Researchers Warn of Novel PXJ Ransomware Strain

silversurfer (Thread author)
Researchers have discovered a new strain of ransomware, dubbed “PXJ,” which emerged in the wild in early 2020.

While PXJ performs functions similar to other ransomware variants, it does not appear to share the same underlying code with most known ransomware families, researchers said. They first identified PXJ on Feb. 29, after discovering two samples that were uploaded to VirusTotal by a user from the community.

“The emergence of new ransomware strains is almost a daily occurrence nowadays, facilitated by the ability of new threat actors to buy ransomware for a low cost or even obtain code for free on some forums,” said Megan Roddie, cyber-threat researcher with IBM X-Force in a Thursday post. “Additionally, organized cybercrime gangs use ransomware to extort organizations and force them to negotiate ransom amounts to the tune of millions of dollars in each case.”

Roddie told Threatpost that at this time, the initial infection vector of the ransomware is unknown. Similar to other ransomware strains, once it infects a system, PXJ starts its attack chain by disabling the victim’s ability to recover files from deleted stores. It empties the recycle bin (using the “SHEmptyRecycleBinW” function), and then executes a series of commands to prevent the recovery of data that’s been encrypted. These include deleting volume shadow copies, which can create backup copies in Microsoft Windows, and disabling the Windows Error Recovery service.

Then the ransomware begins the file encryption process. Based on the ransom note, researchers were able to glean that the encryption process includes encrypting photos and images, databases, documents, videos and other files on the device. PXJ uses double encryption (both AES and RSA algorithms) to lock data down, which researchers said is a practice that is quite common to prevent potential recovery by breaking the encryption.
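The attack chain described above (empty the recycle bin, delete volume shadow copies, disable Windows recovery) is the part of a ransomware infection that is visible in process-creation telemetry before any file is encrypted, so it is where a detection engineer would want a rule. The following is an added example, not code from the article, from IBM X-Force, or from the PXJ samples: it runs a small set of command-line patterns over constructed Sysmon-style process records and then correlates hits per parent process, since a single parent launching several recovery-inhibiting commands in sequence is the shape the article describes. The article does not name the commands PXJ runs; the vssadmin, wmic, bcdedit and wbadmin patterns are the commonly documented ones and are my assumption, as are the host names, paths and log format. The recycle-bin step (the SHEmptyRecycleBinW API call) is not a command line and is not covered here; it would need API or EDR telemetry.

```python
import re
from dataclasses import dataclass

# Command-line patterns for the pre-encryption steps the article describes.
# ASSUMPTION: the article names neither the tools nor the exact commands; these
# are the widely reported ones, not patterns taken from the PXJ samples.
INHIBIT_RECOVERY_PATTERNS = {
    "shadow_copy_delete": [
        re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
        re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
        re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I),
    ],
    "recovery_disable": [
        re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I),
        re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b\s+ignoreallfailures\b", re.I),
    ],
    "backup_catalog_delete": [
        re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
    ],
}


@dataclass
class Alert:
    host: str
    pid: int
    parent: str
    tactic: str
    cmdline: str


def parse_event(line):
    """Parse one constructed process-creation record: host|pid|parent_image|cmdline."""
    host, pid, parent, cmdline = line.rstrip("\n").split("|", 3)
    return host, int(pid), parent, cmdline


def classify(cmdline):
    """Return the set of recovery-inhibition tactics a command line matches."""
    return {
        name
        for name, patterns in INHIBIT_RECOVERY_PATTERNS.items()
        if any(p.search(cmdline) for p in patterns)
    }


def scan(lines):
    """Emit one Alert per (event, tactic) pair; benign lines produce nothing."""
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        host, pid, parent, cmdline = parse_event(line)
        for tactic in sorted(classify(cmdline)):
            alerts.append(Alert(host, pid, parent, tactic, cmdline))
    return alerts


def correlate(alerts, threshold=2):
    """Return {(host, parent_image): tactics} for parents that triggered at least
    `threshold` distinct tactics: several recovery-inhibiting commands from one
    process is far more suspicious than a lone admin one-off."""
    seen = {}
    for a in alerts:
        seen.setdefault((a.host, a.parent), set()).add(a.tactic)
    return {key: tactics for key, tactics in seen.items() if len(tactics) >= threshold}


# Constructed sample telemetry (not real logs): one workstation showing the
# chain from an unknown binary in Temp, one server with a single vssadmin call.
SAMPLE_EVENTS = [
    r"ws01|4120|C:\Windows\explorer.exe|notepad.exe C:\Users\bob\notes.txt",
    r"ws01|4388|C:\Users\bob\AppData\Local\Temp\upd.exe|vssadmin.exe delete shadows /all /quiet",
    r"ws01|4390|C:\Users\bob\AppData\Local\Temp\upd.exe|bcdedit.exe /set {default} recoveryenabled no",
    r"ws01|4391|C:\Users\bob\AppData\Local\Temp\upd.exe|bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
    r"ws01|4392|C:\Users\bob\AppData\Local\Temp\upd.exe|wbadmin delete catalog -quiet",
    r"srv02|812|C:\Windows\System32\svchost.exe|vssadmin.exe list shadows",
    r"srv02|990|C:\Windows\System32\cmd.exe|wmic shadowcopy delete",
]


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for alert in found:
        print(f"[{alert.tactic}] {alert.host} pid={alert.pid} parent={alert.parent}: {alert.cmdline}")
    for (host, parent), tactics in correlate(found).items():
        print(f"CHAIN on {host}: {parent} -> {', '.join(sorted(tactics))}")
```

Running it prints five single-event alerts and one correlated chain (the Temp binary on ws01 hitting all three tactics); the lone `wmic shadowcopy delete` on srv02 is alerted but not escalated, which is the trade-off the threshold makes. On a real estate the parent image and a short time window are what separate a backup-maintenance script from a ransomware dropper, and the correlation key is the place to add that window.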
 
