A new ransomware strain called PXJ ransomware (also known as XVFXGW ransomware) was first discovered in late February 2020.[1]  Half of the known samples were uploaded from Korea, and it uses a Korean website for C2, showing predominantly Asian targeting.

Details

The earliest PXJ ransomware sample is from 24 February 2020.  It received its name from the .pxj extension that it adds to the files it encrypts.  Its alternative name, XVFXGW, refers to the string shared by its two contact emails (xvfxgw3929@protonmail.com, xvfxgw213@decoymail.com) and by the mutex that it creates (see the Indicators table below).


Prior to encryption, PXJ empties the Recycle Bin, deletes volume shadow copies and disables the Windows Error Recovery service, removing the local recovery options a victim would otherwise fall back on.  PXJ then encrypts the files using a combination of the AES and RSA algorithms.[2]


Figure 1. PXJ ransom note stored in LOOK.txt [3]


Red Sky Alliance detected C2 communication with a Korean site (pediitn[.]co[.]kr) co-hosted on a Korean IP.  The attackers likely compromised this domain, which belongs to a Korean pedicure company, for a limited time and quietly hosted a malicious .php page within the site.

Half of the samples were submitted from Korea; one each came from China and from France.  Red Sky Alliance will continue to monitor whether PXJ ransomware becomes a larger threat.

Indicators

| Indicator | Type | Kill_Chain_Phase | First_Seen | Last_Seen | Comments | Attribution |
| --- | --- | --- | --- | --- | --- | --- |
| http[://]pediitn[.]co[.]kr/bbs/do.php?token_value=syajidiwmjavmy8xnca5ojq3ojmxiakgqu5btfltvdatmkqxnjcxiakgqufbqkfosxg5m1jkdwzpna== | URL | C2 | 02/29/2020 | 03/17/2020 | | PXJ Ransomware |
| SyAJIDIwMjAvMy8xIDM6NTg6NTggCSBpY2Z3cmhpIAkgQUFBQkFOSXg5M1JkdWZPNA | String | C2 | 02/29/2020 | 02/29/2020 | Token_value | PXJ Ransomware |
| syajidiwmjavmy8xidm6ntk6mzggcsbbtkfmwvnumc0yrde2nzegcsbbqufcqu5jedkzumr1zk80 | String | C2 | 03/01/2020 | 03/01/2020 | Token_value | PXJ Ransomware |
| XVFXGW DOUBLE SET | String | Exploitation | 02/29/2020 | 03/17/2020 | Mutexes Created | PXJ Ransomware |
| 64fdcb90411440bc44970d1ecce60686b85df54ed552abf312947207ea654dce | SHA256 | Delivery | 02/29/2020 | 02/29/2020 | | PXJ Ransomware |
| c5697c0166f9b18ee157bcdde9fb2f531892d62076b4fa3664adf0065598ebf7 | SHA256 | Delivery | 02/29/2020 | 02/29/2020 | | PXJ Ransomware |
| 9a4e4211f7e690ee4a520c491ef7766dcf1cc9859afa991e15538e92b435f3a1 | SHA256 | Delivery | 02/24/2020 | 02/24/2020 | | PXJ Ransomware |
| 58673f5c9344f510703ffda908c7e7830f36905015529ab629479c6bf44236e9 | SHA256 | NA | 02/25/2020 | 02/29/2020 | | PXJ Ransomware |
| xvfxgw3929@protonmail.com | Email | Actions and Objectives | 03/19/2019 | 03/19/2019 | | PXJ Ransomware |
| xvfxgw213@decoymail.com | Email | Actions and Objectives | 03/19/2019 | 03/19/2019 | | PXJ Ransomware |
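As an added example that is not part of the Red Sky Alliance report, the Python script below scans proxy-log lines for the check-in URL listed in the table (host and path of the do.php page) and base64-decodes the token_value it carries; the log format and the sample log lines are constructed for this example. Run as written, it shows that the token in the table's second row decodes to four tab-separated text fields, while the case-folded token inside the URL row no longer decodes to text, which is why the match is keyed on host and path rather than on the token.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlparse

# Indicators taken from the report's table above, refanged for matching.
C2_HOST = "pediitn.co.kr"
C2_PATH = "/bbs/do.php"
TOKEN_FROM_REPORT = "SyAJIDIwMjAvMy8xIDM6NTg6NTggCSBpY2Z3cmhpIAkgQUFBQkFOSXg5M1JkdWZPNA"
URL_FROM_REPORT = ("http://pediitn.co.kr/bbs/do.php?token_value="
                   "syajidiwmjavmy8xnca5ojq3ojmxiakgqu5btfltvdatmkqxnjcxiakgqufbqkfosxg5m1jkdwzpna==")

def decode_token(token):
    """Base64-decode a token_value and return its tab-separated fields,
    or None when the value does not decode to printable ASCII text."""
    padded = token + "=" * (-len(token) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not all(ch == "\t" or ch.isprintable() for ch in text):
        return None
    return [field.strip() for field in text.split("\t")]

def find_c2_requests(log_lines):
    """Return one record per log line that requests the PXJ check-in page.
    Assumed log format (constructed): '<timestamp> <client_ip> <method> <url>'.
    The match rests on host and path; the token is decoded only as context."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        url = urlparse(parts[3])
        if url.hostname != C2_HOST or url.path != C2_PATH:
            continue
        token = parse_qs(url.query).get("token_value", [""])[0]
        hits.append({"time": parts[0], "client": parts[1],
                     "token": token, "fields": decode_token(token)})
    return hits

# Constructed sample proxy log: one benign request and two check-ins.
SAMPLE_LOG = [
    "2020-03-01T03:58:40Z 10.0.0.15 GET http://intranet.example/login",
    "2020-03-01T03:59:07Z 10.0.0.15 GET http://pediitn.co.kr/bbs/do.php?token_value=" + TOKEN_FROM_REPORT,
    "2020-03-01T04:02:33Z 10.0.0.22 GET " + URL_FROM_REPORT,
]

if __name__ == "__main__":
    for hit in find_c2_requests(SAMPLE_LOG):
        print(hit)
```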


Red Sky Alliance partners with Cysurance to protect you from the PXJ ransomware and other cyber risks by supplementing security technology with robust cyber insurance.

Red Sky Alliance is in New Boston, NH.  We are a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

Serial: IR-20-078-001

Country: KR, CN, FR

Report Date: 20200318

Industries: All

[1] Primary analysis from IBM X-Force IRIS

[2] securityintelligence.com/posts/pxj-ransomware-campaign-identified-by-x-force-iris/

[3] twitter.com/Amigo_A_/status/1232221881002057728
