PXJ Ransomware Campaign Identified by X-Force IRIS

Ransomware has become one of the most profitable types of malware in the hands of cybercriminals, with reported cybercrime losses tripling in the last five years, according to the FBI. A constant flow of new and reused code in this realm continues to flood both consumers and organizations who fight to prevent infections, respond to attacks and often resort to paying the criminals.


In a recent analysis from IBM’s X-Force Incident Response and Intelligence Services (IRIS), our team discovered activity related to a new strain of ransomware known as “PXJ” ransomware. This malware is also known as “XVFXGW” ransomware. The name PXJ is derived from the file extension that is appended to encrypted files, whereas the alternative name, XVFXGW, is based on both the mutex the malware creates, “XVFXGW DOUBLE SET,” and the email addresses listed in the ransom note, which are “[email protected]” and “[email protected]”.


This code emerged in the wild in early 2020, and while it performs functions common to most ransomware, it does not appear to share underlying code with known ransomware families. Of the two samples we have analyzed so far, one was packed using UPX, an open-source executable packer, while the other did not leverage any packing.
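The two observations above (one sample UPX-packed, and a fixed mutex name plus file extension that give the family its names) are exactly what a first-pass triage script checks for. The following is an added example, not X-Force IRIS tooling or code from the article: it parses a PE section table to flag UPX-style sections, scans the raw bytes for the indicator strings the write-up quotes, and reports when a packed sample needs unpacking before the string scan means anything. The `build_pe` helper and both sample byte blobs are constructed test fixtures, not real malware, and the UPX heuristic assumes the default section names, which a repacker can trivially rename.

```python
"""Triage helper for PE samples: detect UPX-style section names and scan for
the plaintext indicators the article attributes to PXJ/XVFXGW.
Added illustrative code, not X-Force IRIS tooling; the sample byte blobs
below are constructed, not real malware."""
import struct

# Indicators quoted in the write-up: the mutex name and the appended extension.
INDICATORS = [b"XVFXGW DOUBLE SET", b".pxj"]
UPX_SECTION_PREFIX = b"UPX"


def parse_sections(data: bytes):
    """Return [(name, virtual_size, raw_size)] read from the PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE: missing PE signature")
    coff = e_lfanew + 4                        # COFF file header follows the signature
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size               # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                   # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name = data[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, rsize = struct.unpack_from("<III", data, off + 8)
        sections.append((name, vsize, rsize))
    return sections


def looks_upx_packed(sections) -> bool:
    """Default UPX output names its sections UPX0/UPX1; UPX0 has no raw data
    because the stub rebuilds it in memory. Renamed sections defeat this check."""
    return any(n.startswith(UPX_SECTION_PREFIX) for n, _, _ in sections)


def triage(data: bytes) -> dict:
    """Section names, packer verdict, and which indicator strings are visible."""
    sections = parse_sections(data)
    packed = looks_upx_packed(sections)
    found = [ind.decode() for ind in INDICATORS if ind in data]
    # Caveat: a packed sample hides its strings. No indicators on a packed file
    # means "unpack first, then rescan", not "clean".
    return {"sections": [n.decode() for n, _, _ in sections],
            "upx_packed": packed,
            "indicators": found,
            "needs_unpacking": packed and not found}


def build_pe(section_names, payload: bytes) -> bytes:
    """Construct a minimal PE32 image with the given section names (test data only)."""
    opt_size = 0xE0
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))   # e_lfanew = 0x40
    hdr += b"PE\0\0"
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    hdr += struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    hdr += struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)           # PE32 magic, rest zeroed
    raw_ptr = 0x400
    for name in section_names:
        raw = 0 if name == b"UPX0" else 0x200                           # UPX0 carries no raw data
        hdr += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", 0x1000, 0x1000, raw, raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += raw
    return bytes(hdr).ljust(0x400, b"\0") + payload


# Constructed fixtures: a "packed" layout with no visible strings, and an
# "unpacked" layout carrying the mutex name and extension in plaintext.
PACKED_SAMPLE = build_pe([b"UPX0", b"UPX1", b".rsrc"], b"\x7f\x00\x11\x22" * 32)
UNPACKED_SAMPLE = build_pe([b".text", b".rdata", b".data"],
                           b"\0" * 8 + b"XVFXGW DOUBLE SET\0" + b".pxj\0")

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("unpacked", UNPACKED_SAMPLE)):
        print(label, triage(blob))
```

Run against a real sample by reading the file as bytes and calling `triage()`; a result with `needs_unpacking` set is the cue to run `upx -d` (or dump from memory) and scan again, and a `False` verdict from `looks_upx_packed` on a sample whose strings are still absent should be treated as "packed with something else", not as clean.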


This post sheds some light on what we found in our labs.


PXJ’s Initial Actions


Much like other ransomware, PXJ begins by disabling th ..