Ransomware has become one of the most profitable types of malware in the hands of cybercriminals, with reported cybercrime losses tripling in the last five years, according to the FBI. A constant flow of new and reused code in this realm continues to flood both consumers and organizations who fight to prevent infections, respond to attacks and often resort to paying the criminals.

In a recent analysis from IBM’s X-Force Incident Response and Intelligence Services (IRIS), our team discovered activity related to a new strain of ransomware known as “PXJ” ransomware. This malware is also known as “XVFXGW” ransomware. The name PXJ is derived from the file extension that is appended to encrypted files, whereas the alternative name, XVFXGW, is based off both the mutex the malware creates, “XVFXGW DOUBLE SET,” and the email addresses listed in the ransom note, which are “[email protected]” and “[email protected]

This code has emerged in the wild in early 2020, and while it performs functions common to most ransomware, it does not appear to share underlying code with known ransomware families. Of the two samples we have analyzed so far, one was packed using UPX, an open-source executable packer, while the other did not leverage any packing.

This post sheds some light on what we found in our labs.

PXJ’s Initial Actions

Much like other ransomware, PXJ begins by disabling the user’s ability to recover any files from deleted stores and shadow copies.

First, the Recycle Bin is emptied using the “SHEmptyRecycleBinW” function. Next, a series of commands are executed to prevent the recovery of data after it has been encrypted. Specifically, the steps taken at this stage include the deletion of volume shadow copies and the disabling of the Windows Error Recovery service.

The following are the specific commands executed by PXJ ransomware:

vssadmin.exe delete shadows /all /quiet

bcdedit.exe /set {default} recoveryenabled no

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

bcdedit.exe /set {current} recoveryenabled no

bcdedit.exe /set {current} bootstatuspolicy ignoreallfailures

After these tasks are complete, the file encryption process begins. According to the ransom note, that process includes encrypting photos and images, databases, documents, videos and other files on the device.

Double Encryption

To prevent potential recovery by breaking the encryption, PXJ uses both AES and RSA algorithms to lock data down, a practice that is quite common. Many ransomware codes begin by encrypting files with the AES algorithm, a symmetric cipher, because it can encrypt files faster, helping finish the task before the malicious process can be interrupted. The AES key is then encrypted with the stronger asymmetric key, in this case, the RSA crypto-system.

Ransom Note Dropped

With encryption complete, the ransom note is dropped as a file named “LOOK.txt” and requests that the user contact the operator via email to pay the ransom in exchange for the decryption key. The attacker demands payment in bitcoin and threatens victims that if they do not pay immediately, the ransom amount will double every day after the first three days. Within one week, the decryption key will supposedly be destroyed, which will leave the victim unable to ever recover the encrypted files and data.

Figure 1: A sample ransom note dropped by PXJ ransomware (Source: IBM X-Force)

New PXJ Samples See Network Communication Check Added

On February 29, 2020, X-Force IRIS identified two new PXJ ransomware samples that were uploaded to VirusTotal by a user from the community. Having examined those new files, we noted that the mutex, attacker email addresses and dropped files all appear to remain the same. However, a significant addition to the malware involved the presence of network communication.

The URLs contain a parameter called “token” with a Base-64 encoded value, decoded examples of which include:

K 2020/2/29 20:41:7 uzjdbtjjska AAABANIx93RdufO4

K 2020/3/2 0:37:25 lttylhecm AAABANIx93RdufO4

Our hypothesis is that this may be some sort of traffic check given the lack of payload and the presence of multiple GET requests that include timestamps; however, this has not yet been confirmed. No additional payload appears to be included in the GET request sent to these URLs and the remote server simply returns “0” in response.

A dropped file named “Res.AAABANIx93RdufO4” is present in both the old and new samples. As we work to determine the purpose of this file, please note that the ransom note requests that victims do not delete this file, which leads us to hypothesize that this file may be used in the decryption process.

Network indicators, as well as the additional hashes, have been added to our report on X-Force Exchange.

Ransomware and Extortion Attacks Continue to Rise

The emergence of new ransomware strains is almost a daily occurrence nowadays, facilitated by the ability of new threat actors to buy ransomware for a low cost or even obtain code for free on some forums. Additionally, organized cybercrime gangs use ransomware to extort organizations and force them to negotiate ransom amounts to the tune of millions of dollars in each case.

Want to keep up to date on the latest threat intelligence? Join us on X-Force Exchange and read our research blogs on SecurityIntelligence.

Indicators of Compromise (IoCs)

File hashes (SHA256) analyzed for this post:



Network indicators:



IoCs and Yara rules for this malware can be found on X-Force Exchange.

Learn more about IBM Security X-Force’s threat intelligence and incident response services.

More from Malware

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

A View Into Web(View) Attacks in Android

James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

RansomExx Upgrades to Rust

IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language. Malware written in Rust often benefits from lower AV detection rates (compared to those written in more common languages) and this may have been the primary reason to use the language. For example, the sample analyzed in this report was not detected as malicious in the…

Raspberry Robin and Dridex: Two Birds of a Feather

IBM Security Managed Detection and Response (MDR) observations coupled with IBM Security X-Force malware research sheds additional light on the mysterious objectives of the operators behind the Raspberry Robin worm. Based on a comparative analysis between a downloaded Raspberry Robin DLL and a Dridex malware loader, the results show that they are similar in structure and functionality. Thus, IBM Security research draws another link between the Raspberry Robin infections and the Russia-based cybercriminal group 'Evil Corp,' which is the same…