CryptXXX ransomware steals bitcoins and data from infected PCs

Ransomware asks for $500, and steadily increases its demands over time.

David Bisson

Cryptxxx bitcoin stealing

Researchers have come across new ransomware that, aside from encrypting files, steals bitcoins and other data from infected PCs.

The research team at Proofpoint explains in a blog post that it first detected the ransomware, named CryptXXX, last week.

The researchers noted that they found malicious websites hosting the Angler exploit kit which loaded up Bedep, a type of malware that has the ability to download other types of malware. Bedep ultimately settled on two payloads: CryptXXX and Dridex 222.


Ransomware infection process

Further investigation into the infection process reveals that CryptXXX is being shipped as a Dynamic-Link Library (DLL) dropped by Bedep. The start of that DLL is delayed, sometimes for more than an hour, which might be an attempt to conceal the identity of the malicious website or other infection vector linked to Angler.

For additional protection against analysis by researchers, the ransomware checks the CPU name in the registry and installs a hook procedure to monitor for mouse events.

Once it has fully installed itself on a victim’s machine, the ransomware appends the .CRYPT extension to each infected file. It then displays a ransom message and asks for US $500 in payment. That demand will double in value if the victim neglects to pay the fee within a few days of infection.
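The .CRYPT append described above gives defenders a behavioural signal to watch for. As an added example (not code from Proofpoint or the original article), this Python detector flags a process that appends the extension to many files within a short window and records which drives were touched; the event format, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

EXT = ".crypt"                    # extension named in the article, compared case-insensitively
WINDOW = timedelta(seconds=60)    # assumed tuning value
THRESHOLD = 4                     # assumed tuning value, kept low for the small sample

# Constructed sample rename events: time|host|pid|old path|new path
SAMPLE = r"""
2016-04-19T10:00:01|ws01|4312|C:\Users\a\Docs\q1.xlsx|C:\Users\a\Docs\q1.xlsx.CRYPT
2016-04-19T10:00:03|ws01|4312|C:\Users\a\Docs\plan.docx|C:\Users\a\Docs\plan.docx.CRYPT
2016-04-19T10:00:04|ws01|988|C:\Temp\a.tmp|C:\Temp\a.log
2016-04-19T10:00:09|ws01|4312|Z:\share\hr\pay.pdf|Z:\share\hr\pay.pdf.CRYPT
2016-04-19T10:00:12|ws01|4312|Z:\share\hr\cv.doc|Z:\share\hr\cv.doc.CRYPT
2016-04-19T10:05:00|ws02|77|D:\vault\old.crypt|D:\vault\new.crypt
2016-04-19T10:30:00|ws03|50|C:\a.txt|C:\a.txt.crypt
2016-04-19T10:45:00|ws03|50|C:\b.txt|C:\b.txt.crypt
"""

def parse(text):
    for line in text.strip().splitlines():
        ts, host, pid, old, new = line.split("|")
        yield datetime.fromisoformat(ts), host, pid, old, new

def is_appended(old, new):
    """True when the new name is the old name plus the extension (an append, not a swap)."""
    return new.lower() == old.lower() + EXT

def detect(events):
    """Return one alert per (host, pid) once THRESHOLD appends fall inside WINDOW."""
    recent = defaultdict(deque)   # (host, pid) -> (time, drive) entries still in the window
    alerts = {}
    for ts, host, pid, old, new in sorted(events):
        if not is_appended(old, new):
            continue
        q = recent[(host, pid)]
        q.append((ts, new[:2].upper()))
        while ts - q[0][0] > WINDOW:      # drop entries older than the window
            q.popleft()
        if len(q) >= THRESHOLD and (host, pid) not in alerts:
            alerts[(host, pid)] = {"first_seen": q[0][0], "count": len(q),
                                   "drives": sorted({d for _, d in q})}
    return alerts

if __name__ == "__main__":
    for key, info in detect(parse(SAMPLE)).items():
        print(key, info)
```

In the sample, only the process on ws01 alerts: the ws02 rename already carried the extension, and the two appends on ws03 are fifteen minutes apart.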

Ransomware message

Encryption is not the only trick CryptXXX has up its sleeve, notes Proofpoint:

“This ransomware is not only encrypting files locally and on all mounted drives; it’s stealing Bitcoins and a large range of other data. We were expecting this because that instance of Bedep has a long history of dropping information stealers in its update stream. Specifically, it dropped Pony from November 2014 until mid-December 2015. It replaced Pony with an undocumented ‘private stealer’ until mid-March 2016. We believe that the information stealing functions in this ransomware are the same as in the ‘private stealer’ distributed by this instance of Bedep.”

That’s just the beginning of the ransomware’s affiliations. The security firm’s research team also has reason to believe CryptXXX was developed by the team behind Bedep and Angler. (The real name for Angler is “XXX,” after all.)

The fact that CryptXXX shares a delayed start time and Bitcoin-/credential-stealing functions with Reveton, another ransomware variant developed by the Bedep/Angler team, seems to only confirm that linkage.

Cryptxxx countdown

Those types of connections hint at a bright future for CryptXXX.

“Given Reveton’s long history of successful and large-scale malware distribution, we expect CryptXXX to become widespread. While we have observed many new ransomware instances in recent months, many have been written and/or distributed by less experienced actors and have not gained significant traction. Those associated with more experienced actors, however, (such as Locky) have become widespread quickly. Based on the large number of translations available for the payment page, it appears that the Reveton team shares those expectations.”

To push out CryptXXX and other baddies, Angler relies on systems that contain unpatched software vulnerabilities. Staying on top of security fixes will help users block Angler’s exploitation attempts, as will maintaining an up-to-date anti-virus solution on their computers.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

2 comments on “CryptXXX ransomware steals bitcoins and data from infected PCs”

  1. Robert Williams

    I am unfortunately familiar with the ransomware as my company got hit back in Sept. '15. We ended up paying the ransom and received a working key that allowed decryption of all files. Has anyone paid this new ransom and received a working key?

  2. alex

    can you share the master key?
