SaaS mail-filter: strip ISO, IMG, VHD, and macro-enabled docs by default.
  7. Segment the LAN: use VLANs + firewalls so that a compromised workstation (an IT admin's included) cannot reach OT/finance shares directly.
  8. Practice recovery run-book; include hard-copy of credentials/key passphrases in a physical safe.

2. REMOVAL / CLEAN-UP STEPS (confirmed working)

A. Disconnect & triage
– Isolate first: unplug the network cable or disable Wi-Fi. Do not yank power from high-value servers; volatile memory (process list, loaded driver, possibly key material) is lost on power-down, so capture memory where you can, then shut down gracefully if the host must go down.

B. Collect artefacts
– Photograph ransom note on screen; copy *.txt / *.hta notes (usually info.hta + info.txt) to external USB for later IoC sharing.
– Note the Victim-ID inside the extension; include in incident log.

C. Kill persistence

  1. Boot into Safe Mode (prefer the variant without networking so the host stays isolated) or use Windows RE + cmd.
  2. Delete scheduled tasks “\Microsoft\Windows\RDS\HelperAssistant”, “ChromeHelper”, “FirefoxHelper”.
  3. Remove services named svhost (deliberate misspelling), ProcessHacker, DefControl.
  4. Delete rogue user profiles “helpassistant”, Duser, support.
  5. Clear malicious registry Run keys:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\

D. Scan & verify
– Full scan with updated Windows Defender OR a free rescue medium (Emsisoft Emergency Kit, Kaspersky Rescue Disk).
– Check the DNS cache for lookups of the contact-mail domains named in the ransom note (typical: *.secure-mail.cc, *.tutanota.com, *.cock.li). These are public e-mail providers used for negotiation, not command-and-control servers, so a lookup shows someone opened the note or replied, not that a beacon is live; block them at the perimeter if your organisation has no legitimate use for them.

E. Re-image OS or restore PC from known-good bare-metal image; reinstall apps, reset every local admin password, rotate domain creds.

3. FILE DECRYPTION & DATA RECOVERY

| Can files be decrypted WITHOUT paying? | Not today. |
|-----------------------------------------|------------|
| Encryption scheme | Salsa20 for file data, RSA-2048 public key embedded inside the binary; private key only on the attacker's server. |
| Free decryptor? | No master-key leak to date (checked 09-2023). Neither Kaspersky's nor Emsisoft's Phobos decryptor supports the EXX campaign variant (unique key per victim). |
| Brute-force feasible? | The RSA-2048 key length makes it computationally infeasible. |
| Shadow-copy recovery? | Almost always wiped on execution via vssadmin delete shadows /all /quiet. |
| Data-recovery companies? | Same answer: they negotiate on your behalf but still end up buying BTC for you; success rate is high if you prove ability to pay, but turnaround is 1–4 weeks and the fee is steep. |

Only reliable path → restore from clean, off-line, tested backups.

4. OTHER CRITICAL INFORMATION

  • Double extortion: EXX actors exfiltrate ~5 GB of “lucrative” file types (XLS, DOC, PDF, DBF, MDB) before encryption and threaten to publish on their clearnet blog (“Open-Data Blog”).
  • Chat portal: hxxps://data-2-decrypt[.]top/<Victim-ID> (TOR mirror also pushed). They keep portal live ~30 days; afterwards, price is doubled and communication switches to e-mail only.
  • Bug/oddity that helps forensics: the malware does NOT purge $MFT INDX entries for the originals, so file carving with PhotoRec/Scalpel can still retrieve a large number of smaller files (Office, source code) even after VSS is wiped. Yield depends on how much free space has been overwritten since the run, so treat carving as a partial measure, not a recovery plan.
  • Preferred payment: 0.6–1.2 BTC (≈ USD 15–45 k depending on victim size); deadline normally 96 h.
  • Russian-language negotiation notes, but affiliates operate from multiple time-zones (EN, ES, DE auto-replies).
  • Detection rule (Sigma) to share:
```yaml
title: Phobos/EXX Ransomware Artefact
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4688
    NewProcessName|endswith: '\svhost.exe'
    CommandLine|contains: '-access'
  condition: selection
level: high
```
  • YARA (VirusTotal retro-hunt):
```yara
rule winexxransom
{
    meta:
        author = "cyberfalcon"
    strings:
        // Renamed-file template: id-<8 alnum>.[<mailbox>].exx; ascii + wide covers UTF-16 strings in PE images
        $patt = /id-[A-Z0-9]{8}\.\[.{3,40}@[^\]]+\]\.exx/ ascii wide
    condition:
        uint16(0) == 0x5A4D and $patt
}
```
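
  To show what the Sigma rule actually matches, the following is an added example (not code from the original write-up or from any SIEM vendor) that evaluates the same selection logic over a handful of constructed Security-4688 events. It goes slightly beyond the rule above by adding a second selection for the vssadmin shadow-copy wipe described in the recovery table, so both artefacts of a run are flagged from one pass. Field names follow the 4688 event as the Sigma rule uses them; the paths and command lines in the sample are made up for the example.

```python
# Constructed sample events (hypothetical paths/IDs), shaped like Security 4688 records.
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},                     # legitimate svchost
    {"EventID": 4688, "NewProcessName": r"C:\Users\Public\svhost.exe",
     "CommandLine": r"C:\Users\Public\svhost.exe -access"},           # misspelt binary + flag
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},           # shadow-copy wipe
    {"EventID": 4624, "NewProcessName": r"C:\Users\Public\svhost.exe",
     "CommandLine": "svhost.exe -access"},                             # wrong event ID, must not fire
]

# Sigma selections as (field, modifier, value) triples; all triples in a rule are AND-ed.
RULES = {
    "Phobos/EXX svhost artefact": [
        ("EventID", "equals", 4688),
        ("NewProcessName", "endswith", r"\svhost.exe"),
        ("CommandLine", "contains", "-access"),
    ],
    "Shadow-copy deletion": [                       # added selection, see lead-in
        ("EventID", "equals", 4688),
        ("NewProcessName", "endswith", r"\vssadmin.exe"),
        ("CommandLine", "contains|all", ["delete", "shadows"]),
    ],
}


def field_matches(event, field, modifier, value):
    """Sigma string modifiers are case-insensitive; implement the handful used above."""
    actual = event.get(field)
    if actual is None:
        return False
    if modifier == "equals":
        return actual == value
    text = str(actual).lower()
    if modifier == "endswith":
        return text.endswith(value.lower())
    if modifier == "contains":
        return value.lower() in text
    if modifier == "contains|all":
        return all(v.lower() in text for v in value)
    raise ValueError(f"unsupported modifier {modifier}")


def evaluate(events, rules=RULES):
    """Return (event index, rule title) for every rule whose whole selection matches an event."""
    hits = []
    for i, ev in enumerate(events):
        for title, conditions in rules.items():
            if all(field_matches(ev, f, m, v) for f, m, v in conditions):
                hits.append((i, title))
    return hits


if __name__ == "__main__":
    for idx, title in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {title} -> {SAMPLE_EVENTS[idx]['CommandLine']}")
```

  Note that the legitimate svchost.exe line does not fire: the `endswith '\svhost.exe'` test requires the path separator directly before the misspelt name, which is what keeps the rule from matching the real service host.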


BOTTOM LINE
“.EXX” = Phobos-E RaaS, no free decryptor, only partial recovery by carving, but preventable by closing RDP & SMBv1, patching human & system gaps, and backing up offline. Prepare today; restore tomorrow with dignity (and without Bitcoin).

Stay safe,
– The DFIR & Ransomware Intel Team
(last major update: 14 Sep 2023)