A new “Pxj” ransomware has been observed. Also known as the “XVFXGW” ransomware, it performs functions common to most ransomware. First, the Recycle Bin is emptied using the SHEmptyRecycleBinW function. Next, a series of commands is executed to prevent recovery of data after encryption, specifically the deletion of volume shadow copies and the disabling of the Windows Error Recovery service. These are the commands executed by the ransomware.
After these tasks are complete, the encryption process begins. AES and RSA are used in combination for encryption. The name “Pxj” is derived from the extension that is appended to encrypted files. The alternative name, “XVFXGW,” is based on both the mutex that is created, “XVFXGW DOUBLE SET,” and the email addresses listed in the ransom note, “firstname.lastname@example.org” and “email@example.com”. With encryption complete, the ransom note is dropped as a file named “LOOK.txt” and requests that the user contact the operator via email to pay the ransom in exchange for the decryption key.
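The behaviours described above map directly onto host-level detection: recovery-tampering commands in process-creation telemetry, the “.Pxj” extension and “LOOK.txt” note on disk, and the “XVFXGW DOUBLE SET” mutex. The following triage script is an added example written for this page, not code from the original write-up or from any analysis tooling. The extension, note name and mutex are taken from the text; the process log, file paths and mutex list are constructed sample data; and because the write-up does not quote the actual recovery-tampering commands, the vssadmin/wmic/bcdedit/wbadmin patterns are an assumption based on the generic forms seen across ransomware families rather than Pxj’s exact strings.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# Indicators taken from the write-up above.
PXJ_EXTENSION = ".pxj"             # appended to encrypted files
RANSOM_NOTE_NAME = "look.txt"      # ransom note dropped after encryption
PXJ_MUTEX = "XVFXGW DOUBLE SET"    # mutex created by the sample

# Command-line patterns for the "prevent recovery" stage.
# ASSUMPTION: the write-up says shadow copies are deleted and Windows Error
# Recovery is disabled but does not quote the commands; these are the generic
# forms seen across ransomware families, not Pxj's exact strings.
RECOVERY_TAMPER_PATTERNS: Dict[str, re.Pattern] = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    "bcdedit_recovery_off": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I),
}

# Constructed sample telemetry (not real data). Log format is
# 'timestamp|pid|image|command line', an assumed layout for this example.
SAMPLE_PROCESS_LOG = [
    "2020-01-01T10:00:00|4120|explorer.exe|C:\\Windows\\explorer.exe",
    "2020-01-01T10:00:05|5008|cmd.exe|cmd.exe /c vssadmin.exe delete shadows /all /quiet",
    "2020-01-01T10:00:06|5010|cmd.exe|cmd.exe /c bcdedit /set {default} recoveryenabled no",
    "2020-01-01T10:00:07|5012|notepad.exe|notepad.exe report.txt",
    "malformed line without separators",
]
SAMPLE_PATHS = [
    "C:\\Users\\alice\\Documents\\budget.xlsx.pxj",
    "C:\\Users\\alice\\Documents\\LOOK.txt",
    "C:\\Users\\alice\\Pictures\\cat.jpg.Pxj",
    "C:\\Users\\alice\\Desktop\\notes.txt",
]
SAMPLE_MUTEXES = ["Local\\SomeAppMutex", "XVFXGW DOUBLE SET"]


@dataclass
class TriageResult:
    tamper_hits: List[str] = field(default_factory=list)  # "pattern @ line N"
    encrypted_files: int = 0
    ransom_notes: int = 0
    mutex_seen: bool = False

    @property
    def score(self) -> int:
        """Crude severity: one point per indicator class observed (0-4)."""
        return (int(bool(self.tamper_hits)) + int(self.encrypted_files > 0)
                + int(self.ransom_notes > 0) + int(self.mutex_seen))


def scan_process_log(lines: Iterable[str]) -> List[str]:
    """Return a label for every log line whose command line matches a
    recovery-tampering pattern. Malformed lines are skipped, not fatal."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split("|", 3)
        if len(parts) < 4:
            continue
        cmdline = parts[3]
        for name, pat in RECOVERY_TAMPER_PATTERNS.items():
            if pat.search(cmdline):
                hits.append(f"{name} @ line {n}")
    return hits


def classify_paths(paths: Iterable[str]) -> Counter:
    """Count files carrying the Pxj extension and dropped ransom notes,
    matching case-insensitively on the final path component."""
    counts = Counter()
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name.endswith(PXJ_EXTENSION):
            counts["encrypted"] += 1
        elif name == RANSOM_NOTE_NAME:
            counts["note"] += 1
    return counts


def triage(log_lines, paths, mutex_names) -> TriageResult:
    """Combine the three indicator sources into one result."""
    r = TriageResult()
    r.tamper_hits = scan_process_log(log_lines)
    c = classify_paths(paths)
    r.encrypted_files, r.ransom_notes = c["encrypted"], c["note"]
    r.mutex_seen = any(m.strip().upper() == PXJ_MUTEX for m in mutex_names)
    return r


if __name__ == "__main__":
    result = triage(SAMPLE_PROCESS_LOG, SAMPLE_PATHS, SAMPLE_MUTEXES)
    print(result, "score =", result.score)
```

The scoring is deliberately coarse: a single shadow-copy deletion by a backup tool is not proof of ransomware, but tamper commands followed within minutes by a burst of renamed files and a note in the same directory is the sequence the write-up describes, and that combination is what should page an analyst.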