New 'Rex' Ransomware Strain Emerges with Double Extortion Tactics

New 'Rex' Ransomware Emerges, Using Double Extortion and .rex48 Extension

Severity: HIGH
May 15, 2026
Categories: Ransomware, Malware

Related Entities

Organizations: CYFIRMA
Products & Tech: Windows
Other: Rex Ransomware

Executive Summary

Security researchers at CYFIRMA have identified a new ransomware-as-a-service (RaaS) operation dubbed Rex. The new strain targets corporate Windows environments, executing a classic double-extortion attack. Upon compromising a network, Rex ransomware exfiltrates sensitive data before encrypting files, appending a .rex48 extension to them. The attackers then leave an HTML ransom note, RANSOM_NOTE.html, which threatens to leak the stolen data if the victim does not make contact within 72 hours to negotiate payment. The ransomware also attempts to delete Volume Shadow Copies to hinder recovery efforts.


Threat Overview

Malware: Rex Ransomware
Targets: Enterprise and corporate networks running Windows operating systems
Attack Model: Double Extortion, which combines two forms of coercion:

  1. Data Encryption: Files are encrypted (T1486 - Data Encrypted for Impact), making them inaccessible and disrupting business operations.
  2. Data Theft and Extortion: Confidential data is exfiltrated before encryption (mapped here to T1048 - Exfiltration Over Alternative Protocol; the report does not name the channel used). The attackers threaten to publish the data on a leak site, or sell it, if the ransom is not paid.

Technical Analysis

The Rex ransomware follows a typical modern ransomware attack flow:

  1. Execution and Encryption: Once executed, the malware encrypts files matching a predefined list of extensions and appends .rex48 to each encrypted file. The meaning of the numeric suffix (48) is not stated; it may be a campaign or build identifier and could vary in future samples.

  2. Ransom Note: After encryption, an HTML ransom note named RANSOM_NOTE.html is created on the system. The note contains:

    • A notification that the network has been breached.
    • A warning against modifying files or using third-party recovery tools.
    • The claim that confidential data has been stolen.
    • Instructions to contact the attackers within 72 hours via email or a Tor chat service.
    • A threat to increase the ransom amount if the deadline is missed.
    • An offer to decrypt 2-3 small, non-important files for free as proof of capability.

  3. Inhibit Recovery: The malware attempts to inhibit system recovery by deleting Volume Shadow Copies (T1490 - Inhibit System Recovery). This is typically done with the vssadmin.exe command-line tool (vssadmin delete shadows /all /quiet is the usual form), which is why that command line is one of the most reliable precursors to watch for.

While the initial access vector is not specified, ransomware groups typically gain entry through phishing, exploitation of unpatched public-facing services, or stolen credentials purchased from initial access brokers.


Impact Assessment

A successful Rex ransomware attack can be devastating for an organization, leading to:

  • Operational Downtime: Complete halt of business operations as critical files and systems become inaccessible.
  • Financial Loss: Costs associated with the ransom payment (if made), incident response, system restoration, and lost revenue.
  • Data Breach: The public leak of sensitive data can result in severe reputational damage, loss of customer trust, regulatory fines (e.g., under GDPR or CCPA), and competitive disadvantage.
  • Legal and Regulatory Consequences: Organizations may face lawsuits from customers whose data was exposed and penalties from data protection authorities.

IOCs — Directly from Articles

Type        Value               Description
File Name   RANSOM_NOTE.html    Name of the ransom note dropped by Rex ransomware
File Name   *.rex48             File extension appended to encrypted files

Cyber Observables — Hunting Hints

Security teams can hunt for signs of a ransomware attack in progress with the following observables:

  • File System Activity: Monitor for a high volume of file read/write/rename operations, especially the creation of files with the .rex48 extension.
  • Process Monitoring: Look for the execution of vssadmin.exe delete shadows or similar commands used to delete backups.
  • Ransom Note Creation: Set up alerts for the creation of files named RANSOM_NOTE.html on critical servers or multiple endpoints.
  • Network Traffic: Monitor for large, anomalous outbound data transfers, which could indicate data exfiltration prior to encryption.
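The four hunting hints above, turned into detection logic and run over a small set of endpoint events. This is an added example, not CYFIRMA's or the article author's code: the events imitate Sysmon Event ID 1 (process creation) and Event ID 11 (file creation) but every host, path and timestamp is constructed, the wmic/wbadmin/bcdedit patterns are well-known T1490 equivalents added alongside the vssadmin form the report names, and the window and threshold values are assumptions to be tuned against your own baseline.

```python
"""Hunting logic for the Rex observables, run over constructed telemetry.

Added example (not CYFIRMA's or the article author's code). Events mimic
Sysmon Event ID 1 (process creation) and Event ID 11 (file creation) with
invented hosts, paths and timestamps; window and threshold are assumptions.
"""
from __future__ import annotations

import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines that inhibit recovery (T1490). Only the vssadmin form is named
# in the report; the others are well-known equivalents included as an assumption.
RECOVERY_INHIBIT = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
]

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"ts": "2026-05-15T09:00:01", "host": "FS01", "event_id": 1,
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2026-05-15T09:00:02", "host": "WS07", "event_id": 1,
     "cmdline": "vssadmin.exe list shadows"},  # benign: lists, does not delete
    {"ts": "2026-05-15T09:00:05", "host": "WS07", "event_id": 11,
     "path": r"C:\Users\alice\Desktop\RANSOM_NOTE.html"},
    {"ts": "2026-05-15T09:00:06", "host": "FS01", "event_id": 11,
     "path": r"C:\Shares\Finance\RANSOM_NOTE.html"},
    {"ts": "2026-05-15T09:01:00", "host": "WS07", "event_id": 11,
     "path": r"C:\Users\alice\Documents\notes.txt.rex48"},  # single file: below burst
]
# 25 .rex48 creations on FS01 within 25 seconds: the encryption burst.
SAMPLE_EVENTS += [
    {"ts": f"2026-05-15T09:00:{10 + i:02d}", "host": "FS01", "event_id": 11,
     "path": rf"C:\Shares\Finance\report_{i:02d}.xlsx.rex48"}
    for i in range(25)
]


def detect_recovery_inhibition(events):
    """(host, cmdline) for each process creation matching a T1490 pattern."""
    return [(e["host"], e["cmdline"]) for e in events
            if e.get("event_id") == 1
            and any(p.search(e.get("cmdline", "")) for p in RECOVERY_INHIBIT)]


def detect_encryption_burst(events, ext=".rex48", window_s=60, threshold=20):
    """Hosts creating >= threshold files with the ransom extension in one window.

    Returns {host: peak count seen in a single window}. A sliding window over
    sorted timestamps keeps this linear per host.
    """
    per_host = defaultdict(list)
    for e in events:
        if e.get("event_id") == 11 and e["path"].lower().endswith(ext):
            per_host[e["host"]].append(datetime.fromisoformat(e["ts"]))
    flagged = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > timedelta(seconds=window_s):
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[host] = max(flagged.get(host, 0), count)
    return flagged


def detect_ransom_note_spread(events, note="RANSOM_NOTE.html", min_hosts=2):
    """Sorted hosts on which the ransom note appeared, if at least min_hosts did."""
    hosts = {e["host"] for e in events
             if e.get("event_id") == 11
             and e["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower() == note.lower()}
    return sorted(hosts) if len(hosts) >= min_hosts else []


def hunt(events):
    """Run all three detections and return one result dict keyed by technique."""
    return {
        "T1490_recovery_inhibition": detect_recovery_inhibition(events),
        "T1486_encryption_burst": detect_encryption_burst(events),
        "ransom_note_hosts": detect_ransom_note_spread(events),
    }


if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_EVENTS), indent=2))
```

Against the sample data the shadow-copy deletion on FS01 fires while the benign vssadmin list shadows on WS07 does not, FS01 is flagged for a 25-file burst, and the note is seen on both hosts. The single .rex48 file on WS07 stays below the burst threshold on its own, which is the right call for a per-host rate rule; the extension match alone still belongs in a lower-severity file-name alert.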

Detection & Response

  • Endpoint Protection (EDR/XDR): Modern EDR solutions with anti-ransomware modules can detect and terminate the encryption process based on its behavior. This is a form of D3FEND's Process Analysis (D3-PA).
  • File Integrity Monitoring: Use FIM on critical file servers to alert on mass file modification or the appearance of ransom notes.
  • Canary Files/Honeypots: Place
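The canary-file approach mentioned above, as an added example that is not part of the original article or CYFIRMA's report: decoy files are written with random content and a hash baseline is recorded, and a later check reports any canary that was renamed with the ransom extension, went missing, or was rewritten in place. The canary names, sizes and the toy transformation used to stand in for the malware are all constructed for the demo; only the .rex48 extension comes from the report.

```python
"""Canary (decoy) files that reveal ransomware encryption on a file share.

Added example, not the article's or CYFIRMA's code. Canary names, sizes and
the toy 'encryption' used to simulate the malware are constructed for the
demo; the .rex48 extension comes from the report.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Names chosen to sort first and last so an alphabetical encryption sweep hits a
# canary early in either direction (assumption about sweep order).
CANARY_NAMES = ["00_passwords_backup.xlsx", "zz_archive_2019.docx"]


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def deploy_canaries(directory, names=CANARY_NAMES, size=4096):
    """Write decoy files with random content; return a {path: sha256} baseline."""
    baseline = {}
    for name in names:
        p = Path(directory) / name
        p.write_bytes(os.urandom(size))
        baseline[str(p)] = sha256_of(p)
    return baseline


def check_canaries(baseline, ransom_ext=".rex48"):
    """Return [(path, reason)] for every canary that was touched.

    Distinguishes 'renamed with the ransom extension' from 'missing' and from
    'content modified' in place, since families differ in whether they rename
    before or after writing ciphertext.
    """
    alerts = []
    for path, digest in baseline.items():
        p = Path(path)
        if not p.exists():
            renamed = p.with_name(p.name + ransom_ext)
            reason = f"renamed to {renamed.name}" if renamed.exists() else "missing"
            alerts.append((path, reason))
        elif sha256_of(p) != digest:
            alerts.append((path, "content modified"))
    return alerts


def simulate_encryption(path, ransom_ext=".rex48"):
    """Stand-in for the malware's effect on one file (toy XOR, NOT real encryption)."""
    p = Path(path)
    p.write_bytes(bytes(b ^ 0x5A for b in p.read_bytes()))
    p.rename(p.with_name(p.name + ransom_ext))


def demo():
    """Deploy, verify clean, 'encrypt' one canary, return the resulting alerts."""
    with tempfile.TemporaryDirectory() as d:
        baseline = deploy_canaries(d)
        if check_canaries(baseline):
            raise RuntimeError("canaries altered before the simulated attack")
        simulate_encryption(next(iter(baseline)))
        return check_canaries(baseline)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"ALERT canary {path}: {reason}")
```

In production the baseline would be stored off-host and check_canaries run on a short schedule or wired to a file-system watcher; because the decoys are never legitimately opened, any hit is high-confidence and can drive an automatic share disconnect or host isolation.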


MITRE ATT&CK Mitigations

Network Segmentation (M1030): Segment networks to contain the spread of ransomware, and isolate critical assets so a widespread attack cannot reach and encrypt them.

Behavior Prevention on Endpoint (M1040): Use EDR/XDR solutions with behavioral detection to identify and block ransomware activity before it causes significant damage.

Multi-factor Authentication (M1032): Enforce MFA on all remote access points and privileged accounts so that stolen credentials alone do not grant initial access.

Data Backup (M1053): Keep offline or immutable backups and test restores regularly; because Rex deletes Volume Shadow Copies, local snapshots cannot be relied on for recovery.

Sources & References

CYFIRMA, "Weekly Intelligence Report – 15 May 2026", cyfirma.com, May 15, 2026
YouTube, "Rex ransomware removal [.Rex48 file virus]", youtube.com, May 14, 2026
NewsBreak, "Rex ransomware removal [.Rex48 file virus]", newsbreak.com, May 14, 2026

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Tags

Ransomware, Rex Ransomware, Malware, Double Extortion, Windows, CYFIRMA
