CryptXXX ransomware steals bitcoins and data from infected PCs

Ransomware asks for $500, and steadily increases its demands over time.

Cryptxxx bitcoin stealing

Researchers have come across some new ransomware that aside from encrypting files, steals bitcoins and other data from infected PCs.

The research team at Proofpoint explains in a blog post that it first detected the ransomware, named CryptXXX, last week.

The researchers noted that they found malicious websites hosting the Angler exploit kit which loaded up Bedep, a type of malware that has the ability to download other types of malware. Bedep ultimately settled on two payloads: CryptXXX and Dridex 222.

Ransomware infection process

Further investigation into the infection process reveals that CryptXXX is being shipped as a Dynamic-Link Library (DLL) dropped by Bedep. The start of that DLL is delayed sometimes for more than an hour, which might be an attempt to conceal the identity of the malicious website or other infection vector linked to Angler.

For additional protection against analysis by researchers, the ransomware checks CPU name in the registry and installs a hook procedure to monitor for mouse events.

Once it has fully installed itself on a victim's machine, the ransomware appends the .CRYPT extension to each infected file. It then displays a ransom message and asks for US $500 in payment. That demand will double in value if the victim neglects to pay the fee within a few days of infection.

Ransomware message

Encryption is not the only trick CryptXXX has up its sleeve, notes Proofpoint:

"This ransomware is not only encrypting files locally and on all mounted drives; it’s stealing Bitcoins and a large range of other data. We were expecting this because that instance of Bedep has a long history of dropping information stealers in its update stream. Specifically, it dropped Pony from November 2014 until mid-December 2015. It replaced Pony with an undocumented 'private stealer' until mid-March 2016. We believe that the information stealing functions in this ransomware are the same as in the 'private stealer' distributed by this instance of Bedep."

That's just the beginning of the ransomware's affiliations. The security firm's research team also has reason to believe CryptXXX was developed by the team behind Bedep and Angler. (The real name for Angler is "XXX," after all.)

The fact that CryptXXX shares a delayed start time and Bitcoin-/credential-stealing functions with Reveton, another ransomware variant developed by the Bedep/Angler team, seems to only confirm that linkage.

Cryptxxx countdown

Those types of connections hint at a bright future for CryptXXX.

"Given Reveton's long history of successful and large-scale malware distribution, we expect CryptXXX to become widespread. While we have observed many new ransomware instances in recent months, many have been written and/or distributed by less experienced actors and have not gained significant traction. Those associated with more experienced actors, however, (such as Locky) have become widespread quickly. Based on the large number of translations available for the payment page, it appears that the Reveton team shares those expectations."

To push out CryptXXX and other baddies, Angler relies on systems that contain unpatched software vulnerabilities. Staying on top of security fixes will help users block Angler's exploitation attempts, as will maintaining an up-to-date anti-virus solution on their computers.

Tags: , , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

Subscribe to the free GCHQ newsletter

, , , , ,

2 Responses

  1. Robert Williams

    April 23, 2016 at 2:11 am #

    I am unfortunately familiar with the ransomware as my company got hit back in Sept. '15. We ended up paying the ransom and received a working key that allowed decryption of all files. Has anyone paid this new ransom and received a working key?

  2. alex

    May 20, 2016 at 1:22 pm #

    can you share the master key?

Leave a Reply