Ransomware has become one of the most profitable types of malware in the hands of cybercriminals, with reported cybercrime losses tripling in the last five years, according to the FBI. A constant flow of new and reused code in this realm continues to flood both consumers and organizations who fight to prevent infections, respond to attacks and often resort to paying the criminals.

In a recent analysis from IBM’s X-Force Incident Response and Intelligence Services (IRIS), our team discovered activity related to a new strain of ransomware known as “PXJ” ransomware. This malware is also known as “XVFXGW” ransomware. The name PXJ is derived from the file extension that is appended to encrypted files, whereas the alternative name, XVFXGW, is based off both the mutex the malware creates, “XVFXGW DOUBLE SET,” and the email addresses listed in the ransom note, which are “[email protected]” and “[email protected].”

This code has emerged in the wild in early 2020, and while it performs functions common to most ransomware, it does not appear to share underlying code with known ransomware families. Of the two samples we have analyzed so far, one was packed using UPX, an open-source executable packer, while the other did not leverage any packing.

This post sheds some light on what we found in our labs.

PXJ’s Initial Actions

Much like other ransomware, PXJ begins by disabling the user’s ability to recover any files from deleted stores and shadow copies.

First, the Recycle Bin is emptied using the “SHEmptyRecycleBinW” function. Next, a series of commands are executed to prevent the recovery of data after it has been encrypted. Specifically, the steps taken at this stage include the deletion of volume shadow copies and the disabling of the Windows Error Recovery service.

The following are the specific commands executed by PXJ ransomware:

vssadmin.exe delete shadows /all /quiet

bcdedit.exe /set {default} recoveryenabled no

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

bcdedit.exe /set {current} recoveryenabled no

bcdedit.exe /set {current} bootstatuspolicy ignoreallfailures

After these tasks are complete, the file encryption process begins. According to the ransom note, that process includes encrypting photos and images, databases, documents, videos and other files on the device.

Double Encryption

To prevent potential recovery by breaking the encryption, PXJ uses both AES and RSA algorithms to lock data down, a practice that is quite common. Many ransomware codes begin by encrypting files with the AES algorithm, a symmetric cipher, because it can encrypt files faster, helping finish the task before the malicious process can be interrupted. The AES key is then encrypted with the stronger asymmetric key, in this case, the RSA crypto-system.

Ransom Note Dropped

With encryption complete, the ransom note is dropped as a file named “LOOK.txt” and requests that the user contact the operator via email to pay the ransom in exchange for the decryption key. The attacker demands payment in bitcoin and threatens victims that if they do not pay immediately, the ransom amount will double every day after the first three days. Within one week, the decryption key will supposedly be destroyed, which will leave the victim unable to ever recover the encrypted files and data.

Figure 1: A sample ransom note dropped by PXJ ransomware (Source: IBM X-Force)

New PXJ Samples See Network Communication Check Added

On February 29, 2020, X-Force IRIS identified two new PXJ ransomware samples that were uploaded to VirusTotal by a user from the community. Having examined those new files, we noted that the mutex, attacker email addresses and dropped files all appear to remain the same. However, a significant addition to the malware involved the presence of network communication.

The URLs contain a parameter called “token” with a Base-64 encoded value, decoded examples of which include:

K 2020/2/29 20:41:7 uzjdbtjjska AAABANIx93RdufO4

K 2020/3/2 0:37:25 lttylhecm AAABANIx93RdufO4

Our hypothesis is that this may be some sort of traffic check given the lack of payload and the presence of multiple GET requests that include timestamps; however, this has not yet been confirmed. No additional payload appears to be included in the GET request sent to these URLs and the remote server simply returns “0” in response.

A dropped file named “Res.AAABANIx93RdufO4” is present in both the old and new samples. As we work to determine the purpose of this file, please note that the ransom note requests that victims do not delete this file, which leads us to hypothesize that this file may be used in the decryption process.

Network indicators, as well as the additional hashes, have been added to our report on X-Force Exchange.

Ransomware and Extortion Attacks Continue to Rise

The emergence of new ransomware strains is almost a daily occurrence nowadays, facilitated by the ability of new threat actors to buy ransomware for a low cost or even obtain code for free on some forums. Additionally, organized cybercrime gangs use ransomware to extort organizations and force them to negotiate ransom amounts to the tune of millions of dollars in each case.

Want to keep up to date on the latest threat intelligence? Join us on X-Force Exchange and read our research blogs on SecurityIntelligence.

Indicators of Compromise (IoCs)

File hashes (SHA256) analyzed for this post:

9a4e4211f7e690ee4a520c491ef7766dcf1cc9859afa991e15538e92b435f3a1

58673f5c9344f510703ffda908c7e7830f36905015529ab629479c6bf44236e9

Network indicators:

c5697c0166f9b18ee157bcdde9fb2f531892d62076b4fa3664adf0065598ebf7

64fdcb90411440bc44970d1ecce60686b85df54ed552abf312947207ea654dce

IoCs and Yara rules for this malware can be found on X-Force Exchange.

Learn more about IBM Security X-Force’s threat intelligence and incident response services.

More from Malware

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today