Cyber Threat Actor: RansomEXX
| Actor Type | Location | Known Incidents |
Crime Syndicate
|
—
|
26 incidents |
|---|
Profile
Sprite Spider, operating under aliases Ransom X, RansomEXX, and RansomExx, is a ransomware group conducting financially motivated cyberattacks against diverse global entities. The group employs double extortion tactics, encrypting victim systems while exfiltrating sensitive data to pressure payment, threatening public leaks via dedicated dark web platforms if ransoms are unmet. Their operations demonstrate opportunistic targeting across sectors including aviation (Kenya Airways), telecommunications (Telecommunications Services of Trinidad and Tobago), healthcare (Brazil’s Unimed Belém, Spain’s Consorci Sanitari Integral), public administration (Italy’s Unione Reno Galliera, Brazil’s National Fund for Educational Development), logistics (Germany’s Hellmann Worldwide), and automotive services (Inchcape). Geographically, confirmed incidents span Europe, Africa, North America, Latin America, and Asia, with no explicit regional focus beyond avoiding systems using Russian or CIS languages—a noted operational constraint.
Technical patterns include leveraging known vulnerabilities such as Citrix/Netscaler’s CVE-2019-19781 (exploited against France’s MNH mutuelle) and DLL sideloading via Rainmeter, a legitimate Windows customization tool, to deploy payloads. The group maintains ransomware variants for both Windows and Linux environments, ensuring broad infrastructure impact. While initial access vectors are rarely specified, phishing and compromised credentials are implied in incidents like the Montreal Metro attack. Data exfiltration volumes range widely, from 5.8 GB (Unimed Belém) to 62 TB (Brazil’s FNDE), with leaks structured in standardized 500MB file batches. High-profile campaigns include disrupting Italy’s Lazio region COVID-19 vaccination portal in 2021, compromising Brazil’s Superior Court of Justice in 2020, and leaking 112 GB from hardware manufacturer Gigabyte. No verifiable state affiliations or criminal consortium ties are documented in public reporting, with activities consistently aligned with profit-driven ransomware collectives.
