Upgrades made to CryptXXX ransomware over the past couple of weeks have rendered a previously available decryption tool useless.
First detected by Proofpoint’s security researchers back in mid-April, CryptXXX is one of the newest ransomware variants to prey upon unsuspecting users.
The crypto-malware is currently being shipped as a Dynamic-Link Library (DLL) that is dropped by Bedep malware and the Angler exploit kit.
Once the infection cycle is complete, CryptXXX encrypts a number of different file types and appends the .CRYPT extension to each encrypted file. It then displays a ransom message that demands US $500 and warns the ransom fee will double in value if payment has not been received within a few days.
The ransomware has been observed in a number of attack campaigns since its initial discovery. Those include a malvertising infection affecting two TV stations, and an exploit kit attack campaign involving a popular toy maker’s website.
CryptXXX wasn’t perfect.
In just a few weeks, researchers at Kaspersky Lab had successfully discovered a bug in the ransomware’s encryption process, which they were able to exploit in their RannohDecryptor utility, allowing CryptXXX victims to decrypt their files for free.
For a time, it seemed that CryptXXX was dead in the water.
But that celebration was clearly premature.
According to researchers at Proofpoint, the ransomware is alive and well… and it’s being updated:
“CryptXXX is being actively maintained: we have seen it evolve multiple times since our initial discovery, but the changes did not appear significant enough to be mentioned. As expected, the number of actors spreading it has increased, making it one of the most commonly seen ransomware families. Globally, we have observed several primary threat actors transitioning from Teslacrypt/Locky to CryptXXX/Cerber in the driveby landscape in recent weeks. CryptXXX is most frequently dropped by Bedep after Angler infection, but we have seen it dropped directly by Angler as well.”
Now CryptXXX version 2.006 is circulating in the wild, and it’s sporting a number of upgrades.
The first is the use of a lock screen to make the infected computer unusable.
As a result, victims of this newest iteration of the crypto-malware must now use another computer to purchase Bitcoins and ultimately submit their ransom payment.
Infuriating, to be sure, but it pales in comparison to the second upgrade discovered by Proofpoint:
“We first thought that the new lock screen was a quick and dirty way to make it more difficult for the victim to use the Kaspersky decryption tool. But upon further inspection, we found that the authors discovered a way to bypass the latest version of the decryption tool.”
With no way for victims to unlock their files for free, CryptXXX has reclaimed its status as an undecryptable form of ransomware.
Users should therefore implement software and security patches as soon as they become available, maintain a regularly updated anti-malware solution on their machines, back up all critical data securely, and avoid clicking on suspicious links/email attachments.
In the meantime, researchers will without a doubt explore the possibilities for another decryption tool.