Ransomware Research

VXUG Ransomware

VXUG is a ransomware strain that encrypts victim files and demands a ransom payment for decryption. It was first observed in the wild on November 1, 2023 and has since been seen targeting systems worldwide. Security researchers also track this malware under the alias Vx-underground; the contact address embedded in the encrypted-file extension (staff@vx-underground.org) is the likely origin of that name.

Quick Facts

Ransomware family: VXUG
First seen: November 1, 2023
Known aliases: Vx-underground

How VXUG Ransomware Works

Targeted Files

Encrypted files are renamed by appending three components to the original file name: an ID block, a contact e-mail address in brackets, and the .VXUG suffix. The full extension recorded for this sample:

.id[C63F241F-6666].[staff@vx-underground.org].VXUG

A file named budget.xlsx would therefore become budget.xlsx.id[C63F241F-6666].[staff@vx-underground.org].VXUG. The ID and contact address are the values observed in this sample; they may differ between victims or campaigns.

File Encryption Patterns

VXUG marks encrypted files with a fixed suffix. File extension added after encryption:

.VXUG

Ransom Note and Payment Demands

After encrypting files, VXUG drops ransom notes demanding payment for file recovery. Three note files are recorded for this strain; the "Ransom message" entry is the site's copy of the note text and is not reproduced on this page.

Buy Black Mass Volume II.hta
  Ransom message: notes/Buy Black Mass Volume II.hta
  Note locations: Root, Discs, Desktop

Buy Black Mass Volume I.txt
  Ransom message: notes/Buy Black Mass Volume I.txt
  Note locations: Root, Discs, Desktop

how_to_decrypt.hta
  Ransom message: notes/how_to_decrypt.hta
  Note locations: Every folder

Technical Indicators

Associated Executable Files

The following executable files are associated with VXUG ransomware:

  • AntiRecuvaAndDB.exe
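The indicators above (the encrypted-file extension, the three ransom note names and the associated executable) can be turned into a simple triage sweep over a file listing. The script below is an added example written for this page; it is not Elastio's detection logic or code from any project. It assumes the ID block and contact address in the extension vary between victims (so the pattern matches the general shape rather than the literal values), matches the executable by file name only, and runs over a constructed listing rather than data captured from a real host.

```python
import re
from pathlib import PureWindowsPath

# Full extension recorded on the page for this sample:
#   .id[C63F241F-6666].[staff@vx-underground.org].VXUG
# ASSUMPTION: the ID block and contact address vary between victims/campaigns,
# so the pattern is written for the general shape rather than the literal values.
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)"                          # original name, e.g. budget.xlsx
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-\d+)\]"   # .id[C63F241F-6666]
    r"\.\[(?P<contact>[^\]\s]+@[^\]\s]+)\]"        # .[staff@vx-underground.org]
    r"\.VXUG$",
    re.IGNORECASE,
)

# Ransom note file names listed on the page (compared case-insensitively).
RANSOM_NOTES = {
    "buy black mass volume ii.hta",
    "buy black mass volume i.txt",
    "how_to_decrypt.hta",
}

# Executable associated with the strain on the page (name match only).
ASSOCIATED_EXECUTABLES = {"antirecuvaanddb.exe"}


def classify(path: str):
    """Return (kind, detail) for one path.

    kind is one of "encrypted", "note", "executable", "clean".
    PureWindowsPath accepts both '\\' and '/' separators, so listings
    exported from a live Windows host or a mounted image both work.
    """
    name = PureWindowsPath(path).name
    lowered = name.lower()

    m = ENCRYPTED_NAME.match(name)
    if m:
        return "encrypted", {
            "path": path,
            "original": m.group("original"),
            "victim_id": m.group("victim_id"),
            "contact": m.group("contact"),
        }
    # Edge case: a bare .VXUG suffix without the ID/contact blocks still counts
    # as encrypted, but the fields we could not parse are reported as None
    # rather than guessed.
    if lowered.endswith(".vxug"):
        return "encrypted", {
            "path": path,
            "original": name[: -len(".VXUG")],
            "victim_id": None,
            "contact": None,
        }
    if lowered in RANSOM_NOTES:
        return "note", name
    if lowered in ASSOCIATED_EXECUTABLES:
        return "executable", name
    return "clean", name


def sweep(paths):
    """Group a file listing by indicator type."""
    summary = {"encrypted": [], "note": [], "executable": [], "clean": []}
    for p in paths:
        kind, detail = classify(p)
        summary[kind].append(detail)
    return summary


def is_likely_infected(summary) -> bool:
    """Heuristic verdict: renamed files together with a dropped note, or the
    associated executable on its own, is enough to escalate. A note by itself
    is not, since note files are often copied around during triage."""
    if summary["executable"]:
        return True
    return bool(summary["encrypted"]) and bool(summary["note"])


# Constructed sample listing (not captured from a real host).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.id[C63F241F-6666].[staff@vx-underground.org].VXUG",
    r"C:\Users\alice\Documents\how_to_decrypt.hta",
    r"C:\Users\alice\Desktop\Buy Black Mass Volume II.hta",
    r"C:\Users\alice\Desktop\Buy Black Mass Volume I.txt",
    r"C:\Users\alice\Desktop\notes.txt",
    r"C:\ProgramData\AntiRecuvaAndDB.exe",
    r"C:\Users\alice\Pictures\cat.jpg",
]

if __name__ == "__main__":
    result = sweep(SAMPLE_LISTING)
    for kind in ("encrypted", "note", "executable"):
        print(f"{kind:10s} {len(result[kind])}")
    print("likely infected:", is_likely_infected(result))
```

Feed it the output of a recursive directory listing (for example `dir /s /b` exported from the affected host). The parsed victim ID and contact address are worth recording per host: if they differ across machines in the same incident, the attacker is tracking victims individually and a single decryptor, if one is ever obtained, may not cover all of them.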

Elastio Can Help You

Don't let VXUG ransomware take over your data

Elastio provides advanced ransomware protection and recovery solutions to keep your organization safe.

About This Analysis

This VXUG ransomware analysis is part of Elastio's ransomware detection database, which helps organizations defend against and recover from ransomware attacks like VXUG.

Last updated: July 30, 2025