Pierluigi Paganini
June 28, 2016
Security experts from security firm SentinelOne have analyzed the activity related to CryptXXX ransomware’s operators. They discovered that the gang made around $49,700 from the payment of ransoms between June 4 and June 21, 2016, the money were all collected through the same Bitcoin. The experts counted 61 payments for a total amount of 70 Bitcoin (roughly $35,000) from 61 payments.
The experts believe that the payments are related to CryptXXX ransoms, it wasn’t used before June 4, a circumstance that suggests that it might have been used for a specific ransomware campaign.
“A new version of the CryptXXX family of ransomware has been discovered which is spreading through spam and perhaps other means. This latest iteration fixes flaws in its file encryption methods which prevents use of free decryption tools and makes it impossible to decrypt files without paying the ransom.” states the report from SentinelOne.
“CryptXXX is an actively developed ransomware family. At the time of writing, this particular variant has led to the ransom payment of about $50,000 worth of Bitcoin. With this kind of success, it’s likely we’ll continue to see this family and other ransomware families continue to grow and evolve.”
CryptXXX ransomware was first spotted a couple of months ago, experts believe it allowed criminal organizations to earn a lot money.
The experts noted an intense activity involving the malware that was spread in campaigns leveraging on Angler, Neutrino, and Magnitude exploit kits.
Since April, CryptXXX has rapidly evolved, according to SentinelOne this last campaign involved a variant that fixed security flaws that allowed decrypting locked files without paying the ransom.
In May, experts at Kaspersky Lab have updated their decryption tool to adapt to the second version of the CryptXXX ransomware in the RannohDecryptor 1.9.1.0.
The last variant analyzed by SentinelOne was delivered as a malicious DLL that pretend to appear as a legitimate DLL from the CyberLink PowerDVD Cinema application.
“A quick check of the malicious DLL’s properties reveals it’s using what appears to be the details of a legitimate DLL named _BigBang.dll from a product called CyberLink PowerDVD Cinema. After hunting down a legitimate copy of _BigBang.dll, though of a slightly older version, it’s clear that the details have been copied exactly.” states the report.
The CryptXXX variant analyzed by the experts is also able to perform further operations to avoid analysis.
The victim’s files are encrypted using a combination of RSA and RC4 algorithms and their extension is .cryp1 instead the .crypz used in the previous version of CryptXXX.
“Ransom notes are created in each folder where a file is encrypted. One is in text and the other is in HTML. The text ransom note contains the following” continues the report.
Experts have no doubts, the CryptXXX will continue to threaten users worldwide.
[adrotate banner=”9″]
(Security Affairs – CryptXXX, ransomware)
