
A severe ransomware attack by RansomEXX disrupted broadcasting and leaked 2.4 GB of highly sensitive data containing casting applicant profiles, CVs, and audition files. This analysis covers the technical execution, the shift to Rust-based malware, and defense strategies to protect enterprise networks.

Exploitation of edge devices or target spear-phishing
Executing Mimikatz to dump LSA secrets / admin credentials
Mapping Active Directory & propagating via SMB/Cobalt Strike
Staging and siphoning sensitive database files to external C2
Domain-wide execution of Rust binary & deletion of Volume Shadow Copies
If your team may be exposed to a similar threat, FemtoSec can help validate blast radius, prioritize remediation, and connect the issue to a practical security program.
The CRPxO ransomware group has launched an affiliate recruitment drive offering 70 percent payouts to access brokers. This multi-platform threat targets Windows and macOS environments, deploying a modular payload that combines clipboard hijacking, wallet seed harvesting, and double-extortion ransomware encryption.

June 19, 2026
Legal firm Vogeler Rechtsanwälte has been targeted by the Cloak ransomware group, with attackers claiming possession of 1.1 TB of organizational data. We analyze the implications of this incident and how firms can protect against high-stakes exfiltration threats.

June 19, 2026
KRYBIT ransomware actors claim to have exfiltrated 316 GB of data from AASA CP Holding. We break down the implications for GCC enterprises and outline immediate defensive priorities to mitigate similar risks.
Onion URL
http://rnsm777cdsjrsdlbs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion/2022/02/15/pop-tv
Slovenian commercial television broadcaster POP TV has suffered a major ransomware disruption and subsequent data breach claimed by the notorious RansomEXX threat group. Operating under the parent company Central European Media Enterprises, the network experienced severe infrastructure lockouts that forced the cancellation of its primary evening news program, VOYO streaming services, and video-on-demand uploading pipelines. Following the broadcaster's refusal to comply with extortion demands, the threat actors leaked approximately 2.4 GB of stolen files onto their public Tor-based leak portal, exposing the highly sensitive personal records of over 21,000 casting applicants.
The published archives contain five distinct multi-part compressed ZIP volumes totaling nearly 2.4 GB. This stolen repository holds the physical and digital identities of thousands of individuals who applied for casting roles with the broadcaster. The exposed files include detailed curriculum vitae, full-resolution photos, and audio-visual audition recordings. To facilitate public access and increase leverage, the threat group published the archives along with a standardized master archive password, specifically Vm14a2QxVXlVbGhVYWxwU1lteEtUMVJXWkc5WFp3, allowing third parties and secondary threat actors to download and unpack the sensitive files without restriction.
Organizations looking to validate their historical and active log files against RansomEXX activity should monitor for the following specific indicators:
Tor Onion Leak Portal: rnsm777cdsjrsdlbs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion
Decryption Password String: Vm14a2QxVXlVbGhVYWxwU1lteEtUMVJXWkc5WFp3
Ransom Note Filenames: !_WHATS_HAPPENED_!.txt and !_WHY_FILES_ARE_ENCRYPTED_!.txt
Ransomfeed Reference Hash: 01d4cfc945cabdf973a69b20efaa4c3201ce20c4cd7b06762b4f7f2b6cc6a9ec
Understanding the operational mechanics of the RansomEXX group, which is tracked by security researchers as Sprite Spider or DefrayX, reveals a highly sophisticated attack methodology. Historically, RansomEXX relied on highly targeted, human-operated network intrusions. Unlike opportunistic ransomware families that depend on automated worm-like propagation, Sprite Spider spends significant time performing internal reconnaissance, mapping Active Directory architectures, and locating localized backup storage before deploying the final cryptographic payload.
The attack chain typically follows a structured and deliberate progression:
Initial Access: The group often achieves initial entry by exploiting unpatched edge vulnerabilities in public-facing appliances or through targeted spear-phishing campaigns. This initial foothold allows the operators to establish persistence using customized backdoors and remote access agents.
Credential Harvesting and Lateral Movement: Once inside the perimeter, threat actors run credential-dumping utilities like Mimikatz to extract administrative secrets from memory. They utilize native Windows administration tools and frameworks like Cobalt Strike to navigate the corporate network, targeting high-privilege domain controller accounts.
Data Exfiltration: Before launching the encryption sequence, the actors identify file servers, document shares, and databases containing proprietary and sensitive personal data. They collect and stage this information, siphoning it out to external command and control servers over secure channels to establish the double-extortion hook.
Domain-Wide Encryption: The threat actors initiate a simultaneous deployment of the ransomware binary across all identified endpoints, virtual machines, and servers. The malware terminates active security services, stops database applications, and invokes administrative commands to delete Volume Shadow Copies, preventing localized restoration.
A notable aspect of the RansomEXX threat profile is its technological evolution, frequently referred to in underground forums as RansomEXX v2 or RansomEXX2. While the original variants were written primarily in C++, the threat group completed a full architectural migration to the Rust programming language. This shift represents a broader industry trend where sophisticated cybercriminals utilize modern compiled languages to bypass legacy signature-based antivirus solutions and endpoint detection systems.
Using Rust grants the threat actors several strategic advantages. First, compiled Rust binaries are highly optimized and secure, which translates to incredibly fast file-locking speeds. This rapid execution minimizes the window of opportunity for security teams to detect the encryption process and isolate infected systems. Second, Rust makes cross-compilation highly straightforward, enabling the group to compile native payloads for Windows, Linux, and specialized hypervisor environments like VMware ESXi from a single codebase. The encryption implementation relies on a robust hybrid mechanism, pairing symmetric AES-256-ECB to lock local files with asymmetric RSA encryption keys to secure the symmetric session keys, ensuring decryption is impossible without the private master key.
Analyzing the specific behaviors observed during RansomEXX operations helps security practitioners identify ongoing campaigns and implement proactive hunting queries. The following list outlines key MITRE ATT&CK techniques associated with this ransomware strain:
T1190 - Exploit Public-Facing Application: Exploiting unpatched corporate gateways and virtual private network endpoints to gain initial ingress.
T1003.001 - OS Credential Dumping (LSA Secrets): Harvesting administrative and domain credentials from memory to escalate privileges.
T1021.002 - SMB/Windows Admin Shares: Utilizing administrative shares to distribute and execute the ransomware payload across the local domain.
T1562.001 - Impair Defenses: Actively stopping local security services, deleting registry keys associated with endpoint defense, and disabling real-time monitoring tools.
T1490 - Inhibit System Recovery: Deleting localized system shadow copies and targeting online network-attached storage backups to block recovery.
Defending against highly targeted ransomware operations requires a multi-layered security strategy that prioritizes early detection and robust access control. Since threat groups like RansomEXX actively exploit exposed assets and network misconfigurations, maintaining an up-to-date inventory of external-facing systems is crucial. Security teams must ensure that all remote access portals, virtual private networks, and web applications are subjected to continuous verification.
To identify active post-compromise behaviors, security operations centers should deploy detection rules targeting administrative commands. Specifically, any execution of shadow copy deletion commands, such as vssadmin.exe delete shadows /all /quiet or wmic.exe shadowcopy delete, should trigger immediate critical-severity alerts. Additionally, monitoring for anomalous internal remote desktop and server message block connections can help detect lateral movement before the threat actors deploy the encryption payload.
Implementing a comprehensive penetration testing program allows organizations to discover hidden access paths and evaluate how their internal detection systems react to simulated adversary tactics. By proactively identifying and remediation exploitable pathways, enterprises can effectively prevent ransomware groups from establishing an initial foothold.
Free exposure check
Dark Web Scanner
check dark web mentions, compromised account indicators, malware log signals, public breach exposure, and recent underground market activity for your domain.
For organizations with established digital operations, ongoing dark web monitoring is essential to identify leaked credentials, compromised developer tokens, and initial access broker listings before they can be leveraged in a full-scale corporate intrusion. Ensuring that offline, immutable, or completely segmented backups are maintained guarantees that organizations can recover from severe operational disruptions without being forced into ransom negotiations.