For the second time since June 1, the handlers of CryptXXX ransomware have changed their ransom note and Tor payment site. More important for administrators and those writing detection signatures, this update no longer changes the file extensions of encrypted files.
“To make it more difficult for administrators, this release no longer uses special extensions for encrypted files,” said researcher Lawrence Abrams on the BleepingComputer website. “Now an encrypted file will retain the same filename that it had before it was encrypted.”
Researcher and SANS Internet Storm Center handler Brad Duncan found the latest update to CryptXXX, in particular to post-infection activity. Duncan found the changes on a Windows machine compromised by the Neutrino Exploit Kit involved in the pseudo-Darkleech campaign.
The new payment instructions, for example, point to a new .onion website on the Tor network, and the payment site is called Microsoft Decryptor. On June 1, the previous update was pointing to a site called Ultra Decryptor.
“This version does not include a method of contacting the ransomware devs if a victim has payment problems,” Abrams said.
Duncan, meanwhile, posted an analysis of traffic from the Neutrino Exploit Kit involved in a recent infection coming from 198[.]71[.]54[.]211. He said the traffic made use of domain shadowing, a technique seen in other Neutrino EK campaigns as well as in Angler, which has been off the radar for a couple of months following the arrests of the Russian hackers behind the Lurk malware.
“Post-infection traffic was over 91[.]220[.]131[.]147 on TCP port 443 using custom encoding, a method CryptXXX has used since it first appeared earlier this year,” Duncan said, adding that text and HTML versions of the decryption instructions are downloaded in plaintext during post-infection traffic. Abrams said the ransom notes in the updated version of CryptXXX are called README.html, README.bmp, and README.txt.
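Because this release keeps the original filename and extension, an extension-based signature no longer fires; the two observations above (unchanged extensions, and ransom notes named README.html, README.bmp and README.txt) point instead to a content-based check. The following is an added example written for this article, not code from the researchers cited; the magic-byte table, the 7.5 bits-per-byte entropy threshold and the constructed sample files are assumptions.

```python
import math
import os
import tempfile

# Leading bytes for a few common document types (assumption: illustrative, not exhaustive).
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".zip": b"PK\x03\x04", ".png": b"\x89PNG"}
# Ransom note names reported for this CryptXXX release.
RANSOM_NOTES = {"README.html", "README.bmp", "README.txt"}

def shannon_entropy(data: bytes) -> float:
    # Bits per byte: ciphertext sits close to 8.0, most plaintext formats well below.
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_encrypted(path: str, threshold: float = 7.5) -> bool:
    """Flag a file whose extension is unchanged but whose header no longer matches it."""
    expected = MAGIC.get(os.path.splitext(path)[1].lower())
    if expected is None:
        return False  # unknown type: nothing to compare against
    with open(path, "rb") as f:
        head = f.read(4096)
    if head.startswith(expected):
        return False  # header intact, so the file body was not overwritten
    return shannon_entropy(head) >= threshold

def scan_directory(root: str) -> dict:
    """Return suspect files plus whether all three README ransom notes are present."""
    suspects, notes = [], set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name in RANSOM_NOTES:
                notes.add(name)
            elif looks_encrypted(full):
                suspects.append(full)
    return {"suspects": sorted(suspects), "ransom_notes": notes == RANSOM_NOTES}

def demo() -> dict:
    root = tempfile.mkdtemp()  # constructed sample tree: intact PDF, overwritten PDF, note triad
    with open(os.path.join(root, "intact.pdf"), "wb") as f:
        f.write(b"%PDF-1.4\n" + b"0" * 2000)
    with open(os.path.join(root, "hit.pdf"), "wb") as f:
        f.write(os.urandom(4096))  # stand-in for ciphertext; name and extension unchanged
    for name in RANSOM_NOTES:
        open(os.path.join(root, name), "wb").close()
    return scan_directory(root)
```

On the constructed tree, only hit.pdf is reported and the note triad is confirmed; intact.pdf passes because its %PDF header is still in place.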
CryptXXX is the current king of the ransomware hill and signaled the downfall of the Angler Exploit Kit in early June when researchers noted that it had switched distribution channels to Neutrino. It has already undergone numerous updates to its encryption capabilities, as well as to its ability to encrypt local and attached storage and backups and to steal credentials.
A number of large campaigns have been spreading CryptXXX, most notably of late pseudo-Darkleech, which has spread a number of ransomware families since it appeared in March 2015.
As recently as last week, pseudo-Darkleech made a change to its script, eliminating large blocks of numbers, up to 15,000 characters, that helped obfuscate code. The chunk of characters also made these campaigns easier to spot for researchers and detection software. Duncan said last Friday that the code had suddenly disappeared and that the start of the injected code in the script had changed dramatically. Now the attackers are using an iframe-based attack with very little obfuscation, surely throwing off signature-based detection systems.
Ransomware continues to be a worrisome threat to consumer and enterprise computers. The FBI warned in late April of the threat and urged organizations to be vigilant about patching browsers, operating systems and third-party applications. The bureau also discourages victims from paying ransoms, reasoning that payment is no guarantee that files will be recovered and that it only serves to encourage other criminals to go this route.
In the meantime, technology companies such as Kaspersky Lab, Cisco and others have developed decryptors for certain ransomware, including older versions of CryptXXX.