The Russian cybercriminal group CryptoBytes has intensified its ransomware campaigns using a modified version of the UxCryptor malware, according to new findings from SonicWall’s Capture Labs threat research team.
This financially motivated group, active since at least 2023, leverages leaked ransomware builders to target Windows systems globally.
Recent attacks showcase advanced anti-analysis techniques designed to evade detection. These methods make it difficult for security researchers to track and analyze the malware.
In addition to technical measures, researchers at SonicWall noted that the attackers use psychological pressure tactics to intimidate victims and pressure them into making cryptocurrency payments, increasing the effectiveness of their extortion schemes.
The UxCryptor ransomware runs a multi-stage sequence that begins with three consecutive ransom screens written in Russian.
A translated version demands payment through Telegram (@yes_u_are_hacked), and a persistent ransom note is left at %USERPROFILE%\AppData\Local\Templ\$unlocker_id.ux-cryptobytes.
The .NET-based malware opens its destructive routine by forcibly terminating Windows Explorer through a taskkill command (the decompiled excerpt below has been given the catch block the original try was missing):
// Interaction.Shell is the VB.NET Shell() helper from Microsoft.VisualBasic
// (using Microsoft.VisualBasic;). AppWinStyle 0 is Hide, so no console window
// is shown; wait=false and timeout=-1 mean the call returns immediately.
public void KillExplorer() {
    try {
        Interaction.Shell("taskkill.exe /im Explorer.exe /f", (AppWinStyle)0, false, -1);
    }
    catch (Exception) {
        // any failure (e.g. Explorer already gone) is swallowed silently
    }
}
This cripples the user interface while the malware executes background processes.
Its evasion routine starts with an environment check against a list of DLLs that popular sandboxes and antivirus emulators inject into the processes they monitor; finding any of them loaded is a sign the sample is being analysed:
// modules whose presence in the malware's own process betrays an analysis environment
string[] array = new string[5] {
    "SbieDll.dll",   // Sandboxie
    "SxIn.dll",      // Qihoo 360 sandbox
    "Sf2.dll",       // Avast sandbox
    "snxhk.dll",     // Avast
    "cmdvrt32.dll"   // Comodo sandbox
};
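The DLL list, the taskkill command and the ransom artefacts are all string literals, and .NET stores string literals in the assembly's #US heap as UTF-16LE, so an analyst can usually recover them with a strings -el style scan before running anything. The script below is an added example, not SonicWall's tooling: it pulls UTF-16LE strings out of a blob and matches them against the indicators quoted in this article. The sample bytes it scans are constructed here to stand in for a real binary, and the "three or more sandbox DLL names" threshold is an arbitrary choice for the illustration.

```python
"""Static string triage of a .NET sample for the UxCryptor indicators quoted
in this article.  Added example (not SonicWall's tooling).  The sample bytes
are CONSTRUCTED; the indicator lists are taken from the article."""
import re

# DLLs the malware looks for, and the sandbox/AV product that injects each
SANDBOX_DLLS = {
    "SbieDll.dll": "Sandboxie",
    "SxIn.dll": "Qihoo 360 sandbox",
    "Sf2.dll": "Avast sandbox",
    "snxhk.dll": "Avast",
    "cmdvrt32.dll": "Comodo sandbox",
}
RANSOM_INDICATORS = ("@yes_u_are_hacked", ".ux-cryptobytes", "/im Explorer.exe /f")


def utf16le_strings(blob, min_len=6):
    """Printable UTF-16LE runs of at least min_len chars (ASCII byte followed by 0x00)."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(blob)]


def triage(blob):
    """Report sandbox-evasion strings and ransom artefacts found in the blob."""
    found = utf16le_strings(blob)
    sandbox_hits = {s: SANDBOX_DLLS[s] for s in found if s in SANDBOX_DLLS}
    ransom_hits = [s for s in found if any(ind in s for ind in RANSOM_INDICATORS)]
    return {
        "is_dotnet": b"BSJB" in blob,   # CLR metadata root signature
        "sandbox_dlls": sandbox_hits,
        "ransom_strings": ransom_hits,
        # several sandbox DLL names together is itself a strong evasion tell
        "suspicious": len(sandbox_hits) >= 3 or bool(ransom_hits),
    }


def build_constructed_sample():
    """CONSTRUCTED stand-in for a sample: a fake header plus #US-heap-style
    entries (1-byte length prefix, UTF-16LE text, trailing flag byte)."""
    parts = [b"MZ\x90\x00" + b"\x00" * 12 + b"BSJB" + b"\x01\x00\x01\x00"]
    for s in list(SANDBOX_DLLS) + ["taskkill.exe /im Explorer.exe /f",
                                   "@yes_u_are_hacked", ".ux-cryptobytes"]:
        data = s.encode("utf-16-le")
        parts.append(bytes([len(data) + 1]) + data + b"\x00")
    return b"".join(parts)


if __name__ == "__main__":
    for key, value in triage(build_constructed_sample()).items():
        print(f"{key}: {value}")
```

This only works on a build whose literals are stored in the clear; a packed or string-obfuscated variant (the anti-analysis measures the article mentions) has to be unpacked or dumped from memory first, after which the same scan applies to the dump.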
The malware then systematically terminates communication and collaboration applications, including Discord, Skype, Zoom and web browsers, to cut the victim off from help (Figure 2). The disruption is made persistent through registry manipulation:
// RegistryKey comes from Microsoft.Win32 (using Microsoft.Win32;). The four keys are
// opened elsewhere in the sample; the decompiled excerpt only shows their use.
RegistryKey[] array = new RegistryKey[4] {
    // Run, RunOnce, Winlogon, and RunMRU registry keys
};
// the one-argument DeleteValue overload throws if the value does not exist
array[0].DeleteValue("WindowsInstaller");
array[1].DeleteValue("System3264Wow");
Removing these autostart values stops the affected utilities from launching automatically and hampers standard recovery steps.
Although the encryption routine in the analysed sample was not functional, operational versions use AES-256-CBC with a hard-coded key:
// 32-byte (256-bit) AES key embedded in the binary; truncated here
byte[] key = new byte[32] { 82, 102, 104, 110, 32, 77, 24, 34, 118, 181, 51, 17, 18, 51, 12, 109, ... };
// 16-byte IV derived from a string by smethod_7, an obfuscated helper
byte[] iV = smethod_7(Encoding.Unicode.GetBytes(string_1));
Files are encrypted with an encryptor obtained from SymmetricAlgorithm.CreateEncryptor() and renamed with a .ux-cryptobytes extension. Because the key is embedded in the binary rather than generated per victim, anyone with a copy of the sample can recover it.
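Each behaviour described above (the forced Explorer kill, the sweep of communication apps, the deletion of Run/RunOnce/Winlogon/RunMRU values, the note under AppData\Local\Templ and the .ux-cryptobytes files) leaves a distinct telemetry trail. The detector below is an added example, not SonicWall's signatures: it runs those rules over Sysmon-style events and then correlates them per responsible process. Field names follow Sysmon (EventID 1 process create, 11 file create, 12 registry object delete with EventType DeleteValue), but every event in SAMPLE_EVENTS is constructed for this illustration, and the "two or more comms apps" and "Explorer kill plus two further rules" thresholds are choices made here to keep false positives down.

```python
"""Detection logic for the UxCryptor behaviours described in this article,
run over CONSTRUCTED Sysmon-style events.  Added example, not SonicWall's
signatures."""
import json
import re
from collections import defaultdict

COMMS_APPS = {"discord.exe", "skype.exe", "zoom.exe",
              "chrome.exe", "firefox.exe", "msedge.exe"}

# key paths named in the article, matched as lower-cased substrings of TargetObject
AUTOSTART_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\",
                  "\\currentversion\\winlogon\\", "\\explorer\\runmru\\")
RANSOM_EXT = ".ux-cryptobytes"
NOTE_DIR = "\\appdata\\local\\templ\\"


def load_events(jsonl):
    return [json.loads(line) for line in jsonl.strip().splitlines()]


def killed_image(cmdline):
    """Lower-cased target of a taskkill /im switch, or None."""
    m = re.search(r"/im\s+(\S+)", cmdline, re.IGNORECASE)
    return m.group(1).lower() if m else None


def detect(events):
    """Return (rule, pid) tuples; pid is the process held responsible."""
    alerts = []
    comms_kills = defaultdict(set)   # parent pid -> comms apps it killed
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1 and ev.get("Image", "").lower().endswith("\\taskkill.exe"):
            cmd = ev.get("CommandLine", "")
            target = killed_image(cmd)
            forced = "/f" in cmd.lower().split()
            if target == "explorer.exe" and forced:
                alerts.append(("explorer_killed", ev["ParentProcessId"]))
            elif target in COMMS_APPS:
                comms_kills[ev["ParentProcessId"]].add(target)
        elif eid == 12 and ev.get("EventType") == "DeleteValue":
            obj = ev.get("TargetObject", "").lower()
            if any(key in obj for key in AUTOSTART_KEYS):
                alerts.append(("autostart_value_deleted", ev["ProcessId"]))
        elif eid == 11:
            path = ev.get("TargetFilename", "").lower()
            if path.endswith(RANSOM_EXT):
                rule = "ransom_note_dropped" if NOTE_DIR in path else "encrypted_file_written"
                alerts.append((rule, ev["ProcessId"]))
    for pid, apps in comms_kills.items():
        if len(apps) >= 2:           # one kill is routine admin work; a sweep is not
            alerts.append(("comms_apps_killed", pid))
    return alerts


def is_uxcryptor_like(alerts):
    """True when a single process kills Explorer and trips two further rules."""
    by_pid = defaultdict(set)
    for rule, pid in alerts:
        by_pid[pid].add(rule)
    return any("explorer_killed" in rules and len(rules) >= 3 for rules in by_pid.values())


# CONSTRUCTED events: pid 4120 plays the ransomware, pid 900 is benign noise
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessId": 5012, "ParentProcessId": 4120, "Image": "C:\\Windows\\System32\\taskkill.exe", "CommandLine": "taskkill.exe /im Explorer.exe /f"}
{"EventID": 1, "ProcessId": 5020, "ParentProcessId": 4120, "Image": "C:\\Windows\\System32\\taskkill.exe", "CommandLine": "taskkill.exe /im Discord.exe /f"}
{"EventID": 1, "ProcessId": 5024, "ParentProcessId": 4120, "Image": "C:\\Windows\\System32\\taskkill.exe", "CommandLine": "taskkill.exe /im chrome.exe /f"}
{"EventID": 12, "ProcessId": 4120, "EventType": "DeleteValue", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsInstaller"}
{"EventID": 12, "ProcessId": 4120, "EventType": "DeleteValue", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\System3264Wow"}
{"EventID": 11, "ProcessId": 4120, "TargetFilename": "C:\\Users\\victim\\AppData\\Local\\Templ\\7c1f9e.ux-cryptobytes"}
{"EventID": 11, "ProcessId": 4120, "TargetFilename": "C:\\Users\\victim\\Documents\\q3-report.docx.ux-cryptobytes"}
{"EventID": 1, "ProcessId": 6100, "ParentProcessId": 900, "Image": "C:\\Windows\\System32\\taskkill.exe", "CommandLine": "taskkill.exe /im notepad.exe"}
{"EventID": 12, "ProcessId": 900, "EventType": "DeleteValue", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\Local Settings\\MuiCache\\Foo"}
"""

if __name__ == "__main__":
    found = detect(load_events(SAMPLE_EVENTS))
    for rule, pid in found:
        print(f"{rule:26s} pid={pid}")
    print("UxCryptor-like:", is_uxcryptor_like(found))
```

The per-process correlation is what makes this usable: a help-desk script that kills a hung Explorer, or a user who deletes a stale Run entry, trips one rule on its own, whereas the sequence in the article trips the Explorer kill, the autostart deletions and the file writes from the same process within seconds.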
SonicWall’s Capture ATP with RTDMI and Capture Client solutions currently block UxCryptor variants through behavioral analysis signatures. Security teams recommend immediate patching of Windows systems and network segmentation to contain potential outbreaks.
As of February 2025, CryptoBytes continues refining UxCryptor’s capabilities, with SonicWall observing increased attack frequency against SMBs in Eastern Europe. The group’s use of leaked ransomware tools lowers the technical barrier for entry, suggesting potential franchise-style operations.