
New Ransomware Variant Defeats Decryption Tool

CryptXXX shrugs off Kaspersky's "fix"

  • 11 May 2016
  • Author: SIM2K

Researchers at Proofpoint, who first discovered CryptXXX a few weeks ago, detected a new variant running in the wild on May 10 that defeats the previously released decryption tool offered by Kaspersky.

In addition to encrypting files on the victim's computer and on network shares, the CryptXXX family of ransomware also acts like a data-stealing Trojan, hijacking saved login credentials stored in the browser, email client, and IM applications. If the victim has a Bitcoin wallet, CryptXXX will steal that too, and then immediately demand $500 in Bitcoin to reverse the encryption.

In April, U.S. toy maker Maisto had their website infected with malicious JavaScript, which delivered unsuspecting visitors to a landing page managed by the Angler Exploit Kit, in order to deliver version 1.x of CryptXXX. 

As it turns out, Kaspersky Lab managed to defeat the malware's encryption and quickly added CryptXXX support to its Rannoh Decryptor tool. When it works, the tool restores the victim's files to their pre-infection state.

However, shortly after that tool became public, the authors of CryptXXX released a new version of the ransomware, one that defeats Kaspersky's offering and applies some cosmetic enhancements. In addition to countering Kaspersky's tool, version 2.006 of CryptXXX locks the screen and renders the infected computer unusable.

"We first thought that the new lock screen was a quick and dirty way to make it more difficult for the victim to use the Kaspersky decryption tool. But upon further inspection, we found that the authors discovered a way to bypass the latest version of the decryption tool," Proofpoint explained. Exactly how CryptXXX is defeating Kaspersky's tool isn't clear, but Proofpoint speculates that it has something to do with how zlib 1.2.2 is being embedded.

Proofpoint says that CryptXXX is rapidly emerging as one of the top ransomware families in the wild, especially among actors working primarily via exploit kits. "With the introduction of version 2.006, CryptXXX authors have, for now, rendered the existing free decryption tool ineffective. While new decryption tools may emerge, CryptXXX's active development and rapid evolution suggest that this new ransomware will continue to compete strongly in malware ecosystems."

Categories: Important News