Experts warn of a new malware strain, dubbed PXJ Ransomware, that does share the same underlying code with existing ransomware families.

Security experts from IBM X-Force have spotted a new strain of ransomware, dubbed PXJ Ransomware, that does share the same code with other known ransomware families.

While PXJ performs typical ransomware functions, it does not appear to share the same underlying code with most known ransomware families.

The PXJ ransomware first appeared in the threat landscape in early 2020, it supports functions similar to other ransomware families. The experts spotted the ransomware for the first time on February 29, when two samples that were uploaded to VirusTotal.

The name PXJ ransomware comes from the file extension that it appends to encrypted files. The malware is also known as XVFXGW, a name that derived from both the the malware creates, “XVFXGW DOUBLE SET,” and the email addresses included in the ransom note (“xvfxgw3929@protonmail.com” and “xvfxgw213@decoymail.com”).

“This code has emerged in the wild in early 2020, and while it performs functions common to most ransomware, it does not appear to share underlying code with known ransomware families.” reads the analysis post by IBM X-Force.

Only one of the two samples analyzed by the researchers was packed using the open-source executable packer UPX.

At the time, experts have yet to determine the initial infection vector of the ransomware. Like other ransomware families, PXJ ransomware begins by disabling the user’s ability to recover any files from deleted stores and shadow copies.

Then the malware starts encrypting the victims’ files, it is able to target photos and images, databases, documents, videos, and other files.

The PXJ ransomware uses both AES and RSA algorithms to encrypt the data, the technique is common to other threats.

“Many ransomware codes begin by encrypting files with the AES algorithm, a symmetric cipher, because it can encrypt files faster, helping finish the task before the malicious process can be interrupted,” continues the analysis. “The AES key is then encrypted with the stronger asymmetric key, in this case, the RSA crypto-system.”

Once the encryption process is concluded, the ransomware will drop the ransom note into a file (called “LOOK.txt”), which instructs the victim to contact the attacker via email to receive information on the procedure to pay the ransom (in Bitcoin).

If victims do not pay, the ransom amount will double every day after the first three days, the attackers also threaten the victims that after a week, the decryption key will be destroyed, making it impossible to recover the encrypted files.

The two samples analyzed by the experts differ in the use of network communication that is present only in one sample. The network connection allows operators to determine if a machine was infected before it will be contacted by the victims.

Experts noticed that the URLs in one of the samples contained a sort of traffic check parameter called “token” with a Base-64 encoded value.

“Our hypothesis is that this may be some sort of traffic check given the lack of payload and the presence of multiple GET requests that include timestamps; however, this has not yet been confirmed. No additional payload appears to be included in the GET request sent to these URLs and the remote server simply returns “0” in response.” continues the analysis.

Technical details about the PXJ Ransomware, including Indicators of Compromise (IoCs), are reported in the analysis published by IBM X-Force.

Pierluigi Paganini