Researchers Warn of Novel PXJ Ransomware Strain


While PXJ performs typical ransomware functions, it does not appear to share the same underlying code with most known ransomware families.

Researchers have discovered a new strain of ransomware, dubbed “PXJ,” which emerged in the wild in early 2020.

While PXJ performs functions similar to other ransomware variants, it does not appear to share the same underlying code with most known ransomware families, researchers said. They first identified PXJ on Feb. 29, after discovering two samples that were uploaded to VirusTotal by a user from the community.

“The emergence of new ransomware strains is almost a daily occurrence nowadays, facilitated by the ability of new threat actors to buy ransomware for a low cost or even obtain code for free on some forums,” said Megan Roddie, cyber-threat researcher with IBM X-Force, in a Thursday post. “Additionally, organized cybercrime gangs use ransomware to extort organizations and force them to negotiate ransom amounts to the tune of millions of dollars in each case.”

Attack Process

Roddie told Threatpost that at this time the initial infection vector of the ransomware is unknown. Similar to other ransomware strains, once it infects a system, PXJ starts its attack chain by disabling the victim’s ability to recover deleted or overwritten files. It empties the recycle bin (using the “SHEmptyRecycleBinW” function), and then executes a series of commands to prevent recovery of the data once it has been encrypted. These include deleting volume shadow copies, which Microsoft Windows uses to keep backup copies of files, and disabling the Windows Error Recovery service.
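The recovery-inhibition step described above is one of the few moments before encryption where a defender can still act, so it is worth detecting on its own. The following Python is an added example, not code from the article or from IBM X-Force, and it does not reproduce PXJ’s actual command lines, which the article does not list. It assumes process-creation events (Sysmon Event ID 1 style) with a command line, a parent process and a timestamp, and matches them against commonly observed shadow-copy deletion and boot-recovery disabling patterns. Hosts where several distinct patterns fire within a short window are rated high; a lone shadow-copy deletion from a backup agent is kept but rated low. The sample events are constructed.

```python
import re
from datetime import datetime

# Assumed patterns for the behaviours the article names (shadow copy deletion,
# Windows recovery disabled). These are generic ransomware pre-encryption
# commands, NOT PXJ's own, which the article does not quote.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit_recovery_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no", re.I)),
    ("bcdedit_ignore_boot_failures",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]

# Constructed sample process-creation events (hypothetical hosts and parents).
SAMPLE_EVENTS = [
    {"ts": "2020-02-29T10:01:05", "host": "ws01", "parent": "explorer.exe",
     "cmdline": "C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2020-02-29T10:01:06", "host": "ws01", "parent": "explorer.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"ts": "2020-02-29T10:01:07", "host": "ws01", "parent": "explorer.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"ts": "2020-02-29T10:01:08", "host": "ws01", "parent": "explorer.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"ts": "2020-02-29T10:30:00", "host": "ws02", "parent": "cmd.exe",
     "cmdline": "vssadmin list shadows"},                       # benign: listing only
    {"ts": "2020-02-29T11:00:00", "host": "ws03", "parent": "backupagent.exe",
     "cmdline": "vssadmin delete shadows /shadow={guid}"},      # single hit, backup tool
]


def classify_command(cmdline):
    """Return the names of every rule the command line matches (empty if none)."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan_events(events, window_seconds=300, min_rules=2):
    """Cluster matching events per host within a time window and rate each cluster.

    A cluster with at least `min_rules` distinct rules is rated "high": one
    process tearing down several recovery paths in a row is the pattern the
    article describes. Single hits are reported as "low" for triage.
    """
    open_clusters = {}   # host -> currently open cluster
    clusters = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        hits = classify_command(ev["cmdline"])
        if not hits:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        cl = open_clusters.get(ev["host"])
        if cl is None or (ts - cl["first_ts"]).total_seconds() > window_seconds:
            cl = {"host": ev["host"], "first_ts": ts, "rules": set(), "parents": set()}
            open_clusters[ev["host"]] = cl
            clusters.append(cl)
        cl["rules"].update(hits)
        cl["parents"].add(ev["parent"])
    return [
        {"host": c["host"], "first_ts": c["first_ts"].isoformat(),
         "rules": sorted(c["rules"]), "parents": sorted(c["parents"]),
         "severity": "high" if len(c["rules"]) >= min_rules else "low"}
        for c in clusters
    ]


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

Alerting on the combination rather than on any one command keeps the noise from legitimate backup software manageable; the parent process list in each alert is what an analyst would look at first when deciding whether the cluster is a backup job or the start of an encryption run.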

Then the ransomware begins the file encryption process. Based on the ransom note, researchers were able to glean that the encryption targets photos and images, databases, documents, videos and other files on the device. PXJ uses double encryption (both the AES and RSA algorithms) to lock data down, which researchers said is a common practice that prevents recovery by attacking the encryption itself.

“Many ransomware codes begin by encrypting files with the AES algorithm, a symmetric cipher, because it can encrypt files faster, helping finish the task before the malicious process can be interrupted,” said researchers. “The AES key is then encrypted with the stronger asymmetric key, in this case, the RSA crypto-system.”

After encrypting the data, the ransomware then drops the ransom note into a file (called “LOOK.txt”), which requests that the victim contact the attacker via email to pay the ransom, in exchange for the decryption key.

To underscore the severity of the situation, the attacker threatens that if victims do not pay (in Bitcoin), the ransom amount will double every day after the first three days. The attacker also tells victims that within one week the decryption key will supposedly be destroyed, leaving the victim unable to ever recover the encrypted files and data.

Shifting Tactics

Upon examining the two new ransomware samples uploaded to VirusTotal, researchers said they noticed that the attacker email addresses, dropped files and mutex (a mutual exclusion object that allows multiple program threads to share the same resource, such as file access, but not simultaneously) all appeared to be the same between the two.

However, a new network communication was found in one of the samples that wasn’t in the other, signifying an evolution between the two. Specifically, the URLs in one of the samples contained a traffic check parameter called “token” with a Base64-encoded value. Given the traffic was minimal, Roddie said in an email to Threatpost that she hypothesizes that the parameter was simply signaling to the operators that a host has been infected. Without the network communication, the operators don’t know if a host was infected unless the victim contacts them when they find the ransom note – so a simple token sent to their server lets them know that there is a victim, she said.

“Our hypothesis is that this may be some sort of traffic check given the lack of payload and the presence of multiple GET requests that include timestamps; however, this has not yet been confirmed,” said researchers. “No additional payload appears to be included in the GET request sent to these URLs and the remote server simply returns ‘0’ in response.”
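The traffic pattern the researchers describe (repeated GET requests carrying a Base64 “token” parameter and timestamps, answered with a near-empty body) is small enough to hide in ordinary web logs, but each of those traits can be checked mechanically. The Python below is an added example, not code from the article or from IBM X-Force; it assumes a simple proxy log format (timestamp, client, method, URL, status, response bytes) and hypothetical hosts. It flags clients that repeatedly issue GETs with a strictly valid Base64 `token` value and receive a tiny response, and counts how many of those requests also carry an epoch-style timestamp parameter. The server name example.invalid is a reserved placeholder, and the log lines are constructed.

```python
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed proxy log: ts client method url status bytes (hypothetical hosts).
SAMPLE_PROXY_LOG = [
    "2020-02-29T10:02:00Z 10.0.0.5 GET http://example.invalid/check?token=aW5mZWN0ZWQ=&t=1582970520 200 1",
    "2020-02-29T10:03:00Z 10.0.0.5 GET http://example.invalid/check?token=aW5mZWN0ZWQ=&t=1582970580 200 1",
    "2020-02-29T10:04:00Z 10.0.0.5 GET http://example.invalid/check?token=aW5mZWN0ZWQ=&t=1582970640 200 1",
    "2020-02-29T10:02:30Z 10.0.0.7 GET http://www.example.com/index.html 200 5120",
    "2020-02-29T10:02:45Z 10.0.0.7 GET http://api.example.com/v1/items?token=session123&page=2 200 2048",
    "2020-02-29T10:05:00Z 10.0.0.9 POST http://example.invalid/upload?token=YWJj 200 1",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)


def parse_proxy_line(line):
    """Parse one log line into a dict, or return None if it does not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_strict_base64(value):
    """True only for padded, canonical Base64 (ordinary session ids usually fail this)."""
    if len(value) < 4 or len(value) % 4:
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def looks_like_epoch(value):
    """Ten-digit Unix timestamps in the 2001-2033 range."""
    return value.isdigit() and 1_000_000_000 <= int(value) <= 2_000_000_000


def find_beacons(lines, max_body_bytes=8, min_requests=2):
    """Summarise clients whose repeated GETs carry a Base64 token and get a tiny reply.

    The response-size bound captures the article's observation that the server
    answers with a bare '0'; the request count separates a beacon from a one-off.
    """
    per_client = defaultdict(lambda: {"requests": 0, "servers": set(),
                                      "timestamped": 0, "tokens": set()})
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        url = urlparse(rec["url"])
        query = parse_qs(url.query)
        tokens = [v for v in query.get("token", []) if is_strict_base64(v)]
        if not tokens or rec["bytes"] > max_body_bytes:
            continue
        summary = per_client[rec["client"]]
        summary["requests"] += 1
        summary["servers"].add(url.netloc)
        summary["tokens"].update(tokens)
        if any(looks_like_epoch(v) for values in query.values() for v in values):
            summary["timestamped"] += 1
    return {
        client: {"requests": s["requests"], "servers": sorted(s["servers"]),
                 "timestamped": s["timestamped"], "tokens": sorted(s["tokens"])}
        for client, s in per_client.items() if s["requests"] >= min_requests
    }


if __name__ == "__main__":
    for client, summary in find_beacons(SAMPLE_PROXY_LOG).items():
        print(client, summary)
```

The strict Base64 check is deliberately narrow: it drops the common false positive of an API session token that merely looks random, and the tiny-response filter drops legitimate endpoints that happen to use a `token` parameter but return real content. A client that trips both, repeatedly, is worth correlating with the host-side recovery-inhibition events above.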

Roddie said businesses can protect themselves by following all best practices associated with defending against any ransomware family. Ransomware continues to be a profitable attack vector for cybercriminals. Microsoft recently warned that ransomware variants like REvil, Bitpaymer and Ryuk are adopting new techniques that enable them to operate unfettered in networks. Ransomware attacks have also led to widescale disruption in pipelines, telemarketing firms and city governments.
