
Russian CryptoBytes Hackers Exploit Windows Systems to Spread UxCryptor Ransomware


The SonicWall Capture Labs threat research team has identified ongoing activity from the Russian cybercriminal group CryptoBytes, which continues to deploy its ransomware strain, UxCryptor.

This financially motivated group has been active since at least 2023 and is known for utilizing leaked ransomware builders to create and distribute malware.

These tools lower the technical barrier for less skilled operators, enabling widespread attacks.

Threat Overview

UxCryptor is part of a broader trend in ransomware families leveraging leaked builders.

The malware is often delivered alongside other malicious software, such as Remote Access Trojans (RATs) and information stealers, to amplify the impact of an attack.

Once executed, UxCryptor encrypts files on the victim’s system and demands cryptocurrency payments for decryption.

Although the sample analyzed by SonicWall appears to be an early version, the malware remains active in the wild, with its peak activity observed in 2024.

Infection Cycle and Anti-Analysis Techniques

Upon execution, UxCryptor displays a series of ransom screens containing messages in Russian.

An additional ransom note is created in the directory %USERPROFILE%\AppData\Local\Temp\$unlocker_id.ux-cryptobytes, further detailing payment instructions.

[Figure: Ransom note]

The ransomware is written in .NET and employs multiple anti-analysis techniques to evade detection.

UxCryptor begins by terminating critical processes such as explorer.exe and checking for sandbox environments like Sandboxie, Avast, and Qihoo360.

It also includes mechanisms to detect virtualized environments such as VMware and VirtualBox.

If these environments are identified, the malware halts its operations to avoid analysis.

Additionally, UxCryptor targets commonly used applications like Discord, Skype, Zoom, and web browsers by forcibly shutting them down if they are running during execution.

To further disrupt system functionality, it deletes registry keys associated with essential Windows startup applications, preventing them from launching after a system reboot.
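The behaviours described above (the ransom note dropped under the user's Temp directory, the forced termination of explorer.exe and chat or browser applications, and the removal of startup entries) are individually noisy but telling in combination. The following Python hunt is an added example, not code from SonicWall or from this article: it runs over a constructed sample of endpoint telemetry and flags any process on a host that exhibits two or more of those behaviours, or that drops the `.ux-cryptobytes` note at all. The browser process names and the Run/RunOnce registry keys are assumptions, since the article does not name them.

```python
"""Hunt over constructed endpoint telemetry for the UxCryptor behaviours
described in the write-up: ransom note in %TEMP%, termination of
explorer.exe and user applications, and removal of startup entries."""
import re
from collections import defaultdict

# Ransom note name as given in the write-up; the profile prefix is matched
# loosely so any user account is covered.
RANSOM_NOTE_RE = re.compile(
    r"\\AppData\\Local\\Temp\\[^\\]*\.ux-cryptobytes$", re.IGNORECASE)

# Processes the write-up says UxCryptor forcibly stops. The browser
# executable names are an assumption (the article only says "web browsers").
KILLED_PROCESSES = {
    "explorer.exe", "discord.exe", "skype.exe", "zoom.exe",
    "chrome.exe", "msedge.exe", "firefox.exe",
}

# Assumption: the "startup application" keys are the standard Run/RunOnce
# keys; the write-up does not name the exact keys that are deleted.
STARTUP_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# Constructed sample telemetry (not real logs). Each record carries the host,
# the acting process, a coarse event type and the object the event touched.
SAMPLE_EVENTS = [
    {"host": "WS01", "actor": r"C:\Users\alice\Downloads\setup.exe",
     "event": "FILE_CREATE",
     "object": r"C:\Users\alice\AppData\Local\Temp\$unlocker_id.ux-cryptobytes"},
    {"host": "WS01", "actor": r"C:\Users\alice\Downloads\setup.exe",
     "event": "PROCESS_TERMINATE", "object": "explorer.exe"},
    {"host": "WS01", "actor": r"C:\Users\alice\Downloads\setup.exe",
     "event": "PROCESS_TERMINATE", "object": "Discord.exe"},
    {"host": "WS01", "actor": r"C:\Users\alice\Downloads\setup.exe",
     "event": "REGISTRY_DELETE",
     "object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    # Benign noise on another host: a user closing Zoom and an installer
    # writing an ordinary temp file. Neither should be flagged.
    {"host": "WS02", "actor": r"C:\Windows\explorer.exe",
     "event": "PROCESS_TERMINATE", "object": "Zoom.exe"},
    {"host": "WS02", "actor": r"C:\Users\bob\setup.exe",
     "event": "FILE_CREATE",
     "object": r"C:\Users\bob\AppData\Local\Temp\install.log"},
]


def classify(event):
    """Return the UxCryptor-like behaviour an event matches, or None."""
    kind, obj = event["event"], event["object"]
    if kind == "FILE_CREATE" and RANSOM_NOTE_RE.search(obj):
        return "ransom_note"
    if kind == "PROCESS_TERMINATE" and obj.lower() in KILLED_PROCESSES:
        return "app_kill"
    if kind == "REGISTRY_DELETE" and STARTUP_KEY_RE.search(obj):
        return "startup_removed"
    return None


def hunt(events, min_behaviours=2):
    """Group matches by (host, actor) and report actors that show at least
    min_behaviours distinct behaviours, or that dropped the ransom note.
    One killed application is ordinary user activity; the combination is
    what makes a single process suspicious."""
    seen = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            seen[(ev["host"], ev["actor"])].add(tag)
    return {key: sorted(tags) for key, tags in seen.items()
            if len(tags) >= min_behaviours or "ransom_note" in tags}


if __name__ == "__main__":
    for (host, actor), tags in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {actor} -> {', '.join(tags)}")
```

On the sample above only the `setup.exe` process on WS01 is reported, with all three behaviours; the Zoom closure on WS02 is a single low-confidence match and is dropped. Feeding real telemetry means mapping your EDR or Sysmon fields onto the `host`/`actor`/`event`/`object` shape used here.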

While no files were encrypted during SonicWall’s analysis of this early version of UxCryptor, the encryption functionality is present within the codebase.

The malware’s ability to disable key system processes and applications highlights its potential for significant disruption.

SonicWall provides protection against this threat through its signature GAV: UXCryptor.RSM (Trojan), as well as through advanced solutions like Capture ATP with Real-Time Deep Memory Inspection (RTDMI) and Capture Client endpoint security.

The persistence of CryptoBytes underscores the importance of robust security measures for organizations worldwide.

Businesses are advised to maintain updated security solutions, monitor for suspicious activity, and implement best practices for ransomware prevention to mitigate risks associated with evolving threats like UxCryptor.
