Axxes Ransomware Group Appears to be the Rebranded Version of Midas Group
Axxes ransomware note
| Category | Industry | Country/Region | Source* |
|---|---|---|---|
| Adversary Intelligence | Multiple | Global | F6 |
- CloudSEK’s flagship digital risk monitoring platform XVigil discovered a financially motivated threat actor group, Axxes ransomware, which appears to be a rebrand of a previously known ransomware group.
- The Axxes ransomware group’s PR site lists The H Dubai as their latest victim.
- Their target regions include the USA, Middle East, France, and China.
- Axxes is a ransomware that encrypts files and appends the .axxes extension to them.
- Axxes creates a file labeled "RESTORE_FILES_INFO.hta", which contains the ransom note. It also creates a file labeled "RESTORE_FILES_INFO.txt".
- The ransomware executes various tasks such as:
  - Looking up the geo-location of the device
  - Modifying the Windows Firewall
  - Modifying the extension of the files on the victim’s device
  - Killing processes with taskkill.exe
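The behaviours listed above (files renamed to the .axxes extension, the two RESTORE_FILES_INFO ransom-note files, taskkill.exe execution and Windows Firewall changes) can be turned into a simple endpoint detection. The following is an added illustration, not code from the report or from CloudSEK; the key=value telemetry format, the sample events, the netsh form of the firewall change and the rename threshold are all assumptions.

```python
import re
from typing import Dict, Iterable

# Constructed sample telemetry (not from the report). Assumed format: key=value
# pairs per line, values containing spaces wrapped in double quotes.
SAMPLE_EVENTS = [
    'type=process image="C:\\Windows\\System32\\taskkill.exe" cmdline="taskkill /F /IM sqlservr.exe"',
    'type=process image="C:\\Windows\\System32\\netsh.exe" cmdline="netsh advfirewall set allprofiles state off"',
    'type=file_rename path="C:\\Finance\\Q1.xlsx" new_path="C:\\Finance\\Q1.xlsx.axxes"',
    'type=file_rename path="C:\\Finance\\Q2.xlsx" new_path="C:\\Finance\\Q2.xlsx.axxes"',
    'type=file_rename path="C:\\HR\\cv.docx" new_path="C:\\HR\\cv.docx.axxes"',
    'type=file_create path="C:\\Finance\\RESTORE_FILES_INFO.hta"',
    'type=file_create path="C:\\Finance\\RESTORE_FILES_INFO.txt"',
    'type=process image="C:\\Windows\\explorer.exe" cmdline="explorer.exe"',
]

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Indicators taken from the report: extension, ransom-note names, taskkill.exe,
# firewall modification. The netsh command line itself is an assumption.
ENCRYPTED_EXT = ".axxes"
RANSOM_NOTES = {"restore_files_info.hta", "restore_files_info.txt"}
MIN_ENCRYPTED = 3  # renames needed before a burst counts (tunable assumption)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value telemetry line into a dict (quotes stripped)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV_RE.finditer(line)}


def detect_axxes(lines: Iterable[str]) -> Dict[str, object]:
    """Count the Axxes indicators seen and return a verdict when two or more overlap."""
    encrypted, notes, taskkill, firewall = 0, [], 0, 0
    for line in lines:
        ev = parse_event(line)
        kind = ev.get("type")
        if kind == "file_rename" and ev.get("new_path", "").lower().endswith(ENCRYPTED_EXT):
            encrypted += 1
        elif kind == "file_create" and ev.get("path", "").rsplit("\\", 1)[-1].lower() in RANSOM_NOTES:
            notes.append(ev["path"])
        elif kind == "process":
            image, cmd = ev.get("image", "").lower(), ev.get("cmdline", "").lower()
            taskkill += image.endswith("taskkill.exe")
            firewall += image.endswith("netsh.exe") and "firewall" in cmd
    score = sum([encrypted >= MIN_ENCRYPTED, bool(notes), taskkill > 0, firewall > 0])
    return {"encrypted": encrypted, "ransom_notes": notes, "taskkill": taskkill,
            "firewall_change": firewall, "verdict": "axxes_suspected" if score >= 2 else "no_match"}


if __name__ == "__main__":
    print(detect_axxes(SAMPLE_EVENTS))
```

Requiring two overlapping indicators keeps a lone taskkill.exe or netsh invocation by an administrator from raising the alert on its own.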
> \>> What happened?
> Important files on your network was ENCRYPTED and now they have "Axxes" extension. In order to recover your files you need to follow instructions below.
>
> \>> Sensitive Data
> Sensitive data on your network was DOWNLOADED. More than 70 GB. If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly. Data includes:
> - Employees personal data, CVs, DL, SSN.
> - Complete network map including credentials for local and remote services.
> - Private financial information including: clients data, bills, budgets, annual reports, bank statements.
>
> \>> CAUTION
> DO NOT MODIFY ENCRYPTED FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS.
>
> \>> What should I do next?
> 1) Download and install Tor Browser from: https://torproject.org/
> 2) ymnbqd5gmtxc2wepkesq2ktr5qf4uga6wwrsbtktq7n5uvhqmbyaq4qd.onion/link.php?id=hTjNdkb5OCr74qyYii8r5987laFscF
- Once the files are encrypted, the group leaves a link containing the victim ID. The link directs the victim to a chat page where an account is created using that authorization ID.
- The victim organizations listed on the group’s PR site include details about the organization, such as an address, contact information, number of views, website, and next update date.
- Based on the logo of the ransomware group, it appears to be a rebranded version of the Midas ransomware group.
- Midas ransomware used the same logo and listed the same victims, apart from the recent additions. The Midas group was first observed in October 2021.
- Midas itself was believed to be a rebranded version of Haron ransomware, and Haron in turn was a rebrand of the Avaddon ransomware group.
- Some researchers have also claimed that Midas is a variant of Thanos.
- While the Haron ransomware group is still operating as Haron Ransomware2, the leak site of the Midas ransomware group is not active anymore.