Security experts from IBM X-Force
While PXJ performs typical ransomware functions, it does not appear to share the same underlying code with most known ransomware families.
The PXJ ransomware first appeared
The name PXJ ransomware comes from the file extension that it appends to encrypted files. The malware is also known as XVFXGW, a name that derived from both
“This code has emerged in the wild in early 2020, and while it performs functions common to most ransomware, it does not appear to share underlying code with known ransomware families.” reads the analysis post by IBM X-Force.
Only one of the two samples analyzed by the researchers was packed using the open-source executable packer UPX.
At the time, experts have yet to determine the initial infection vector of the ransomware. Like other ransomware families, PXJ ransomware begins by disabling the user’s ability to recover any files from deleted stores and shadow copies.
Then the malware starts encrypting the victims’ files, it is able to target photos and images, databases, documents, videos, and other files.
The PXJ ransomware uses both AES and RSA algorithms to encrypt the data, the technique is common to other threats.
“Many ransomware codes begin by encrypting files with the AES algorithm, a symmetric cipher, because it can encrypt files faster, helping finish the task before the malicious process can be interrupted,” continues the analysis. “The AES key is then encrypted with the stronger asymmetric key, in this case, the RSA crypto-system.”
Once the encryption process is concluded, the ransomware will drop the ransom note into a file (called “LOOK.txt”), which instructs the victim to contact the attacker via email to receive information on the procedure to pay the ransom (in Bitcoin).
If victims do not pay, the ransom amount will double every day after the first three days, the attackers also threaten the victims that after a week, the decryption key will be destroyed, making it impossible to recover the encrypted files.
The two samples analyzed by the experts differ in the use of network communication that is present only in one sample. The network connection allows operators to determine if a machine was infected before it will be contacted by the victims.
Experts noticed that the URLs in one of the samples contained a sort of traffic check parameter called “token” with a Base-64 encoded value.
“Our hypothesis is that this may be some sort of traffic check given the lack of payload and the presence of multiple GET requests that include timestamps; however, this has not yet been confirmed. No additional payload appears to be included in the GET request sent to these URLs and the remote server simply returns “0” in response.” continues the analysis.
Technical details about the PXJ Ransomware, including Indicators of Compromise (IoCs), are reported in the analysis published by IBM X-Force.