LTS Secure Warning: Taking A Look At PXJ Ransomware

A new strain of ransomware, dubbed “PXJ”, has been identified by researchers. PXJ performs the functions common to most ransomware in circulation, but its underlying code does not appear to resemble that of any known ransomware family.

Technical Details

The initial infection vector used by the ransomware is still unknown, but the post-infection stage is largely similar to that of other ransomware strains.

Its attack chain is as follows:

  • Disables the victim’s ability to recover any files from deleted stores.
  • The SHEmptyRecycleBinW API function is then called to empty the Recycle Bin.
  • Next, a series of commands is executed to prevent recovery of the data that is about to be encrypted:
    • deleting volume shadow copies;
    • disabling the Windows Error Recovery service.
  • Finally, the ransomware starts its encryption process (both AES and RSA are used to lock down data).
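The sequence above (recovery data wiped first, encryption last) is what a detection engineer would look for in process-creation telemetry: several distinct recovery-inhibition commands launched by the same parent process within seconds. The following is an added example, not code from this advisory or from the PXJ sample. It runs a small rule set over constructed process-creation log lines and flags any parent process that drove two or more distinct recovery-inhibition steps. The command-line patterns (vssadmin delete shadows, wmic shadowcopy delete, wbadmin delete catalog, bcdedit recoveryenabled no / bootstatuspolicy ignoreallfailures) are the commands ransomware commonly uses for these steps; the advisory does not list PXJ’s exact command lines, so the patterns, the key=value log format and the sample records are all assumptions made for the example.

```python
"""Flag the pre-encryption recovery-inhibition steps in process-creation logs.

Added example for this advisory, not code from the original page or from
the PXJ sample. The command-line patterns are the usual ways ransomware
deletes shadow copies, wipes the backup catalog and disables Windows
recovery; PXJ's exact command lines are not given in the advisory, so the
patterns, the log format and the sample records below are assumptions.
"""
import re
from collections import defaultdict

# Each rule is (name, regex applied to the lower-cased command line).
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows"
                r"|wmic(?:\.exe)?\s+shadowcopy\s+delete")),
    ("backup_catalog_deletion",
     re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog")),
    ("recovery_disabled",
     re.compile(r"bcdedit(?:\.exe)?\s+.*"
                r"(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
]

# Constructed sample records in a simple key=value|key=value form (assumed
# format, not real telemetry). Host WS01 shows the chain from the advisory
# launched by a single parent (ppid 2210); WS02 is benign admin activity
# that must not be flagged.
SAMPLE_LOG = """\
ts=2020-03-10T09:01:12Z|host=WS01|pid=4120|ppid=2210|image=C:\\Windows\\System32\\vssadmin.exe|cmd=vssadmin.exe delete shadows /all /quiet
ts=2020-03-10T09:01:13Z|host=WS01|pid=4130|ppid=2210|image=C:\\Windows\\System32\\bcdedit.exe|cmd=bcdedit /set {default} recoveryenabled no
ts=2020-03-10T09:01:13Z|host=WS01|pid=4131|ppid=2210|image=C:\\Windows\\System32\\bcdedit.exe|cmd=bcdedit /set {default} bootstatuspolicy ignoreallfailures
ts=2020-03-10T09:01:14Z|host=WS01|pid=4140|ppid=2210|image=C:\\Windows\\System32\\wbadmin.exe|cmd=wbadmin delete catalog -quiet
ts=2020-03-10T09:05:00Z|host=WS02|pid=7001|ppid=900|image=C:\\Windows\\System32\\vssadmin.exe|cmd=vssadmin list shadows
ts=2020-03-10T09:06:00Z|host=WS02|pid=7002|ppid=1500|image=C:\\Windows\\System32\\notepad.exe|cmd=notepad.exe C:\\Users\\bob\\readme.txt
"""


def parse_line(line):
    """Split one key=value|key=value record into a dict; None for junk lines."""
    fields = {}
    for part in line.strip().split("|"):
        key, sep, value = part.partition("=")
        if not sep:
            return None
        fields[key] = value
    return fields if "cmd" in fields and "host" in fields else None


def match_rules(cmdline):
    """Return the names of every rule the command line matches (case-insensitive)."""
    low = cmdline.lower()
    return [name for name, rx in RULES if rx.search(low)]


def detect(log_text):
    """Map each host to the recovery-inhibition events observed on it."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in match_rules(rec["cmd"]):
            findings[rec["host"]].append(
                {"rule": rule, "ppid": rec.get("ppid", "?"), "cmd": rec["cmd"]})
    return dict(findings)


def suspicious_parents(findings, min_rules=2):
    """Return {(host, ppid): set_of_rules} for parents that launched at least
    min_rules distinct recovery-inhibition steps. A lone vssadmin run may be an
    administrator; several different steps from one parent is the chain the
    advisory describes."""
    by_parent = defaultdict(set)
    for host, events in findings.items():
        for ev in events:
            by_parent[(host, ev["ppid"])].add(ev["rule"])
    return {key: rules for key, rules in by_parent.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for (host, ppid), rules in suspicious_parents(hits).items():
        print(f"ALERT host={host} parent_pid={ppid} steps={sorted(rules)}")
```

Running the block as a script prints one alert for WS01 (parent PID 2210 with all three steps) and nothing for WS02, where `vssadmin list shadows` matches no rule. In a real pipeline the same two functions would be fed from Sysmon Event ID 1 or Security Event ID 4688 records rather than the constructed sample, and the parent-process correlation is what keeps the rule from paging on routine administration.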


Impact

  • Downtime in business-critical operations.
  • Permanent loss of sensitive or confidential data.
  • Operational and financial loss to the business or individual.

Recommended Actions

  • Take system backups at regular intervals, and keep at least one copy offline or otherwise unreachable from the infected host: the attack chain above specifically destroys on-host recovery data (shadow copies, Recycle Bin), so local backups alone will not survive.
  • Disable remote services that are not needed, to limit the attack surface.
  • Disable or restrict task automation frameworks such as Windows PowerShell where they are not required.
  • Ensure that your devices are always up to date with the latest patches released.
  • Configure firewall, IDS/IPS and endpoint protection systems properly so that no gaps are left open.