A new variant of the CryptXXX ransomware has been found, and it includes a handful of new capabilities, such as a function that prevents the use of free decryption tools.
The CryptXXX family of ransomware may not be as well known as strains like TeslaCrypt or CryptoLocker, but it is having some success of its own. The new variant discovered by researchers at SentinelOne already has made the attackers more than $50,000, and it has fixed a problem with its encryption protocol that allowed third-party decryption tools to work on infected machines.
“The victim’s files are encrypted using a combination of RSA and RC4. The encrypted versions of the files have a file extension of .cryp1. The previous version of CryptXXX used .crypz and the version before that used .crypt. Also, previous versions had a flaw in how they implemented the encryption which allowed certain tools to decrypt the files without having to pay the ransom. However, this version does not have this flaw,” the SentinelOne analysis says.
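The three extensions in the analysis give defenders a cheap host-side signal. The following is an added example (not code from the article or from SentinelOne) that runs a burst detector over constructed file-creation events: it flags a host that writes many files with a CryptXXX extension in a short window and reports, per the article, whether that version's flawed encryption might still be recoverable with free tools. The log format, hostnames and paths are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
LOG_RE = re.compile(r"^(\S+) (\S+) (.+)$")

# Extensions from the SentinelOne analysis; free decryptors only worked against the older, flawed versions.
CRYPTXXX_VARIANTS = {
    ".crypt": {"variant": "earlier CryptXXX version", "free_decryptor_may_work": True},
    ".crypz": {"variant": "previous CryptXXX version", "free_decryptor_may_work": True},
    ".cryp1": {"variant": "new CryptXXX version", "free_decryptor_may_work": False},
}

# Constructed sample file-creation events (hypothetical format: ISO timestamp, host, path).
SAMPLE_LOG = r"""
2016-06-07T10:00:01 ws12 C:\Users\alice\Documents\budget.xlsx
2016-06-07T10:00:03 ws12 C:\Users\alice\Documents\budget.xlsx.cryp1
2016-06-07T10:00:04 ws12 C:\Users\alice\Documents\notes.docx.cryp1
2016-06-07T10:00:05 ws12 C:\Users\alice\Pictures\img1.jpg.cryp1
2016-06-07T10:00:06 ws12 C:\Users\alice\Pictures\img2.jpg.cryp1
2016-06-07T10:00:07 ws12 C:\Users\alice\Pictures\img3.jpg.cryp1
2016-06-07T12:30:00 ws07 C:\Users\bob\Desktop\report.pdf.crypt
"""

def parse_events(log_text):
    # Yield (timestamp, host, extension) for every path that carries a CryptXXX extension.
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, host, path = m.groups()
        ext = "." + path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if ext in CRYPTXXX_VARIANTS:
            yield datetime.fromisoformat(ts), host, ext

def detect_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    # Alert when one host writes at least `threshold` CryptXXX-extension files within `window`.
    by_host = defaultdict(list)
    for ts, host, ext in parse_events(log_text):
        by_host[(host, ext)].append(ts)
    alerts = []
    for (host, ext), stamps in by_host.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"host": host, "extension": ext, "count": end - start + 1, **CRYPTXXX_VARIANTS[ext]})
                break                           # one alert per host/extension pair
    return alerts
```

With the defaults, only ws12 trips the detector (five .cryp1 writes in four seconds); the single .crypt write on ws07 is below threshold and would only surface if the threshold were lowered.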
CryptXXX, like most other ransomware variants, is being spread through spam messages with malicious attachments. Once it’s installed, there are a couple of layers of packers that eventually execute the ransomware payload itself. The payload encrypts the victim’s files and then displays a screen instructing the victim to download the Tor browser and go to a specific .onion address for further instructions. The ransom demanded by CryptXXX is typically between 1.2 and 2.4 Bitcoins, SentinelOne said.
“The total amount in USD paid can be calculated by averaging the Bitcoin price over the past two weeks to be around $500 USD (most transactions happened before the rally of Bitcoin to >$700). The total ransom paid comes out to be about $35,000 (500 * 70). At current Bitcoin prices, the ransom paid thus far is worth ~$49,700 at $710 USD per 1 XBT,” the analysis says.
“While the consistent transaction amounts would suggest that all transactions to this address are for CryptXXX malware, it’s impossible to be certain. Also, multiple addresses may be used for this malware family. Since this address didn’t have any activity until 6/4/2016, it’s likely that one new address is being used per version or campaign.”