Detection Content: Ransom X Behavior

Another ransomware family appeared this spring and is actively used in targeted attacks against enterprises and government agencies. In mid-May, cybercriminals attacked the network of the Texas Department of Transportation, but unauthorized access was discovered, and as a result, only part of the systems was encrypted. In this attack was used new ransomware – Ransom X, which stands out among its “relatives”. Ransom X is human-operated ransomware which opens a console after the execution that displays information to adversaries while it is running. It terminates 289 processes related to remote access tools, MSP and security software, databases, and mail servers. lt also performs a series of commands to clear Windows event logs, delete NTFS journals, disable System Restore, disable the Windows Recovery Environment, delete Windows backup catalogs, and wipe free space from local drives. In addition, this ransomware strain doesn’t encrypt several very specific folders, and researchers believe that in those folders cybercriminals store their tools used to infect other systems in the organization. It is currently unknown whether criminals steal data before encrypting files, or even use encryption to hide their malicious activity.

Ransom X ransomware can be detected using Ariel Millahuel‘s community threat hunting rule available on Threat Detection Marketplace:


The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, ELK Stack, RSA NetWitness, Sumo Logic, Graylog, Humio, LogPoint

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint



Tactics: Execution, Persistence, Privilege Escalation

Techniques: Scheduled Task (T1053)