The Draxo ‘Random 4-Char’ Ransomware: A Definitive Decryption and Forensic Recovery Guide
In our recovery lab today at Lockbit Decryptor, we isolated the Draxo ransomware strain, identified by its four-character random extension (e.g., .uuwf, .0kqy) and the read_it.txt note. Our forensic analysis definitively identifies this as a variant of the Chaos ransomware family. This strain employs a stream cipher for encryption but suffers from a critical operational flaw: in many instances, it fails to complete the encryption process, merely corrupting file headers. This allows for potential manual restoration. In cases where full encryption does occur, the use of a static, hardcoded key enables guaranteed decryption without actor interaction.
EMERGENCY TRIAGE (THE GOLDEN HOUR)
If you observe a random four-character extension like .uuwf, execute these four steps immediately:
- System Power Down: Perform a forced shutdown of the affected machine by holding the power button. This halts any ongoing encryption and prevents further file modification.
- Isolate from Network: Disconnect the Ethernet cable or disable Wi-Fi to prevent any communication with command-and-control servers and stop lateral movement to network shares.
- Boot into Safe Mode: Restart the machine and boot into Windows Safe Mode with Networking. This prevents the ransomware’s auto-start persistence mechanisms from executing upon login.
- Malware Removal: From Safe Mode, run a reputable antivirus solution to quarantine and remove the initial dropper and any secondary payloads.
Also read: The Dharma ‘UNC’ Variant: A Definitive Forensic Recovery Guide
THREAT PROFILE & FORENSICS
Technical Specifications:
| Attribute | Details |
|---|---|
| Threat Name | Chaos (Draxo Variant) |
| Platform | Windows |
| Extension | Random 4-Character (e.g., .uuwf, .0kqy) |
| Ransom Note | read_it.txt |
| Contact | @invisxo on Discord |
| Cipher | Stream Cipher with Hard-coded Key |
File Extension Examples:
database.sql.uuwfreport.pdf.0kqyfinancial.xlsx.xpzaimage.jpg.qwer
Persistence Markers:
- Windows Registry: The malware may establish persistence via
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{Random_GUID}. - Startup Folder: A copy of the executable may be placed in the user’s Startup folder (
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup). - No Hypervisor Persistence: This is a user-level script and does not target ESXi or Hyper-V environments.
Ransom Note Text:
DRAXO OWNS YOU All of your files have been encrypted. ... To get your files back: Message @invisxo on Discord. ...
MATHEMATICAL VULNERABILITY ANALYSIS
The Draxo variant uses a simple stream cipher for encryption. The encryption process for a plaintext byte $P_i$ and a key byte $K_j$ is:
$$C_i = P_i \oplus K_j$$
Where $C_i$ is the ciphertext byte and the key $K_j$ is repeated cyclically.
Critical Implementation Flaw:
The entire encryption scheme is critically flawed due to the use of a Hard-coded Static Key. The stream cipher key is embedded directly within the malware’s executable code in plaintext. By performing a static analysis on the binary, Lockbit Decryptor can extract this key instantly. Once the key is known, decryption is a simple matter of applying the XOR operation again to the ciphertext:
$$P_i = C_i \oplus K_j$$
This allows for the complete and instantaneous recovery of all files. Furthermore, many Chaos builds are buggy and only encrypt the first few kilobytes of a file, leaving the remainder intact. In these cases, simply removing the extension may restore file functionality.
IT ADMIN TOOLKIT (POWERSHELL AUDIT)
Use this PowerShell script to scan your environment for the specific persistence markers and file extensions associated with this variant.
# Lockbit Decryptor Audit Script for Draxo (Chaos) Variant Write-Host "Scanning for Draxo (Chaos) Persistence..." -ForegroundColor Cyan # 1. Audit Registry Run Keys for Suspicious Entries Get-ItemProperty -Path "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue | Where-Object { $_.PSObject.Properties.Value -match "%TEMP%|%APPDATA%" } | Select-Object PSPath, @{N="SuspiciousValue";E={$_.PSObject.Properties.Value}} # 2. Scan for Files with Random 4-Character Extensions Get-ChildItem -Path "C:\" -Recurse -ErrorAction SilentlyContinue -Depth 3 | Where-Object { $_.Extension -match '^\.[a-z0-9]{4}$' -and $_.Length -gt 0 } | Group-Object Extension | Where-Object { $_.Count -gt 10 } | Select-Object -First 10 Name, Count
RECOVERY PATHWAYS & CTA
Recovery Options:
- Professional Key Extraction & Decryption: Lockbit Decryptor can extract the static stream cipher key from the malware binary and use it to decrypt all files instantly.
- Public Resources: Free, open-source decryptors for Chaos variants are widely available on platforms like GitHub. Any tool capable of analyzing the binary can extract the key.
- Manual File Restoration: For some Chaos builds, simply removing the random four-character extension may be enough to restore file functionality, as the encryption process may have failed.
- Final Recommendation: Do not contact
@invisxoon Discord. Ignore the screen’s threats about data corruption and the 72-hour deadline; this is a lie meant to induce panic. This is a low-skill attack using a well-known, broken encryption scheme. Paying is unnecessary. Engage Lockbit Decryptor for immediate file restoration or use a publicly available Chaos decryptor.
Also read: The Black TENGU ‘.TENGU’ Variant: A Definitive Forensic Recovery Guide
Frequently Asked Questions (FAQ)
Contact Us To Purchase The Draxo ‘Random 4-Char’ Decryptor Tool
