Threat Actor Profile
Medium
Cybercriminal
Description
RansomExx is a ransomware family that targeted multiple companies starting in mid-2020. It shares commonalities with Defray777.
Confidence Score
Tags
ransomware
ransomware.live
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
Indicators of Compromise
IOC KQL for Sentinel
STIX Data
{'added_date': None,
 'client': '2003264@sit.singaporetech.edu.sg',
 'description': 'RansomExx is a ransomware family that targeted multiple '
                'companies starting in mid-2020. It shares commonalities with '
                'Defray777.\n',
 'firstseen': '2020-05-14T00:00:00+00:00',
 'group': 'ransomexx',
 'has_negotiations': False,
 'has_ransomnote': True,
 'lastseen': '2026-04-17T00:00:00+00:00',
 'locations': [{'available': True,
                'fqdn': 'rnsm777cdsjrsdlbs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion',
                'slug': 'http://rnsm777cdsjrsdlbs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion/',
                'title': 'RansomEXX v2',
                'type': 'DLS'}],
 'negotiation_count': 0,
 'ransomnotes_count': 5,
 'tiaras_metadata': {'has_negotiations': False,
                     'has_ransomnote': True,
                     'locations': [{'available': True,
                                    'fqdn': 'rnsm777cdsjrsdlbs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion',
                                    'slug': 'http://rnsm777cdsjrsdlbs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion/',
                                    'title': 'RansomEXX v2',
                                    'type': 'DLS'}],
                     'negotiation_count': 0,
                     'ransomnotes_count': 5,
                     'ransomware_live_group': 'ransomexx',
                     'tools': {'CredentialTheft': ['LaZagne',
                                                   'Mimikatz',
                                                   'ProcDump'],
                               'DefenseEvasion': [],
                               'DiscoveryEnum': [],
                               'Exfiltration': [],
                               'LOLBAS': ['BCDEdit',
                                          'Windows Event Utility (wevtutil)'],
                               'Networking': [],
                               'Offsec': ['Cobalt Strike'],
                               'RMM-Tools': []},
                     'url': 'https://www.ransomware.live/group/ransomexx',
                     'victims': 85,
                     'vulnerabilities': []},
 'tiaras_source': 'ransomware.live',
 'tools': {'CredentialTheft': ['LaZagne', 'Mimikatz', 'ProcDump'],
           'DefenseEvasion': [],
           'DiscoveryEnum': [],
           'Exfiltration': [],
           'LOLBAS': ['BCDEdit', 'Windows Event Utility (wevtutil)'],
           'Networking': [],
           'Offsec': ['Cobalt Strike'],
           'RMM-Tools': []},
 'ttps': [],
 'url': 'https://www.ransomware.live/group/ransomexx',
 'victims': 85,
 'vulnerabilities': []}