
PXJ Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 9
First Seen: January 19, 2011
Last Seen: March 24, 2020
OS(es) Affected: Windows

Ransomware remains one of the most profitable choices for threat actors. The losses keep piling up, with the FBI reporting that ransomware damages have tripled in the past five years alone, and new strains appear every day. Each day more individuals and organizations become victims, and some feel they have no choice but to pay and hope for the best, especially in high-stakes environments such as hospitals and municipal governments.

The number of threats only continues to grow. IBM's X-Force Incident Response and Intelligence Services (IRIS) team recently documented one it calls "PXJ" ransomware, which it places in the "XVFXGW" family. The name comes from the extension the malware appends to encrypted files and from the mutex it creates; the contact addresses in the ransom note also contain "xvfxgw", the primary one being xvfxgw3929@protonmail.com.

The code came to light at the start of the year. PXJ behaves much like other ransomware, but it does not share underlying code with known strains. Two samples have been found and analyzed so far: one is packed with UPX, the other is unpacked. While families such as Dharma, STOP and even the old Hidden Tear keep spawning variants for years at a time, independent strains like this one are easily overlooked but remain part of the landscape.

What Does PXJ Do?

PXJ behaves like most other ransomware: it locks users out of their files and deletes Volume Shadow Copies so that recovery is harder.

The first thing the malware does is empty the Recycle Bin. It then runs a series of commands that remove the built-in recovery options before any encryption happens: it disables the Windows recovery environment and automatic startup repair through bcdedit, and deletes all Volume Shadow Copies through vssadmin. Both tools require administrative rights, so these commands only succeed when the sample runs elevated.

The commands, in order:

  • vssadmin.exe delete shadows /all /quiet
  • bcdedit.exe /set {default} recoveryenabled no
  • bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  • bcdedit.exe /set {current} recoveryenabled no
  • bcdedit.exe /set {current} bootstatuspolicy ignoreallfailures
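Those five commands are the most reliable pre-encryption signal PXJ gives a defender. The Go program below is an added example, not IBM's or EnigmaSoft's code: it parses process-creation records in a log format invented for this example (the timestamp/image/cmd fields and all sample lines are constructed, not telemetry from a real infection), flags shadow-copy deletion and boot-recovery tampering, and raises a verdict only when both occur on the same host, since either one alone can be legitimate administration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event is one process-creation record, carrying the fields a Sysmon
// Event ID 1 or EDR telemetry row would provide.
type Event struct {
	Time        string
	Image       string
	CommandLine string
}

// Finding ties an event to the rule it tripped.
type Finding struct {
	Rule  string
	Event Event
}

// recoveryRules cover the five commands in the PXJ list. They match on the
// command line rather than the image path because a renamed or copied
// vssadmin.exe / bcdedit.exe still takes the same arguments.
var recoveryRules = []struct {
	Name string
	Re   *regexp.Regexp
}{
	{"shadow_copy_deletion", regexp.MustCompile(`(?i)\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b`)},
	{"boot_recovery_disabled", regexp.MustCompile(`(?i)\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b`)},
	{"boot_failures_ignored", regexp.MustCompile(`(?i)\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b`)},
}

// lineRe parses the log format invented for this example:
// <timestamp> image="<path>" cmd="<command line>"
var lineRe = regexp.MustCompile(`^(\S+)\s+image="([^"]*)"\s+cmd="([^"]*)"$`)

// ParseEvents turns log text into Events, skipping lines that do not match.
func ParseEvents(log string) []Event {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		m := lineRe.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue
		}
		events = append(events, Event{Time: m[1], Image: m[2], CommandLine: m[3]})
	}
	return events
}

// Scan returns one Finding per (event, rule) match, in log order.
func Scan(events []Event) []Finding {
	var out []Finding
	for _, ev := range events {
		for _, r := range recoveryRules {
			if r.Re.MatchString(ev.CommandLine) {
				out = append(out, Finding{Rule: r.Name, Event: ev})
			}
		}
	}
	return out
}

// RansomwarePrep reports whether shadow copies were deleted AND boot recovery
// was tampered with. Either alone can be legitimate administration; the
// combination on one host is the pre-encryption pattern PXJ's command list shows.
func RansomwarePrep(findings []Finding) bool {
	seen := map[string]bool{}
	for _, f := range findings {
		seen[f.Rule] = true
	}
	return seen["shadow_copy_deletion"] &&
		(seen["boot_recovery_disabled"] || seen["boot_failures_ignored"])
}

// sampleLog is constructed for this example; it is not telemetry from a real
// PXJ infection. The first and last lines are benign and must not alert.
const sampleLog = `
2020-03-24T10:00:01Z image="C:\Windows\System32\cmd.exe" cmd="cmd.exe /c dir"
2020-03-24T10:00:02Z image="C:\Windows\System32\vssadmin.exe" cmd="vssadmin.exe delete shadows /all /quiet"
2020-03-24T10:00:02Z image="C:\Windows\System32\bcdedit.exe" cmd="bcdedit.exe /set {default} recoveryenabled no"
2020-03-24T10:00:02Z image="C:\Windows\System32\bcdedit.exe" cmd="bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
2020-03-24T10:00:03Z image="C:\Windows\System32\bcdedit.exe" cmd="bcdedit.exe /set {current} recoveryenabled no"
2020-03-24T10:00:03Z image="C:\Windows\System32\bcdedit.exe" cmd="bcdedit.exe /set {current} bootstatuspolicy ignoreallfailures"
2020-03-24T10:00:05Z image="C:\Windows\System32\vssadmin.exe" cmd="vssadmin.exe list shadows"
`

func main() {
	findings := Scan(ParseEvents(sampleLog))
	for _, f := range findings {
		fmt.Printf("%s  %-24s %s\n", f.Event.Time, f.Rule, f.Event.CommandLine)
	}
	fmt.Println("ransomware preparation pattern:", RansomwarePrep(findings))
}
```

On the constructed log the scanner reports five findings (the benign `dir` and `list shadows` lines are ignored) and the combined verdict is true. In production the same two-stage logic belongs in the SIEM: alert on the individual commands at low severity, and escalate when both categories appear on one host inside a short window.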

Last but not least, it encrypts the information on the computer. It focuses on encrypting documents, images, databases, videos, and other personal files on a device. It drops a ransom note in infected folders and on the desktop that contains instructions on how to restore data.

Powerful Encryption Prevents Access to Files

The PXJ authors took steps to ensure that victims cannot simply decrypt their files themselves. Files are protected with a combination of AES and RSA, which is the standard construction in ransomware. The file contents are encrypted with AES, a fast symmetric cipher, so that the whole disk can be processed before the activity is noticed and stopped. The AES key is then encrypted with the attacker's RSA public key and stored alongside the data. Because the matching RSA private key never leaves the attacker, no key material that could reverse the AES step remains on the victim's machine. The files are not encrypted twice; rather, the key needed to undo the fast AES step is locked behind the RSA step.

The PXJ ransom note

Hello.
All your files like photos, databases, videos, documents and other importants are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you.
Guarantee: You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only one for free. File must not contain valuable information.
If you do not contact us within 3 days, the price will double every day. And if you do not get in touch for a week, your files will be lost forever.
Our mail address: xvfxgw3929@protonmail.com
Reserved mail address: xvfxgw213@decoymail.com

As the note shows, victims are told to contact the attacker by email, and only then learn the price of the decryption tool and key. The note also applies pressure: the price doubles every day after the third day without contact, and after a week the attacker claims the files will be lost for good, which would mean the decryption key has been discarded and the locked data cannot be restored.

New PXJ Strain Adds Network Communications Check

IBM later examined two further PXJ samples that a community member had uploaded. Almost everything about them matched the earlier samples; the main difference was a check for network connectivity, implemented as a GET request to a hard-coded URL.

The URLs in the code carry a "token" parameter whose value is Base64 encoded. Decoded, the two samples' tokens read:

  • K 2020/2/29 20:41:7 uzjdbtjjska AAABANIx93RdufO4
  • K 2020/3/2 0:37:25 lttylhecm AAABANIx93RdufO4

Because the request carries no payload and the server only returns "0", the researchers believe this is a connectivity or traffic check rather than command-and-control traffic. This has not been confirmed either way and remains a hypothesis.

Also worth noting is a file named "Res.AAABANIx93RdufO4". Its exact purpose is unknown, but the ransom note asks victims not to delete it, which suggests it plays a part in the decryption process, assuming the attackers are honest about being willing and able to decrypt files. The same string, AAABANIx93RdufO4, appears as the last field of both decoded tokens above.
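A decoder for that token format, added here as an example (it is not IBM's tooling), is useful when triaging proxy logs or a sandbox PCAP: it pulls the parameter out of a URL, tolerates missing Base64 padding, splits the decoded value into the five fields the two quoted tokens show, and parses the unpadded timestamp. The host in the sample URL is a placeholder because the page does not give the real check-in domain, and the link between the token's last field and the "Res." file name is an observation from the strings quoted above, not something the researchers state.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Beacon is the decoded content of the "token" query parameter, split into
// the five whitespace-separated fields the two published values show.
type Beacon struct {
	Tag   string    // "K" in both samples; meaning not documented
	When  time.Time // timestamp embedded by the sample, no zone information
	Extra string    // lowercase string that differs between the two samples; purpose unknown
	ID    string    // 16-character identifier, identical in both samples
}

// decodeToken accepts both padded and unpadded Base64, since tokens copied
// out of URLs or logs often lose their trailing "=".
func decodeToken(tok string) ([]byte, error) {
	if b, err := base64.StdEncoding.DecodeString(tok); err == nil {
		return b, nil
	}
	return base64.RawStdEncoding.DecodeString(strings.TrimRight(tok, "="))
}

// ParseBeacon extracts and decodes the token parameter from a request URL.
func ParseBeacon(rawURL string) (*Beacon, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	tok := u.Query().Get("token")
	if tok == "" {
		return nil, errors.New("no token parameter in URL")
	}
	raw, err := decodeToken(tok)
	if err != nil {
		return nil, fmt.Errorf("token is not Base64: %w", err)
	}
	f := strings.Fields(string(raw))
	if len(f) != 5 {
		return nil, fmt.Errorf("expected 5 fields, got %d in %q", len(f), raw)
	}
	// The samples use unpadded date and time components (2020/2/29 20:41:7),
	// so the layout uses single-digit month, day, minute and second.
	when, err := time.Parse("2006/1/2 15:4:5", f[1]+" "+f[2])
	if err != nil {
		return nil, fmt.Errorf("bad timestamp: %w", err)
	}
	return &Beacon{Tag: f[0], When: when, Extra: f[3], ID: f[4]}, nil
}

// MatchesResFile reports whether a dropped file name is "Res." followed by
// the beacon's ID, the pattern the quoted file name "Res.AAABANIx93RdufO4" shows.
func MatchesResFile(b *Beacon, filename string) bool {
	return filename == "Res."+b.ID
}

// SampleURL builds a request like the one described, using the first decoded
// token from the text. The host is a placeholder; the real check-in domain is
// not given.
func SampleURL() string {
	tok := base64.StdEncoding.EncodeToString([]byte("K 2020/2/29 20:41:7 uzjdbtjjska AAABANIx93RdufO4"))
	return "http://example.invalid/?token=" + url.QueryEscape(tok)
}

func main() {
	b, err := ParseBeacon(SampleURL())
	if err != nil {
		panic(err)
	}
	fmt.Printf("tag=%s time=%s extra=%s id=%s\n", b.Tag, b.When.Format(time.RFC3339), b.Extra, b.ID)
	fmt.Println("Res file belongs to this beacon:", MatchesResFile(b, "Res.AAABANIx93RdufO4"))
}
```

Running it on the sample URL yields the tag `K`, the timestamp 2020-02-29 20:41:07, the unexplained field `uzjdbtjjska` and the ID `AAABANIx93RdufO4`; feeding it the token from the second sample gives the same ID with a different timestamp and middle field, which is what makes the ID a better pivot than the full token when hunting across hosts.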

Ransomware like PXJ is On the Rise

It seems we cannot go a day without a new ransomware threat appearing. Part of the reason is the rise of "ransomware-as-a-service": people buy or rent a strain and deploy it without writing the malware themselves. Ransomware has been used to extort large sums and to cripple businesses and individuals alike. Given that PXJ deletes shadow copies and disables boot recovery before it encrypts anything, the single most effective protection is an offline or otherwise immutable backup that the malware cannot reach, alongside the usual measures against threats like it.
