Recently, security researchers warned of a new strain of PXJ Ransomware. Read on to know more about it…
Recently, security researchers warned of a new strain of PXJ ransomware, which emerged in the wild in early 2020. It was first identified on February 29, after researchers analyzed two samples that a community user had uploaded to VirusTotal.
Researchers reported that the new strain supports functions similar to those of other ransomware families. However, the initial infection vector of the ransomware is unknown.
The name PXJ ransomware comes from the file extension that it appends to encrypted files. The malware is also known as XVFXGW, a name derived from both the mutex the malware creates, “XVFXGW DOUBLE SET,” and the email addresses included in the ransom note (“firstname.lastname@example.org” and “email@example.com”).
PXJ begins its attack chain as soon as it infects a system. It first attempts to disable the victim’s ability to recover files from deleted stores. It then empties the Recycle Bin using the “SHEmptyRecycleBinW” function. Next, it runs a series of commands to prevent backup of the data it is about to encrypt. Then the file encryption process begins. After encryption, the ransomware drops a ransom note into a file called “LOOK.txt”, requesting that victims get in touch to pay the ransom in exchange for the decryption key.
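The stages above leave artefacts a defender can look for on an endpoint: files being renamed to the “.pxj” extension and a “LOOK.txt” note being created. The Go program below is an added example, not code from the article or from the researchers it cites. It scans file-activity records in a constructed host,action,path schema (no real EDR product's format) and flags hosts that show a burst of renamed files, or a renamed file together with the note; the hosts, paths and threshold are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// FileEvent is one endpoint file-activity record. The host,action,path schema is
// a constructed one for this example, not any real EDR product's format.
type FileEvent struct {
	Host   string
	Action string // "rename", "create", "delete", ...
	Path   string
}

// Indicators named in the article: the extension appended to encrypted files and
// the ransom note file name (compared case-insensitively).
const (
	encryptedExt   = ".pxj"
	ransomNoteName = "look.txt"
)

// Verdict summarises what was observed on one host.
type Verdict struct {
	EncryptedFiles int
	RansomNote     bool
}

// Suspicious fires on a burst of renamed files, or on even one renamed file that
// is accompanied by the note. A note on its own is not enough: an analyst may
// have copied one onto a clean machine.
func (v Verdict) Suspicious(minEncrypted int) bool {
	return v.EncryptedFiles >= minEncrypted || (v.EncryptedFiles > 0 && v.RansomNote)
}

// baseName returns the last path element, accepting both Windows and POSIX separators.
func baseName(p string) string {
	return p[strings.LastIndexAny(p, `\/`)+1:]
}

// ParseFileEvent parses one "host,action,path" record.
func ParseFileEvent(line string) (FileEvent, bool) {
	parts := strings.SplitN(line, ",", 3)
	if len(parts) != 3 {
		return FileEvent{}, false
	}
	return FileEvent{Host: parts[0], Action: parts[1], Path: parts[2]}, true
}

// Analyze groups records per host and counts the two indicators.
func Analyze(lines []string) map[string]Verdict {
	out := map[string]Verdict{}
	for _, line := range lines {
		e, ok := ParseFileEvent(line)
		if !ok {
			continue // malformed record; a real pipeline would log it
		}
		name := strings.ToLower(baseName(e.Path))
		v := out[e.Host]
		switch {
		case e.Action == "rename" && strings.HasSuffix(name, encryptedExt):
			v.EncryptedFiles++
		case e.Action == "create" && name == ransomNoteName:
			v.RansomNote = true
		}
		out[e.Host] = v
	}
	return out
}

// SampleLog is constructed for this example.
var SampleLog = []string{
	`WS01,rename,C:\Users\a\Documents\budget.xlsx.pxj`,
	`WS01,rename,C:\Users\a\Pictures\holiday.jpg.pxj`,
	`WS01,rename,C:\Users\a\Documents\notes.docx.pxj`,
	`WS01,create,C:\Users\a\Desktop\LOOK.txt`,
	`WS02,create,C:\Users\b\Desktop\LOOK.txt`, // note alone: copied for analysis
	`WS03,rename,C:\Users\c\report.docx.bak`,
}

func main() {
	for host, v := range Analyze(SampleLog) {
		fmt.Printf("%s: encrypted=%d note=%v suspicious=%v\n",
			host, v.EncryptedFiles, v.RansomNote, v.Suspicious(3))
	}
}
```

Extension-based matching is deliberately narrow: it catches this family's naming but not a variant that changes the suffix, so in practice it belongs alongside rate-based rules (many renames of user documents per minute from one process) rather than replacing them.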
The ransom note revealed a few details to the researchers. Based on it, they concluded that photos and images, databases, documents, videos and other files on the device are affected by the attack. They also noted that PXJ uses double encryption (both the AES and RSA algorithms) to lock down all user data. This practice is quite common among attackers because it prevents potential recovery by undoing the encryption.
Researchers remarked, “Many ransomware codes begin by encrypting files with the AES algorithm, a symmetric cipher, because it can encrypt files faster, helping finish the task before the malicious process can be interrupted. The AES key is then encrypted with the stronger asymmetric key, in this case, the RSA crypto-system.”
Additional Key Observations
The security researchers said that the attacker’s email addresses, dropped files, and mutex all appeared to be the same between the two samples. However, new network communication was found in one of them. The URLs in that sample contained a traffic-check parameter called “token” with a Base64-encoded value. The researchers hypothesized in their findings that the parameter signals the operators when a host gets infected, using minimal traffic.
“Our hypothesis is that this may be some sort of traffic check given the lack of payload and the presence of multiple GET requests that include timestamps; however, this has not yet been confirmed. No additional payload appears to be included in the GET request sent to these URLs and the remote server simply returns ‘0’ in response,” the researchers concluded.
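The pattern in that quote (GET requests with no payload, a Base64 “token” query parameter, timestamps, and a one-byte “0” reply) can be turned into a detection rule over proxy logs. The Go program below is an added example, not code from the article or the researchers; the log format (timestamp, method, URL, status, response bytes), the host names under the reserved .invalid domain and the token values are all constructed for the example, and the Base64 heuristic is an assumption chosen to avoid firing on short cache-buster parameters.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// Request is one parsed proxy-log record (constructed schema, not a real product's).
type Request struct {
	Timestamp string
	Method    string
	URL       *url.URL
	RespBytes int
}

// ParseProxyLine parses "timestamp method url status resp_bytes" (constructed format).
func ParseProxyLine(line string) (Request, error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return Request{}, fmt.Errorf("expected 5 fields, got %d", len(f))
	}
	u, err := url.Parse(f[2])
	if err != nil {
		return Request{}, err
	}
	n, err := strconv.Atoi(f[4])
	if err != nil {
		return Request{}, err
	}
	return Request{Timestamp: f[0], Method: f[1], URL: u, RespBytes: n}, nil
}

// LooksBase64 accepts padded standard Base64 of at least 16 characters; short or
// unpadded values such as "v=12" are ignored so the rule stays quiet on CDNs.
func LooksBase64(v string) bool {
	if len(v) < 16 || len(v)%4 != 0 {
		return false
	}
	_, err := base64.StdEncoding.DecodeString(v)
	return err == nil
}

// IsCheckIn matches the shape described in the report: a GET (no body) whose
// query carries a Base64 "token" and whose response is at most one byte.
func IsCheckIn(r Request) bool {
	if r.Method != "GET" || r.RespBytes > 1 {
		return false
	}
	tok := r.URL.Query().Get("token")
	return tok != "" && LooksBase64(tok)
}

// CountCheckIns returns, per destination host, how many matching requests were seen.
// Repeated hits to one host are what make the pattern worth an analyst's time.
func CountCheckIns(lines []string) map[string]int {
	counts := map[string]int{}
	for _, l := range lines {
		r, err := ParseProxyLine(l)
		if err != nil {
			continue // malformed record; a real pipeline would log it
		}
		if IsCheckIn(r) {
			counts[r.URL.Hostname()]++
		}
	}
	return counts
}

// SampleLog is constructed; the .invalid host is a placeholder, not real infrastructure.
var SampleLog = []string{
	"2020-03-01T10:00:00Z GET http://placeholder-c2.invalid/p?token=aG9zdD1XUzAxO3RzPTE1ODMwNTY4MDA%3D 200 1",
	"2020-03-01T10:00:05Z GET https://intranet.example/index.html 200 5120",
	"2020-03-01T10:01:00Z GET http://placeholder-c2.invalid/p?token=aG9zdD1XUzAxO3RzPTE1ODMwNTY4NjA%3D 200 1",
	"2020-03-01T10:01:30Z GET http://cdn.example/lib.js?v=12 200 40311",
	"2020-03-01T10:02:00Z POST https://api.example/upload?token=aG9zdD1XUzAxO3RzPTE1ODMwNTY4NjA%3D 201 1",
}

func main() {
	for host, n := range CountCheckIns(SampleLog) {
		fmt.Printf("%s: %d probable check-ins\n", host, n)
	}
}
```

On its own the rule is a weak signal, since legitimate services also pass opaque tokens in query strings; its value comes from correlating a host that repeatedly produces these hits with file-activity evidence from the same machine in the same window.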