
DXXD Ransomware Encrypts Files on Unmapped Network Shares

A new ransomware family has emerged that targets servers and encrypts files on network shares even if they haven’t been mapped to the infected computer.

Dubbed DXXD, the new piece of ransomware appends the .dxxd extension to encrypted files and then drops a ransom note onto the infected computers. The malware does not limit itself to files on the local machine: it also targets network shares, both mapped and unmapped, a feature that was previously seen in Locky.

While the ransomware’s infection vector isn’t clear at the moment, the attackers are believed to be abusing Remote Desktop Services and are brute-forcing passwords to spread the DXXD ransomware, BleepingComputer’s Lawrence Abrams notes.

The ransom note dropped by the new threat instructs users to contact the operators via two email addresses to receive payment instructions: rep_stosd[at] and rep_stosd[at]. However, as usually happens with ransomware infections, users are advised not to give in and pay the ransom.

Unlike other ransomware families out there, DXXD was configured to change a Windows Registry setting so that a so-called “legal notice” is displayed to users when they log in. This way, the ransomware author ensures that any user attempting to log into an infected computer sees the ransom note.

The “legal notice” informs users that the computer they are logging into “is attacked by hackers.” It also claims that users should contact experts at said emails and various other email addresses, such as shellexec[at] or null_ptr[at] “for more informations [sic!] and recommendations.”

To display the notice, the ransomware changes the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption registry key. It also changes HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText to display the following: “When you start Windows, Windows Defender works to help protect your PC by scanning for malicious or unwanted software.”
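As an added example (not from the article or from the analysis it cites), the two host artifacts described above, the .dxxd file extension and the rewritten Winlogon legal-notice values, can be checked in one detection pass over endpoint telemetry. The record layout, host names, process paths and approved banner text are constructed assumptions; the field names follow Sysmon's file-create (ID 11) and registry value-set (ID 13) events.

```python
import re

# Logon "legal notice" values the article says DXXD rewrites.
BANNER_VALUE = re.compile(
    r"\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\"
    r"(LegalNoticeCaption|LegalNoticeText)$",
    re.IGNORECASE,
)
# Assumption: the banner this organisation deploys on purpose.
APPROVED_BANNER = {
    "legalnoticecaption": "Authorized use only",
    "legalnoticetext": "Activity on this system is monitored.",
}
# Constructed sample telemetry: one event per line, key=value pairs split by "|".
SAMPLE_EVENTS = r"""
EventID=13|Computer=FS01|Image=C:\Windows\System32\svchost.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption|Details=Authorized use only
EventID=13|Computer=FS02|Image=C:\Users\Public\sample.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText|Details=constructed unexpected notice
EventID=11|Computer=FS02|Image=C:\Users\Public\sample.exe|TargetFilename=\\NAS01\finance\q3.xlsx.dxxd
EventID=11|Computer=FS02|Image=C:\Windows\explorer.exe|TargetFilename=C:\Data\notes.txt
EventID=13|Computer=FS03|Image=C:\Windows\regedit.exe|TargetObject=HKLM\SOFTWARE\Example\Setting|Details=1
"""

def parse_event(line):
    """Turn one 'k=v|k=v' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))

def find_dxxd_indicators(text):
    """Return (computer, kind, target, image) for each suspicious event."""
    alerts = []
    for line in filter(None, map(str.strip, text.splitlines())):
        ev = parse_event(line)
        if ev["EventID"] == "13":  # registry value set
            m = BANNER_VALUE.search(ev["TargetObject"])
            # Alert only when the new value differs from the approved banner.
            if m and ev["Details"] != APPROVED_BANNER[m.group(1).lower()]:
                alerts.append((ev["Computer"], "banner-changed", m.group(1), ev["Image"]))
        elif ev["EventID"] == "11":  # file created
            target = ev["TargetFilename"]
            if target.lower().endswith(".dxxd"):
                # UNC paths cover shares reached without a mapped drive letter.
                kind = "dxxd-file-on-share" if target.startswith("\\\\") else "dxxd-file-local"
                alerts.append((ev["Computer"], kind, target, ev["Image"]))
    return alerts

if __name__ == "__main__":
    for alert in find_dxxd_indicators(SAMPLE_EVENTS):
        print(alert)
```

Comparing the written value against an approved banner, rather than alerting on every write, keeps legitimate policy-driven banner updates from generating noise.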

According to Abrams, the ransomware’s alleged author decided to taunt victims and researchers by creating an account on BleepingComputer and claiming that a newer version of the ransomware has been developed and that it is more difficult to decrypt. The developer also claimed that a new zero-day vulnerability was used to compromise servers and install the ransomware.

Researchers say that paying the ransom isn’t a solution in the event of an attack, because it doesn’t guarantee that the data will be recovered. To keep their data safe, users are advised to constantly back up their files, keep their software up to date, use a reputable anti-malware solution, avoid opening attachments or clicking on links coming from unknown sources, disable Remote Desktop Protocol (RDP), and prevent files from running from AppData/LocalAppData folders.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
