A new ransomware strain called PXJ ransomware (also known as XVFXGW ransomware) was first discovered in late February 2020.[1] Half of the known samples were uploaded from Korea, and the malware uses a Korean website for C2 communication, showing predominantly Asian targeting.
Details
The earliest PXJ ransomware sample is from 24 February 2020. It received its name from the .pxj extension that it appends to the files it encrypts. Its alternative name, XVFXGW, refers to the string shared by its two contact emails (xvfxgw3929@protonmail.com, xvfxgw213@decoymail.com) and by the mutex that it creates (see the Indicators table below).
Prior to encryption, PXJ empties the Recycle Bin, deletes volume shadow copies and disables the Windows Error Recovery service. PXJ then encrypts files using both AES and RSA.[2]
Figure 1. PXJ ransom note stored in LOOK.txt [3]
Red Sky Alliance detected C2 communication with a Korean site (pediitn[.]co[.]kr) co-hosted on a Korean IP. The attackers likely compromised this domain, which belongs to a Korean pedicure company, for a limited time and hosted a malicious .php page on the site.
Half of the samples were submitted from Korea; one was submitted from China and one from France. Red Sky Alliance will continue to monitor whether PXJ ransomware becomes a larger threat.
Indicators
| Indicator | Type | Kill Chain Phase | First Seen | Last Seen | Comments | Attribution |
|---|---|---|---|---|---|---|
| http[://]pediitn[.]co[.]kr/bbs/do.php?token_value=syajidiwmjavmy8xnca5ojq3ojmxiakgqu5btfltvdatmkqxnjcxiakgqufbqkfosxg5m1jkdwzpna== | URL | C2 | 02/29/2020 | 03/17/2020 | | PXJ Ransomware |
| SyAJIDIwMjAvMy8xIDM6NTg6NTggCSBpY2Z3cmhpIAkgQUFBQkFOSXg5M1JkdWZPNA | String | C2 | 02/29/2020 | 02/29/2020 | Token_value | PXJ Ransomware |
| syajidiwmjavmy8xidm6ntk6mzggcsbbtkfmwvnumc0yrde2nzegcsbbqufcqu5jedkzumr1zk80 | String | C2 | 03/01/2020 | 03/01/2020 | Token_value | PXJ Ransomware |
| XVFXGW DOUBLE SET | String | Exploitation | 02/29/2020 | 03/17/2020 | Mutexes Created | PXJ Ransomware |
| 64fdcb90411440bc44970d1ecce60686b85df54ed552abf312947207ea654dce | SHA256 | Delivery | 02/29/2020 | 02/29/2020 | | PXJ Ransomware |
| c5697c0166f9b18ee157bcdde9fb2f531892d62076b4fa3664adf0065598ebf7 | SHA256 | Delivery | 02/29/2020 | 02/29/2020 | | PXJ Ransomware |
| 9a4e4211f7e690ee4a520c491ef7766dcf1cc9859afa991e15538e92b435f3a1 | SHA256 | Delivery | 02/24/2020 | 02/24/2020 | | PXJ Ransomware |
| 58673f5c9344f510703ffda908c7e7830f36905015529ab629479c6bf44236e9 | SHA256 | NA | 02/25/2020 | 02/29/2020 | | PXJ Ransomware |
| xvfxgw3929@protonmail.com | | Actions and Objectives | 03/19/2019 | 03/19/2019 | | PXJ Ransomware |
| xvfxgw213@decoymail.com | | Actions and Objectives | 03/19/2019 | 03/19/2019 | | PXJ Ransomware |
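A small detection helper for the C2 beacon pattern described above, added here as an example and not part of the Red Sky Alliance report: it refangs the report's URL indicator, checks proxy log lines for requests to the C2 host and path, and records whether the token_value parameter is well-formed base64 (as both recorded token values are). The log line layout and the sample lines are constructed assumptions.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

# C2 host and path copied from the report's indicator table above (defanging removed).
C2_HOST = "pediitn.co.kr"
C2_PATH = "/bbs/do.php"

# Constructed proxy log lines in an assumed "timestamp client method url" layout.
SAMPLE_LOG = [
    "2020-03-01T03:59:40Z 10.0.0.12 GET http://pediitn.co.kr/bbs/do.php"
    "?token_value=SyAJIDIwMjAvMy8xIDM6NTg6NTggCSBpY2Z3cmhpIAkgQUFBQkFOSXg5M1JkdWZPNA",
    "2020-03-01T04:00:01Z 10.0.0.12 GET http://example.com/index.html",
    "2020-03-01T04:00:05Z 10.0.0.13 GET http://pediitn.co.kr/bbs/do.php",
]

def refang(indicator):
    """Turn the report's defanged notation (http[://], [.]) back into a real URL."""
    return indicator.replace("[://]", "://").replace("[.]", ".")

def token_decodes(token):
    """True if token_value is syntactically valid base64; missing '=' padding is tolerated."""
    try:
        base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        return True
    except binascii.Error:
        return False

def check_url(url):
    """Return a finding dict if the URL matches the PXJ C2 host and path, else None."""
    parts = urlsplit(refang(url))
    if parts.hostname != C2_HOST or parts.path != C2_PATH:
        return None
    tokens = parse_qs(parts.query).get("token_value", [])
    return {"host": parts.hostname, "token_present": bool(tokens),
            "token_base64": bool(tokens) and all(token_decodes(t) for t in tokens)}

def scan_proxy_log(lines):
    """Run check_url over each log line; every hit is tagged with the client address."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 4 and (finding := check_url(fields[3])):
            findings.append({"client": fields[1], **finding})
    return findings
```

A request to the C2 path without any token_value is still reported, since the page itself, not the parameter, is the indicator.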
Red Sky Alliance is in New Boston, NH. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
Serial: IR-20-078-001
Country: KR, CN, FR
Report Date: 20200318
Industries: All
[1] Primary analysis from IBM X-Force IRIS
[2] securityintelligence.com/posts/pxj-ransomware-campaign-identified-by-x-force-iris/
[3] twitter.com/Amigo_A_/status/1232221881002057728