Researchers at Proofpoint, who first discovered CryptXXX a few weeks ago, have detected a new variant running in the wild on May 10, which defeats the previously released decryption tool offered by Kaspersky.
In addition to encrypting files on the victim's computer and network shares, the CryptXXX family of Ransomware also acts like a data stealing Trojan, hijacking saved login credentials stored in the browser, email client, and IM application. If the victim has a Bitcoin wallet, CryptXXX will steal those too, and then immediately demand $500 Bitcoin to reverse the encryption.
As it turns out, Kaspersky Lab managed to defeat the malware, and quickly added CryptXXX support to their Rannoh Decryptor tool. If successful, Kaspersky's efforts would help restore the victim's computer to a pre-infected state.
However, shortly after that tool became public, the authors of CryptXXX released a new version of the Ransomware, one that defeats Kaspersky's offering and applies some cosmetic enhancements.In addition to countering Kaspersky's tool, version 2.006 of CryptXXX locks the screen and renders the infected unusable.
"We first thought that the new lock screen was a quick and dirty way to make it more difficult for the victim to use the Kaspersky decryption tool . But upon further inspection, we found that the authors discovered a way to bypass the latest version of the decryption tool," Proofpoint explained. Exactly how CryptXXX is defeating Kaspersky isn't clear, but Proofpoint speculates that it has something to do with how zlib 1.2.2 is being embedded.
Proofpoint says that CryptXXX is rapidly emerging as one of the top ransomware families in the wild, especially among actors working primarily via exploit kits. "With the introduction of version 2.006, CryptXXX authors have, for now, rendered the existing free decryption tool ineffective. While new decryption tools may emerge, CryptXXX's active development and rapid evolution suggest that this new ransomware will continue to compete strongly in malware ecosystems."