Security Affairs
OpenSSL Fixes HollowByte Memory Exhaustion Bug|Daxin: 13-Year-Old China-Linked Malware Found Still Active on Manufacturer’s Network|U.S. CISA adds Fortinet FortiSandbox and Microsoft SharePoint flaws to its Known Exploited Vulnerabilities catalog|Ernst & Young (EY) Investigates Data Breach Involving Third-Party Support Tickets|A cyberattack hit Nichirei, one of Japan’s largest food companies|New Russian Campaign Uses Fake Webex and Zoom Installers to Deploy Starland RAT|U.S. CISA adds KNX Association KNX Protocol Connection Authorization Option 1 and Oracle flaws to its Known Exploited Vulnerabilities catalog|Two Scattered Spider Members Sentenced to Prison Over £29 Million TfL Cyberattack|TuxBot v3: The IoT Botnet Built With AI – Bugs, Disclaimers and All|Claude Code and DeepSeek Powered Chinese Cyber Espionage Campaign|Zoom Fixes CVE-2026-53412, a Critical Account Takeover Bug|US and allied Governments’ Recommendations: Securing Network Devices Against Russian APT Groups|OpenSSL Fixes HollowByte Memory Exhaustion Bug|Daxin: 13-Year-Old China-Linked Malware Found Still Active on Manufacturer’s Network|U.S. CISA adds Fortinet FortiSandbox and Microsoft SharePoint flaws to its Known Exploited Vulnerabilities catalog|Ernst & Young (EY) Investigates Data Breach Involving Third-Party Support Tickets|A cyberattack hit Nichirei, one of Japan’s largest food companies|New Russian Campaign Uses Fake Webex and Zoom Installers to Deploy Starland RAT|U.S. CISA adds KNX Association KNX Protocol Connection Authorization Option 1 and Oracle flaws to its Known Exploited Vulnerabilities catalog|Two Scattered Spider Members Sentenced to Prison Over £29 Million TfL Cyberattack|TuxBot v3: The IoT Botnet Built With AI – Bugs, Disclaimers and All|Claude Code and DeepSeek Powered Chinese Cyber Espionage Campaign|Zoom Fixes CVE-2026-53412, a Critical Account Takeover Bug|US and allied Governments’ Recommendations: Securing Network Devices Against Russian APT Groups|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Experts warn of a new strain of ransomware, the PXJ Ransomware

Experts warn of a new malware strain, dubbed PXJ Ransomware, that does share the same underlying code with existing ransomware families. Security experts from IBM X-Force have spotted a new strain of ransomware, dubbed PXJ Ransomware, that does share the same code with other known ransomware families. While PXJ performs typical ransomware functions, it does […]

PXJ Ransomware

Experts warn of a new malware strain, dubbed PXJ Ransomware, that does share the same underlying code with existing ransomware families.

Security experts from IBM X-Force have spotted a new strain of ransomware, dubbed PXJ Ransomware, that does share the same code with other known ransomware families.

While PXJ performs typical ransomware functions, it does not appear to share the same underlying code with most known ransomware families.

The PXJ ransomware first appeared in the threat landscape in early 2020, it supports functions similar to other ransomware families. The experts spotted the ransomware for the first time on February 29, when two samples that were uploaded to VirusTotal.

The name PXJ ransomware comes from the file extension that it appends to encrypted files. The malware is also known as XVFXGW, a name that derived from both the the malware creates, “XVFXGW DOUBLE SET,” and the email addresses included in the ransom note (“xvfxgw3929@protonmail.com” and “xvfxgw213@decoymail.com”).

“This code has emerged in the wild in early 2020, and while it performs functions common to most ransomware, it does not appear to share underlying code with known ransomware families.” reads the analysis post by IBM X-Force.

Only one of the two samples analyzed by the researchers was packed using the open-source executable packer UPX.

At the time, experts have yet to determine the initial infection vector of the ransomware. Like other ransomware families, PXJ ransomware begins by disabling the user’s ability to recover any files from deleted stores and shadow copies.

Then the malware starts encrypting the victims’ files, it is able to target photos and images, databases, documents, videos, and other files.

The PXJ ransomware uses both AES and RSA algorithms to encrypt the data, the technique is common to other threats.

“Many ransomware codes begin by encrypting files with the AES algorithm, a symmetric cipher, because it can encrypt files faster, helping finish the task before the malicious process can be interrupted,” continues the analysis. “The AES key is then encrypted with the stronger asymmetric key, in this case, the RSA crypto-system.”

Once the encryption process is concluded, the ransomware will drop the ransom note into a file (called “LOOK.txt”), which instructs the victim to contact the attacker via email to receive information on the procedure to pay the ransom (in Bitcoin).

If victims do not pay, the ransom amount will double every day after the first three days, the attackers also threaten the victims that after a week, the decryption key will be destroyed, making it impossible to recover the encrypted files.

The two samples analyzed by the experts differ in the use of network communication that is present only in one sample. The network connection allows operators to determine if a machine was infected before it will be contacted by the victims.

Experts noticed that the URLs in one of the samples contained a sort of traffic check parameter called “token” with a Base-64 encoded value. 

“Our hypothesis is that this may be some sort of traffic check given the lack of payload and the presence of multiple GET requests that include timestamps; however, this has not yet been confirmed. No additional payload appears to be included in the GET request sent to these URLs and the remote server simply returns “0” in response.” continues the analysis.

Technical details about the PXJ Ransomware, including Indicators of Compromise (IoCs), are reported in the analysis published by IBM X-Force.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, PXJ ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]