Russian Threat Group CryptoBytes is Still Active in the Wild with UxCryptor

by Security News

The SonicWall Capture Labs threat research team has recently been analyzing malware from the CryptoBytes hacker group. UxCryptor is a ransomware strain associated with the CryptoBytes group, a financially motivated Russian cybercriminal organization. The group has been active since at least 2023 and is known for leveraging leaked ransomware builders to create and distribute its malware.

UxCryptor is part of a broader trend of ransomware families that use leaked builders, making it accessible to less technically skilled malware operators. It is often delivered alongside other malware types, such as Remote Access Trojans (RATs) or information stealers, to maximize the impact of an attack. The malware is designed to encrypt files on the victim's system, demanding payment in cryptocurrency for decryption.

UxCryptor has seen consistent activity since its emergence, with its usage peaking in 2024. Although the sample analyzed here appears to be an early version, it is still active in the wild.

Infection Cycle

Upon execution of the malware, the following three screens are displayed in quick succession:

Figure 1: Ransom screen 1

Figure 2: Ransom screen 2

A ransom note in Russian is displayed:

Figure 3: Ransom screen 3

Figure 4: Ransom screen translated

An additional ransom note is written to %USERPROFILE%\AppData\Local\Temp\$unlocker_id.ux-cryptobytes. It contains the following message:

Figure 5: Ransom note

The malware is written in .NET. Decompiling the code reveals a variety of anti-analysis methods.

It first attempts to kill explorer.exe:

Figure 6: Killing explorer.exe

It checks whether it is running inside sandboxes such as Sandboxie, Avast and Qihoo 360:

Figure 7: Sandbox detection

The code contains VMware and VirtualBox VM detection:

Figure 8: VM detection

Various programs such as Discord, Skype, Zoom and any browsers are killed if they are found to be running:

Figure 9: App killing

Various Windows system applications are prevented from starting up after login by deleting their corresponding registry keys:

Figure 10: Startup prevention

In this early version of the malware, no files were actually encrypted during our analysis. However, the encryption functionality is present in the code (Figure 11).
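The behaviour chain described above (ransom note dropped under %USERPROFILE%\AppData\Local\Temp, explorer.exe and user applications terminated, Run-key entries deleted) can be turned into a host-level detection. The following is an added example, not SonicWall's code or a Capture Labs signature; the event schema, field names and sample telemetry are assumptions constructed for illustration.

```python
"""Added example (not from the article): toy detector for the UxCryptor
behaviour chain, run over constructed Sysmon-style event records."""
import re
from collections import defaultdict

# Taken from the write-up: ransom note path/extension, killed apps, Run-key
# deletion. The event schema below is an assumption for this example.
NOTE_RE = re.compile(r"\\AppData\\Local\\Temp\\\$unlocker_id\.ux-cryptobytes$", re.I)
KILLED = {"explorer.exe", "discord.exe", "skype.exe", "zoom.exe",
          "chrome.exe", "firefox.exe", "msedge.exe"}
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Processes a user legitimately kills apps from (assumed allowlist).
BENIGN_ACTORS = {"taskmgr.exe"}

def classify(event):
    """Map one event to an indicator name, or None if it looks benign."""
    kind = event["type"]
    if kind == "file_create" and NOTE_RE.search(event["path"]):
        return "ransom_note_written"
    if (kind == "process_terminate" and event["target"].lower() in KILLED
            and event["actor"].lower() not in BENIGN_ACTORS):
        return "app_killed"
    if kind == "registry_delete" and RUN_KEY_RE.search(event["key"]):
        return "run_key_deleted"
    return None

def detect(events, threshold=2):
    """Group indicators per (host, acting process); flag a process that shows
    at least `threshold` distinct UxCryptor-like behaviours."""
    hits = defaultdict(set)
    for ev in events:
        ind = classify(ev)
        if ind:
            hits[(ev["host"], ev["actor"])].add(ind)
    return {k: sorted(v) for k, v in hits.items() if len(v) >= threshold}

# Constructed sample telemetry (not captured from a real infection).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process_terminate", "actor": "update.exe", "target": "explorer.exe"},
    {"host": "ws01", "type": "file_create", "actor": "update.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\$unlocker_id.ux-cryptobytes"},
    {"host": "ws01", "type": "registry_delete", "actor": "update.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"host": "ws02", "type": "process_terminate", "actor": "taskmgr.exe", "target": "chrome.exe"},
    {"host": "ws02", "type": "registry_delete", "actor": "regedit.exe",
     "key": r"HKCU\Software\Contoso\Settings"},
]

if __name__ == "__main__":
    for (host, actor), inds in detect(SAMPLE_EVENTS).items():
        print(f"{host}: {actor} -> {', '.join(inds)}")
```

Only ws01's update.exe trips all three indicators; the Task Manager kill and the unrelated registry deletion on ws02 are ignored.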

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: UXCryptor.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP with RTDMI and the Capture Client endpoint solutions.

An Article By

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.