New CryptXXX ransomware variant made authors $50K in two weeks

But there’s a decryption tool, right? Yeah, about that…

David Bisson

Researchers have spotted a new variant of CryptXXX ransomware that made its authors close to US $50,000 in a little more than two weeks.

Originally detected back in April, CryptXXX is now a familiar face in the world of crypto-ransomware. It is known for its ability to steal victims’ Bitcoins.

In late April, researchers developed a decryption tool for CryptXXX, which led the ransomware’s authors to update their creation so that the recovery utility was no longer effective. They also outfitted the malware with a lock screen that prevented users from completing a ransom payment on an infected machine.

Security researchers responded by updating their decryption tool, which motivated the malware developers to update CryptXXX again – this time with a module capable of stealing victims’ passwords and other credentials.

The fact that the ransomware is constantly being updated makes CryptXXX a perfect candidate for exploit kit campaigns, such as the Neutrino EK attack that recently affected a popular anime website.

The malware authors aren’t done with their updates, either.

A new variant of CryptXXX identified by researchers at endpoint security firm SentinelOne has made two notable changes. The first has to do with the ransomware’s encryption process.

SentinelOne explains:

“The victim’s files are encrypted using a combination of RSA and RC4. The encrypted versions of the files have a file extension of .cryp1. The previous version of CryptXXX used .crypz and the version before that used .crypt. Also, previous versions had a flaw in how they implemented the encryption which allowed certain tools to decrypt the files without having to pay the ransom. However, this version does not have this flaw.”

This newest variant also deletes shadow volume copies, which in the current absence of a working decryption tool means victims can’t recover their files without paying the ransom.

Payment page

The ramifications of these changes might help to explain why this newest variant of CryptXXX has proven to be so profitable.

Between June 4 and June 21, the CryptXXX variant’s Bitcoin address received over 70 Bitcoins (more than US $45,000) in ransom payments.

Over 61 transactions were logged to that address, with individual payments valued at either 1.2 Bitcoin (US $778) or 2.4 Bitcoin ($1,556).

Transaction history

SentinelOne feels that such a positive financial record bodes well for CryptXXX:

“With this kind of success, it’s likely we’ll continue to see this family and other ransomware families continue to grow and evolve. Some factors which may contribute to this are the increasing reliance on computers to store and process valuable information and the increasing popularity of Bitcoin which is semi-anonymous, works globally, and is difficult to regulate because it’s completely decentralized.”

To protect against CryptXXX, users should avoid clicking on suspicious links or email attachments, maintain an up-to-date anti-virus solution on their machines, and install software and browser updates as soon as they become available.

Also, remember to back up your files regularly. Criminals want to leave users with no choice aside from paying for a decryption key once their files are encrypted. With file backups, we can restore our files for free in the event of an infection and deny miscreants their satisfaction.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.
