Researchers Discover New PXJ Ransomware Strain

  • It was first identified on February 29, after researchers analyzed two samples that were uploaded to VirusTotal by a community user.
  • Researchers noted that PXJ used double encryption (both AES and RSA algorithms) to lock down all the data.

Researchers discovered a new strain of ransomware dubbed “PXJ,” whose underlying code differentiates it from the best-known ransomware families.

What do we know?
Researchers reported that the new strain carries functions similar to those of other ransomware families.

  • It was first identified on February 29, after researchers analyzed two samples that were uploaded to VirusTotal by a community user.
  • However, the initial infection vector of the ransomware is unknown.

What is its attack process?
PXJ begins its attack chain as soon as it infects a system.

  • It first attempts to disable the victim’s ability to recover files from deleted stores.
  • It then empties the recycle bin using the “SHEmptyRecycleBinW” function.
  • In the next step, it runs a series of commands to prevent the data it is about to encrypt from being backed up. The file encryption process then begins.
  • After encryption, the ransomware drops the ransom note into a file (called “LOOK.txt”), requesting victims to get in touch to pay the ransom in exchange for the decryption key.

After-attack analysis
The ransom note revealed a few secrets to the researchers.

  • On the basis of the ransom note, it was concluded that photos and images, databases, documents, videos and other files on the device were affected in the attack.
  • It was noted that PXJ used double encryption (both AES and RSA algorithms) to lock down all the user data.
  • This practice is quite common among attackers, since it prevents recovery by breaking the encryption.

Researchers remarked, “Many ransomware codes begin by encrypting files with the AES algorithm, a symmetric cipher, because it can encrypt files faster, helping finish the task before the malicious process can be interrupted. The AES key is then encrypted with the stronger asymmetric key, in this case, the RSA crypto-system.”

Additional key observations
The researchers said that the attacker’s email addresses, dropped files, and mutex all appeared to be the same in both samples.

  • However, new network communication was found in one of the samples.
  • The URLs in that sample contained a traffic check parameter called “token” with a Base64-encoded value.
  • The researchers hypothesized that the parameter was used to signal the operators when a host gets infected, while generating only minimal traffic.

“Our hypothesis is that this may be some sort of traffic check given the lack of payload and the presence of multiple GET requests that include timestamps; however, this has not yet been confirmed. No additional payload appears to be included in the GET request sent to these URLs and the remote server simply returns ‘0’ in response,” the researchers concluded.
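As an added illustration (not code from the original report), the following Python detector applies the observed pattern to constructed proxy-log lines: payload-less GET requests whose URL carries a Base64 “token” parameter and whose server reply is a bare “0”. The log format, hostnames and token values are assumptions for the example.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy log (not from the original report), one event per line:
# "<client_ip> <method> <url> <request_body_bytes> <response_body>"
SAMPLE_LOG = """\
10.0.0.5 GET http://example.invalid/check?token=MTU4MzAwMDAwMA== 0 0
10.0.0.5 GET http://example.invalid/check?token=MTU4MzAwMDA2MA== 0 0
10.0.0.7 GET http://example.invalid/index.html 0 <html>
10.0.0.9 POST http://example.invalid/api/upload?token=abc 4096 ok
"""

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_b64(value):
    """Return the decoded bytes if value is well-formed, padded Base64, else None."""
    if not B64_RE.match(value) or len(value) % 4:
        return None
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def parse_line(line):
    """Split one log line (assumed format above) into a dict of fields."""
    ip, method, url, req_bytes, body = line.split(" ", 4)
    return {"ip": ip, "method": method, "url": url,
            "req_bytes": int(req_bytes), "body": body}


def is_suspicious(event):
    """Match the reported pattern: a GET with no payload, a Base64 'token'
    query parameter, and a server response consisting of a bare '0'."""
    if event["method"] != "GET" or event["req_bytes"] != 0:
        return False
    token = parse_qs(urlsplit(event["url"]).query).get("token", [None])[0]
    if token is None or decode_b64(token) is None:
        return False
    return event["body"].strip() == "0"


def find_beacons(log_text, min_hits=2):
    """Group suspicious GETs by client; hosts repeating them are flagged."""
    hits = {}
    for line in log_text.splitlines():
        event = parse_line(line)
        if is_suspicious(event):
            hits.setdefault(event["ip"], []).append(event["url"])
    return {ip: urls for ip, urls in hits.items() if len(urls) >= min_hits}
```

Running `find_beacons(SAMPLE_LOG)` flags only the host that issued the repeated token-bearing GETs; a single match is kept below the threshold to limit false positives from ordinary token-authenticated requests.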