Friday, February 21, 2025
Russian CryptoBytes Hackers Target Windows Machines with UxCryptor Ransomware

The SonicWall Capture Labs threat research team has identified continued activity from the Russian cybercriminal group CryptoBytes, which has been active since at least 2023.

This financially motivated group is leveraging a ransomware strain named UxCryptor, which has gained notoriety for its reliance on leaked ransomware builders.

These tools lower the technical barrier for malware operators, enabling even less-skilled actors to deploy sophisticated attacks.

UxCryptor is designed to encrypt files on victim systems and demand cryptocurrency payments for decryption, following the typical ransomware playbook.

Since its emergence, UxCryptor has been used in conjunction with other malware, such as Remote Access Trojans (RATs) and information stealers, to maximize the impact of attacks.

The malware saw its peak activity in 2024 but remains active in 2025.

The SonicWall team’s analysis of an early UxCryptor sample documents its anti-analysis checks and system-disruption behaviour; notably, this particular sample did not encrypt any files during the study.

Infection Cycle and Technical Details

Upon execution, UxCryptor displays a series of ransom screens in quick succession, including a ransom note written in Russian.

[Figure: UxCryptor ransom screen, translated]

The malware also generates an additional ransom note saved to the victim’s system at %USERPROFILE%\AppData\Local\Temp\$unlocker_id.ux-cryptobytes.

The note demands payment in cryptocurrency and gives instructions for recovering the supposedly encrypted files.

The malware is written in .NET and employs several anti-analysis methods to evade detection.

It attempts to terminate explorer.exe and checks for analysis and security tooling such as Sandboxie, Avast, and Qihoo 360.

Additionally, it includes virtual machine detection mechanisms targeting VMware and VirtualBox environments.

[Figure: UxCryptor VM detection routine]

To further disrupt system functionality, UxCryptor kills applications such as Discord, Skype, Zoom, and web browsers if they are running during the infection process.

It also stops various Windows applications from launching at login by deleting their autostart registry entries.

Despite these capabilities, the analyzed version of UxCryptor did not encrypt files during testing.

However, the encryption functionality is present in the codebase, indicating that future or alternate versions could execute full-scale ransomware attacks.
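Because the analysed sample never encrypts anything, a file-entropy or mass-rename detector would miss it; the behaviours the write-up does describe (a ransom note dropped in the user's Temp folder, termination of explorer.exe and chat/browser processes, deletion of autostart registry entries) are what an endpoint rule should key on. The following is an added example, written for this page and not SonicWall's or the malware's code: a small Python triage routine that groups Sysmon-style events by originating process and flags any process exhibiting at least two of those indicators. The event dictionaries, field names, process list and the assumption that the registry deletions target Run/RunOnce values are all constructed for illustration; the page itself only says "registry keys".

```python
"""Behavioural triage for the UxCryptor traits described in the write-up.

Added example, not code from SonicWall or the CryptoBytes actor. Events are
constructed, Sysmon-like dicts; the field names are assumptions for illustration.
"""
import re
from collections import defaultdict

# Ransom note path from the write-up: %USERPROFILE%\AppData\Local\Temp\<id>.ux-cryptobytes
RANSOM_NOTE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.ux-cryptobytes$", re.IGNORECASE)

# Processes the sample is reported to terminate. "Web browsers" is expanded to
# three common image names here; that expansion is an assumption, not from the page.
KILL_TARGETS = {"explorer.exe", "discord.exe", "skype.exe", "zoom.exe",
                "chrome.exe", "firefox.exe", "msedge.exe"}

# Autostart locations (assumption: the page only says "associated registry keys").
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?(\\|$)", re.IGNORECASE)

MIN_INDICATORS = 2  # a single kill or a single Run-value deletion is routine; two traits together is not


def triage(events):
    """Return {pid: {"image": ..., "indicators": [...]}} for processes matching
    at least MIN_INDICATORS distinct UxCryptor behaviours.

    Each event: {"pid": int, "image": str, "type": str, ...type-specific fields}
      file_create      -> "path"
      process_terminate-> "target" (image name of the killed process)
      registry_delete  -> "key"  (full key/value path)
    """
    hits = defaultdict(set)
    images = {}
    for ev in events:
        pid = ev["pid"]
        images[pid] = ev["image"]
        kind = ev["type"]
        if kind == "file_create" and RANSOM_NOTE_RE.search(ev["path"]):
            hits[pid].add("ransom_note_in_temp")
        elif kind == "process_terminate" and ev["target"].lower() in KILL_TARGETS:
            hits[pid].add("kills_user_apps")
        elif kind == "registry_delete" and RUN_KEY_RE.search(ev["key"]):
            hits[pid].add("removes_autostart")
    return {pid: {"image": images[pid], "indicators": sorted(ind)}
            for pid, ind in hits.items() if len(ind) >= MIN_INDICATORS}


# Constructed sample telemetry: one suspicious process plus two benign look-alikes.
SUSPECT = r"C:\Users\alice\Downloads\unlocker.exe"  # constructed name, not an IOC
SAMPLE_EVENTS = [
    {"pid": 4120, "image": SUSPECT, "type": "file_create",
     "path": r"C:\Users\alice\AppData\Local\Temp\7f3a9c.ux-cryptobytes"},  # constructed id
    {"pid": 4120, "image": SUSPECT, "type": "process_terminate", "target": "explorer.exe"},
    {"pid": 4120, "image": SUSPECT, "type": "process_terminate", "target": "Discord.exe"},
    {"pid": 4120, "image": SUSPECT, "type": "registry_delete",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    # benign: an uninstaller removing its own Run value (one indicator only)
    {"pid": 5522, "image": r"C:\Program Files\Foo\uninstall.exe", "type": "registry_delete",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Foo"},
    # benign: a user ending a hung browser from Task Manager (one indicator only)
    {"pid": 6010, "image": r"C:\Windows\System32\Taskmgr.exe", "type": "process_terminate",
     "target": "chrome.exe"},
]

if __name__ == "__main__":
    for pid, info in triage(SAMPLE_EVENTS).items():
        print(f"PID {pid} ({info['image']}): {', '.join(info['indicators'])}")
```

The two-indicator threshold is the important design choice: each behaviour on its own is common in benign software (installers edit Run keys, users kill browsers), so the rule fires only on the combination, which is what distinguishes this sample from normal activity.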

Mitigation and Protection

SonicWall provides protection against UxCryptor through multiple layers of security solutions.

The threat is detected by the signature GAV: UXCryptor.RSM (Trojan) and is mitigated by SonicWall Capture ATP with Real-Time Deep Memory Inspection (RTDMI) as well as Capture Client endpoint protection solutions.

Organizations are advised to keep security systems updated and to rely on behavioural endpoint detection rather than file-encryption heuristics alone, since this sample's observable traits are process termination, a ransom note dropped in the Temp folder, and deletion of autostart registry entries rather than encryption.

CryptoBytes’ use of leaked ransomware builders highlights a concerning trend in cybercrime: the democratization of advanced attack tools that make it easier for less-skilled actors to launch damaging campaigns.

As this threat evolves, proactive threat intelligence and layered defenses remain critical for mitigating risks posed by ransomware like UxCryptor.

Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
