New Ransomware Group “BravoX” Goes Live, Launches Affiliate-Driven Extortion Campaign

BravoX Ransomware-as-a-Service (RaaS)

Initial Public Operations Observed: January 26


Executive Summary

BravoX is a newly operational ransomware group that formally launched its extortion infrastructure on January 26. The group operates under a ransomware-as-a-service model, providing ransomware tooling, negotiation support, and leak-site infrastructure to recruited affiliates. Affiliates are responsible for gaining initial access and executing attacks, while BravoX operators manage encryption payloads, payment handling, and public pressure through data leaks.

Early activity indicates moderate technical capability with a heavy reliance on stolen credentials, exposed remote access services, and standard post-compromise tooling rather than novel exploits. This suggests BravoX is focused on scale and speed rather than stealth or innovation.


Detailed Attack Lifecycle

1. Initial Compromise

BravoX affiliates favor low-resistance entry points that allow quick access with minimal malware usage.

Most Common Initial Vectors

  • VPN portals without MFA (especially legacy SSL VPNs)
  • Exposed RDP services with weak credentials
  • Compromised credentials reused across environments
  • Phishing campaigns delivering:
    • HTML smuggling attachments
    • ISO / IMG / VHD disk images
    • Password-protected ZIP archives

Typical Initial Execution

  • User opens attachment → launches loader
  • Loader pulls secondary tools from short-lived hosting
  • PowerShell or cmd is used to bootstrap access

No confirmed exploitation of zero-day vulnerabilities has been observed so far.


2. Establishing Control & Persistence

Once inside, affiliates focus on maintaining access before moving laterally.

Observed / expected behaviors:

  • Creation of new local admin accounts
  • Abuse of existing service accounts
  • Scheduled tasks disguised as system maintenance
  • Registry Run keys for persistence
  • Deployment of legitimate remote tools (RMM abuse)

Common abused tools:

  • AnyDesk
  • ScreenConnect
  • Atera
  • TeamViewer (portable versions)

3. Internal Reconnaissance

Affiliates rely heavily on built-in Windows utilities to avoid detection.

Common commands:

  • whoami /all
  • net user /domain
  • net group "Domain Admins" /domain
  • nltest /dclist
  • ipconfig /all
  • arp -a
  • route print

Active Directory is mapped early to identify:

  • Backup servers
  • File servers
  • Hypervisors
  • Domain controllers

4. Credential Access

Credential harvesting is a key step before ransomware deployment.

Observed techniques:

  • LSASS dumping via:
    • Task Manager abuse
    • Procdump
    • Comsvcs.dll MiniDump
  • Extraction of:
    • NTLM hashes
    • Kerberos tickets
    • Cached credentials

Harvested credentials are reused rapidly for lateral movement.


5. Lateral Movement

Movement is fast and noisy, prioritizing reach over stealth.

Methods include:

  • RDP with stolen credentials
  • SMB authentication hopping
  • Service execution via PsExec-like techniques
  • WMI-based remote command execution

Focus is placed on:

  • File servers
  • Backup infrastructure
  • Virtualization hosts (ESXi, Hyper-V management systems)

6. Data Collection & Exfiltration

Before encryption, affiliates conduct systematic data theft.

Data targeted:

  • Financial documents
  • HR data
  • Legal records
  • Customer databases
  • Email archives

Staging behavior:

  • Data compressed into multi-part archives
  • Archives staged in:
    • C:\ProgramData
    • C:\Users\Public
    • Temporary network shares

Exfiltration methods:

  • HTTPS uploads to attacker-controlled servers
  • Temporary VPS nodes
  • Cloud storage accounts created solely for staging

7. Ransomware Deployment

Payload Characteristics

  • Windows x64 executable
  • Manually deployed by affiliate
  • Often executed via scheduled task or PsExec
  • Encryption occurs within minutes across multiple hosts

Actions performed:

  • Shadow copy deletion
  • Backup service termination
  • Database service shutdown
  • File encryption with custom extension
  • Ransom note placement

Ransom notes direct victims to a Tor-based negotiation portal hosted by BravoX.


Indicators of Compromise

File System IOCs

Suspicious File Paths

C:\ProgramData\bravox\
C:\Users\Public\brx\
C:\Windows\Temp\svchost32.exe
C:\ProgramData\update_check.exe

Ransom Note Names

README_BRAVOX.txt
BRAVOX_NOTE.txt
HOW_TO_RECOVER_FILES.txt

Encrypted File Extensions

.bravox
.brx
.bvx

Process & Command-Line IOCs

Shadow Copy & Backup Destruction

vssadmin.exe delete shadows /all /quiet
wmic shadowcopy delete
bcdedit /set {default} recoveryenabled No

Defense Evasion

powershell Set-MpPreference -DisableRealtimeMonitoring $true
sc stop WinDefend
reg add HKLM\Software\Policies\Microsoft\Windows Defender

Lateral Movement

psexec \\<hostname> cmd.exe
wmic /node:<host> process call create
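
The command lines listed in this section, together with the reconnaissance commands from section 3, are the kind of indicator a SOC turns into process-creation detections (Sysmon Event 1 or Security 4688 with command-line logging enabled). The Python below is an added example written for this post, not code from the report or from BravoX tooling; the event records, hostnames, rule names and severities are constructed for illustration, and the patterns are written to tolerate the trivial variations (.exe suffix, spacing, case) an affiliate's typing produces.

```python
import re

# Constructed process-creation records (Sysmon Event 1 / Security 4688 style).
# Hostnames and the exact command lines are invented for this example.
SAMPLE_EVENTS = [
    {"host": "FS01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "cmdline": "wmic shadowcopy delete"},
    {"host": "WS22", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "WS22", "cmdline": r"psexec \\FS01 cmd.exe"},
    {"host": "WS22", "cmdline": 'wmic /node:FS01 process call create "cmd.exe /c whoami"'},
    {"host": "WS22", "cmdline": 'net group "Domain Admins" /domain'},
    {"host": "WS22", "cmdline": "nltest /dclist:corp.example"},
    {"host": "WS22", "cmdline": "ipconfig /all"},
    {"host": "BK01", "cmdline": "vssadmin list shadows"},  # benign: lists shadows, does not delete them
]

# Each rule: (name, severity, regex over the full command line).  The optional
# (\.exe)? and \s+ keep the match stable when the binary is invoked with or
# without its extension or with extra whitespace; re.I handles mixed case.
RULES = [
    ("shadow_copy_deletion", "critical",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery_disabled", "critical",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("psexec_remote_exec", "high",
     re.compile(r"psexec(\.exe)?\s+\\\\\S+", re.I)),
    ("wmic_remote_exec", "high",
     re.compile(r"wmic(\.exe)?\s+/node:\S+\s+process\s+call\s+create", re.I)),
    ("domain_recon", "medium",
     re.compile(r"net(\.exe)?\s+(user|group)\b.*\s/domain|nltest(\.exe)?\s+/dclist|whoami(\.exe)?\s+/all", re.I)),
    ("network_recon", "low",
     re.compile(r"ipconfig(\.exe)?\s+/all|arp(\.exe)?\s+-a|route(\.exe)?\s+print", re.I)),
]

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def match_event(event):
    """Return [(rule, severity), ...] for every rule whose pattern hits the command line."""
    return [(name, sev) for name, sev, rx in RULES if rx.search(event["cmdline"])]


def triage(events):
    """Group hits per host: {host: [(rule, severity, cmdline), ...]}."""
    hits = {}
    for ev in events:
        for name, sev in match_event(ev):
            hits.setdefault(ev["host"], []).append((name, sev, ev["cmdline"]))
    return hits


def highest_severity(host_hits):
    """Worst severity among a host's hits, or None if the host has none."""
    return max((sev for _, sev, _ in host_hits), key=SEVERITY_ORDER.get, default=None)


if __name__ == "__main__":
    for host, host_hits in triage(SAMPLE_EVENTS).items():
        print(f"{host}: worst severity {highest_severity(host_hits)}")
        for name, sev, cmd in host_hits:
            print(f"  [{sev}] {name}: {cmd}")
```

Recon commands alone are low-fidelity (administrators run them too); the value is in the per-host grouping, where a host that produces recon hits and then a critical shadow-copy deletion within the same session is worth paging on.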

Account & Authentication IOCs

  • New domain admin accounts created suddenly
  • Password resets for service accounts
  • MFA bypass via legacy protocols
  • VPN logins followed by immediate server RDP

Suspicious Windows Event IDs:

  • 4624 (Logon)
  • 4672 (Special privileges assigned)
  • 4720 (User created)
  • 4732 (Added to admin group)
  • 7045 (New service installed)
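
None of these event IDs is suspicious on its own; what the report describes are sequences: an account created (4720) and moments later added to an admin group (4732), a VPN logon followed by an RDP logon (4624 with logon type 10) onto a server, and a new service (7045) appearing on a host right after that RDP session. The Python below is an added example, not part of the original report; the log records, timestamps, hostnames and account names are constructed, the VPN gateway hostname is an assumption, and the 15-minute window is a starting point to tune.

```python
from datetime import datetime, timedelta

# Hostnames of the VPN concentrators; an assumption for this example.
VPN_HOSTS = {"VPN-GW"}
WINDOW = timedelta(minutes=15)

# Constructed Security-log records (timestamps, hosts and accounts are invented).
# 4624 with logon_type 10 is RemoteInteractive, i.e. an RDP session.
SAMPLE_LOG = [
    {"time": "2025-01-26T02:03:10", "event_id": 4624, "host": "VPN-GW", "user": "j.doe", "logon_type": 3},
    {"time": "2025-01-26T02:05:40", "event_id": 4624, "host": "FS01", "user": "j.doe", "logon_type": 10},
    {"time": "2025-01-26T02:07:02", "event_id": 4720, "host": "DC01", "user": "svc_backup2"},
    {"time": "2025-01-26T02:07:30", "event_id": 4732, "host": "DC01", "user": "svc_backup2", "group": "Administrators"},
    {"time": "2025-01-26T02:09:15", "event_id": 7045, "host": "FS01", "user": "j.doe", "service": "winupd-helper"},
    {"time": "2025-01-26T09:30:00", "event_id": 4720, "host": "DC01", "user": "new.hire"},  # no 4732 follows: stays quiet
    {"time": "2025-01-26T14:00:00", "event_id": 4624, "host": "WS10", "user": "a.smith", "logon_type": 2},
]


def _ts(rec):
    return datetime.fromisoformat(rec["time"])


def correlate(records):
    """Return (rule, user, detail) tuples for the three sequences described above."""
    recs = sorted(records, key=_ts)
    alerts = []
    for i, a in enumerate(recs):
        for b in recs[i + 1:]:
            if _ts(b) - _ts(a) > WINDOW:
                break  # records are sorted, so nothing later can be inside the window
            # 4720 (account created) then 4732 (same account added to a privileged group)
            if a["event_id"] == 4720 and b["event_id"] == 4732 and a["user"] == b["user"]:
                alerts.append(("new_account_added_to_admins", a["user"], b["time"]))
            # VPN logon, then an RDP logon by the same user onto an internal host
            if (a["event_id"] == 4624 and a["host"] in VPN_HOSTS
                    and b["event_id"] == 4624 and b.get("logon_type") == 10
                    and a["user"] == b["user"] and b["host"] not in VPN_HOSTS):
                alerts.append(("vpn_login_then_server_rdp", a["user"], b["host"]))
            # RDP logon, then a new service installed on that same host (PsExec-style execution)
            if (a["event_id"] == 4624 and a.get("logon_type") == 10
                    and b["event_id"] == 7045 and a["host"] == b["host"]):
                alerts.append(("rdp_then_new_service", a["user"], b["host"]))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in correlate(SAMPLE_LOG):
        print(f"{rule}: user={user} detail={detail}")
```

The inner loop breaks as soon as the window is exceeded, so the cost stays proportional to how busy the log is within any 15-minute span rather than to its total length; in a SIEM the same logic is a join on user or host with a time bound.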

Network IOCs (Behavioral)

Because infrastructure is rotating, behavioral indicators matter more than IPs.

  • Large outbound HTTPS uploads late at night
  • Short-lived VPS connections
  • Unusual ports (8443, 9443, 10443)
  • TLS traffic from file servers that normally don’t initiate outbound connections

Detection & Threat Hunting

High-Fidelity Hunts

Hunt: Ransomware Staging

  • Look for archive creation followed by deletion
  • Correlate with outbound network spikes

Hunt: Backup Tampering

  • Monitor for service stop events on backup servers
  • Detect shadow copy deletion attempts

Hunt: Credential Dumping

  • Alert on LSASS access by non-security tools
  • Detect MiniDump creation events

Detection Logic

Suspicious Archive Creation

Process creates .zip/.7z files
Location: ProgramData or Public directories
Size > 500MB
Followed by outbound HTTPS within 15 minutes

Defense Disable Attempt

powershell.exe modifying Defender preferences
Parent process is not a signed Microsoft management tool
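
Both detection rules above are stateful in different ways: the archive rule needs a file-creation event joined to a later network event on the same host, and the Defender rule needs the parent process's signer, which most EDR telemetry carries alongside the process-creation record. The Python below is an added example for this post, not detection content from the report; the telemetry, hostnames, sizes and addresses are constructed, the archive extensions, the accepted signer names and the port list are assumptions, and the 500 MB and 15-minute thresholds are the ones the rule text gives.

```python
import re
from datetime import datetime, timedelta

STAGING_DIRS = (r"c:\programdata", r"c:\users\public")
ARCHIVE_EXT = (".zip", ".7z", ".001", ".002", ".003")  # includes multi-part 7z volumes; an assumption
SIZE_THRESHOLD = 500 * 2**20                            # 500 MB, from the rule text
EXFIL_WINDOW = timedelta(minutes=15)                    # from the rule text
OUTBOUND_PORTS = {443, 8443, 9443, 10443}               # HTTPS plus the unusual ports listed under Network IOCs
# Authenticode signer names treated as "signed Microsoft management tools"; an assumption.
TRUSTED_SIGNERS = {"Microsoft Windows", "Microsoft Corporation"}
DEFENDER_TAMPER = re.compile(r"set-mppreference\b.*-disable\w+", re.I)

# Constructed telemetry mixing file-create, network and process events
# (Sysmon 11 / 3 / 1 style).  Hosts, times, sizes and addresses are invented.
EVENTS = [
    {"time": "2025-01-26T01:40:00", "type": "file_create", "host": "FS01", "path": r"C:\ProgramData\brx\fin.7z.001", "size": 900 * 2**20},
    {"time": "2025-01-26T01:41:30", "type": "file_create", "host": "FS01", "path": r"C:\ProgramData\brx\fin.7z.002", "size": 650 * 2**20},
    {"time": "2025-01-26T01:52:10", "type": "net_connect", "host": "FS01", "dst": "198.51.100.42", "dst_port": 8443},
    {"time": "2025-01-26T01:55:00", "type": "process", "host": "FS01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Set-MpPreference -DisableRealtimeMonitoring $true",
     "parent_image": r"C:\Windows\Temp\svchost32.exe", "parent_signer": None},
    {"time": "2025-01-26T03:00:00", "type": "file_create", "host": "WS10", "path": r"C:\Users\Public\photos.zip", "size": 40 * 2**20},
    {"time": "2025-01-26T03:05:00", "type": "net_connect", "host": "WS10", "dst": "203.0.113.9", "dst_port": 443},
    {"time": "2025-01-26T08:00:00", "type": "process", "host": "WS10",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Set-MpPreference -DisableRealtimeMonitoring $true",
     "parent_image": r"C:\Program Files\MgmtAgent\agent.exe", "parent_signer": "Microsoft Windows"},  # placeholder signed admin tool
]


def is_staging_path(path):
    """True for an archive written under ProgramData or Users\\Public."""
    p = path.lower()
    return p.startswith(STAGING_DIRS) and p.endswith(ARCHIVE_EXT)


def detect_archive_staging(events):
    """Large archive in a staging directory, then outbound TLS from the same host within the window."""
    evs = sorted(events, key=lambda e: e["time"])  # uniform ISO-8601 strings sort chronologically
    alerts = []
    for i, fe in enumerate(evs):
        if fe["type"] != "file_create" or not is_staging_path(fe["path"]) or fe["size"] < SIZE_THRESHOLD:
            continue
        t0 = datetime.fromisoformat(fe["time"])
        for ne in evs[i + 1:]:
            if datetime.fromisoformat(ne["time"]) - t0 > EXFIL_WINDOW:
                break
            if ne["type"] == "net_connect" and ne["host"] == fe["host"] and ne["dst_port"] in OUTBOUND_PORTS:
                alerts.append({"rule": "archive_staging_then_exfil", "host": fe["host"],
                               "archive": fe["path"], "dst": f'{ne["dst"]}:{ne["dst_port"]}'})
                break  # one alert per archive is enough
    return alerts


def detect_defender_tamper(events):
    """PowerShell changing Defender preferences whose parent is not a signed Microsoft tool."""
    alerts = []
    for e in events:
        if e["type"] != "process" or not e["image"].lower().endswith("powershell.exe"):
            continue
        if not DEFENDER_TAMPER.search(e["cmdline"]):
            continue
        if e.get("parent_signer") in TRUSTED_SIGNERS:
            continue  # the rule text excludes signed Microsoft management tooling
        alerts.append({"rule": "defender_disable_unsigned_parent", "host": e["host"], "parent": e["parent_image"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_archive_staging(EVENTS) + detect_defender_tamper(EVENTS):
        print(alert)
```

The signer check is what keeps the Defender rule quiet in environments where configuration management legitimately toggles preferences; if your telemetry only records the parent image path and not its signature, fall back to an allow-list of known management tool paths and treat anything under Temp or ProgramData as unsigned.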

Risk Outlook

  • Short-term risk: High likelihood of opportunistic attacks
  • Target profile: Small to mid-size enterprises, poorly secured VPNs
  • Maturity trend: Infrastructure and tooling likely to improve quickly
  • Primary danger: Data theft + encryption + public extortion

Final Takeaways

  • Enforce MFA on all external access
  • Audit VPN and RDP exposure
  • Monitor service account behavior
  • Lock down backup systems
  • Enable command-line logging
  • Prepare ransomware-specific IR runbooks

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.