Ransomware has become one of the most profitable types of malware in the hands of cybercriminals, with reported cybercrime losses tripling in the last five years, according to the FBI. A constant flow of new and reused code in this realm continues to flood both consumers and organizations who fight to prevent infections, respond to attacks and often resort to paying the criminals.
In a recent analysis from IBM’s X-Force Incident Response and Intelligence Services (IRIS), our team discovered activity related to a new strain of ransomware known as “PXJ” ransomware. This malware is also known as “XVFXGW” ransomware. The name PXJ is derived from the file extension that is appended to encrypted files, whereas the alternative name, XVFXGW, is based off both the mutex the malware creates, “XVFXGW DOUBLE SET,” and the email addresses listed in the ransom note, which are “[email protected]” and “[email protected].”
This code has emerged in the wild in early 2020, and while it performs functions common to most ransomware, it does not appear to share underlying code with known ransomware families. Of the two samples we have analyzed so far, one was packed using UPX, an open-source executable packer, while the other did not leverage any packing.
This post sheds some light on what we found in our labs.
PXJ’s Initial Actions
Much like other ransomware, PXJ begins by disabling the user’s ability to recover any files from deleted stores and shadow copies.
First, the Recycle Bin is emptied using the “SHEmptyRecycleBinW” function. Next, a series of commands are executed to prevent the recovery of data after it has been encrypted. Specifically, the steps taken at this stage include the deletion of volume shadow copies and the disabling of the Windows Error Recovery service.
The following are the specific commands executed by PXJ ransomware:
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {current} recoveryenabled no
bcdedit.exe /set {current} bootstatuspolicy ignoreallfailures
After these tasks are complete, the file encryption process begins. According to the ransom note, that process includes encrypting photos and images, databases, documents, videos and other files on the device.
Double Encryption
To prevent potential recovery by breaking the encryption, PXJ uses both AES and RSA algorithms to lock data down, a practice that is quite common. Many ransomware codes begin by encrypting files with the AES algorithm, a symmetric cipher, because it can encrypt files faster, helping finish the task before the malicious process can be interrupted. The AES key is then encrypted with the stronger asymmetric key, in this case, the RSA crypto-system.
Ransom Note Dropped
With encryption complete, the ransom note is dropped as a file named “LOOK.txt” and requests that the user contact the operator via email to pay the ransom in exchange for the decryption key. The attacker demands payment in bitcoin and threatens victims that if they do not pay immediately, the ransom amount will double every day after the first three days. Within one week, the decryption key will supposedly be destroyed, which will leave the victim unable to ever recover the encrypted files and data.
Figure 1: A sample ransom note dropped by PXJ ransomware (Source: IBM X-Force)
New PXJ Samples See Network Communication Check Added
On February 29, 2020, X-Force IRIS identified two new PXJ ransomware samples that were uploaded to VirusTotal by a user from the community. Having examined those new files, we noted that the mutex, attacker email addresses and dropped files all appear to remain the same. However, a significant addition to the malware involved the presence of network communication.
The URLs contain a parameter called “token” with a Base-64 encoded value, decoded examples of which include:
K 2020/2/29 20:41:7 uzjdbtjjska AAABANIx93RdufO4
K 2020/3/2 0:37:25 lttylhecm AAABANIx93RdufO4
Our hypothesis is that this may be some sort of traffic check given the lack of payload and the presence of multiple GET requests that include timestamps; however, this has not yet been confirmed. No additional payload appears to be included in the GET request sent to these URLs and the remote server simply returns “0” in response.
A dropped file named “Res.AAABANIx93RdufO4” is present in both the old and new samples. As we work to determine the purpose of this file, please note that the ransom note requests that victims do not delete this file, which leads us to hypothesize that this file may be used in the decryption process.
Network indicators, as well as the additional hashes, have been added to our report on X-Force Exchange.
Ransomware and Extortion Attacks Continue to Rise
The emergence of new ransomware strains is almost a daily occurrence nowadays, facilitated by the ability of new threat actors to buy ransomware for a low cost or even obtain code for free on some forums. Additionally, organized cybercrime gangs use ransomware to extort organizations and force them to negotiate ransom amounts to the tune of millions of dollars in each case.
Want to keep up to date on the latest threat intelligence? Join us on X-Force Exchange and read our research blogs on SecurityIntelligence.
Indicators of Compromise (IoCs)
File hashes (SHA256) analyzed for this post:
9a4e4211f7e690ee4a520c491ef7766dcf1cc9859afa991e15538e92b435f3a1
58673f5c9344f510703ffda908c7e7830f36905015529ab629479c6bf44236e9
Network indicators:
c5697c0166f9b18ee157bcdde9fb2f531892d62076b4fa3664adf0065598ebf7
64fdcb90411440bc44970d1ecce60686b85df54ed552abf312947207ea654dce
IoCs and Yara rules for this malware can be found on X-Force Exchange.
Learn more about IBM Security X-Force’s threat intelligence and incident response services.
Cyber Threat Researcher - IBM X-Force IRIS
Principal Consultant, X-Force Cyber Crisis Management, IBM