Researchers have neutralized the threat of the latest strain of the CryptXXX v.3 ransomware, releasing a decryption tool for unlocking files, and have added it to the RannohDecryptor, a free utility hosted by Kaspersky Lab’s No Ransom Project.
Previous decryption tools had been able to recover only a partial list of the files locked up by CryptXXX v.3; the latest goes a step further and recovers all files scrambled by the ransomware.
The utility deals a blow to the cybercriminals behind CryptXXX, considered one of the most active ransomware families in the wild today. Approximately one quarter of CryptXXX victims are based in the United States, with Russia, Germany and Japan among the other top targeted regions.
In April, researchers published a decryption tool for unscrambling files locked by an earlier version of CryptXXX. By June, cybercriminals had updated CryptXXX to outsmart those decryption tools and added a new credential-stealing module. At the time, Proofpoint researchers said CryptXXX authors were on track to rival Locky’s infection rates and distribution reach.
With the first version of CryptXXX, researchers were able to exploit a critical flaw in the encryption scheme to create a decryption tool. With CryptXXX v.2, the ransomware authors updated the code but still left flaws that Kaspersky Lab was able to leverage to build an updated decryption tool. The newest update to the utility decrypts files locked by both v.2 and v.3 of the ransomware.
According to Kaspersky Lab researchers, the CryptXXX malware is a DLL (dynamic-link library) written in Delphi that uses several different encryption schemes to attack files. Kaspersky Lab described three: the first uses RC4 with a single key for all files; the second uses RC4 to encrypt file contents and RSA to encrypt the RC4 keys; the third is a combination in which RC4 encrypts file contents while RSA encrypts some of the file contents as well as the RC4 keys.
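The first of those schemes, one RC4 key shared by every file, is the kind of design that makes a decryption tool possible without the criminals' key. RC4 is a stream cipher, so each file is simply plaintext XOR keystream, and a keystream derived from one key is identical for every file. A defender who holds just one original file (from a backup, a mail attachment, or a fixed file-format header) can XOR it against its encrypted copy to recover the keystream and then strip that keystream from every other file. The following is an added illustration of that known-plaintext attack, written for this page; it is not Kaspersky's RannohDecryptor, not CryptXXX code, and does not claim to reproduce the exact flaw the researchers used. The victim files, keys and the RC4 implementation are all constructed here, and the per-file-key variant stands in for the RSA-wrapped schemes by simply discarding each key, which is equivalent from the point of view of a defender without the RSA private key.

```python
import os


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same operation for a stream cipher."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


# Constructed victim files (not real CryptXXX samples). Many real formats begin
# with a fixed header, which is exactly what hands a defender a known plaintext.
VICTIM_FILES = {
    "report.docx": b"PK\x03\x04" + b"quarterly numbers " * 4,
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"JFIF pixel data " * 6,
    "notes.txt": b"meeting notes: rotate the backup credentials " * 2,
}


def encrypt_single_key(key: bytes, files: dict) -> dict:
    """Scheme 1 from the article: one RC4 key reused for every file."""
    return {name: rc4_crypt(key, data) for name, data in files.items()}


def encrypt_per_file_key(files: dict) -> dict:
    """Schemes 2/3 approximated: a fresh RC4 key per file. The real malware would
    wrap each key with RSA; discarding the key models a defender who lacks the
    RSA private key and therefore cannot unwrap it."""
    return {name: rc4_crypt(os.urandom(16), data) for name, data in files.items()}


def recover_keystream(known_plain: bytes, known_cipher: bytes) -> bytes:
    """Known-plaintext attack on a stream cipher: keystream = P XOR C."""
    return xor_bytes(known_plain, known_cipher)


def decrypt_prefix(keystream: bytes, cipher: bytes) -> bytes:
    """Decrypt as much of `cipher` as the recovered keystream covers."""
    return xor_bytes(keystream, cipher)


def single_key_recovery(files: dict, known_name: str) -> dict:
    """Attacker encrypts everything under one key; defender owns one original file
    and recovers every other file up to the length of the known plaintext."""
    attacker_key = os.urandom(16)              # never seen by the defender
    encrypted = encrypt_single_key(attacker_key, files)
    keystream = recover_keystream(files[known_name], encrypted[known_name])
    return {name: decrypt_prefix(keystream, c) for name, c in encrypted.items()}


def per_file_key_recovery(files: dict, known_name: str) -> dict:
    """Same attack against per-file keys: only the already-known file comes back."""
    encrypted = encrypt_per_file_key(files)
    keystream = recover_keystream(files[known_name], encrypted[known_name])
    return {name: decrypt_prefix(keystream, c) for name, c in encrypted.items()}


if __name__ == "__main__":
    for name, data in single_key_recovery(VICTIM_FILES, "notes.txt").items():
        print("single key ", name, data[:32])
    for name, data in per_file_key_recovery(VICTIM_FILES, "notes.txt").items():
        print("per-file key", name, data[:32])
```

The limitation is visible in `decrypt_prefix`: a recovered keystream only reaches as far as the known plaintext is long, so a short original file recovers only the head of a large one. Once the authors moved the RC4 key out of the shared-key design and wrapped per-file keys with RSA, this particular shortcut stops working, which is why each new CryptXXX version needed a fresh look for new flaws before an updated tool could ship.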
CryptXXX v.3 marks the files it locks with the extensions .crypt, .cryp1 and .crypz.
In its analysis, the researchers point out that, unlike Locky ransomware, which is most often delivered via Dridex spam campaigns, CryptXXX relies on driving traffic to malicious URLs hosting the Angler and Neutrino exploit kits.
As with earlier incarnations of the CryptXXX ransomware, v.3 also includes a module called stiller.dll that is downloaded to targeted PCs. The module is capable of stealing 130 different types of account credentials stored on the victim’s PC such as those used by e-mail clients, messenger programs and web browsers.
“After the files are encrypted and all the valuable data is transferred to the criminals, the Trojan displays a message to the victim demanding a ransom,” Kaspersky Lab researchers said.
It’s unclear how much money is demanded by the criminals with this latest version of CryptXXX. In June, an analysis of ransom payments for CryptXXX v.2 found the average payout for unlocking files was 1.3 bitcoin (about $1,000).
Kaspersky Lab has previously released more than a dozen decryption tools for ransomware families including CoinVault, TeslaCrypt, Wildfire and Crybola. A full list of available decryption utilities can be found at Kaspersky Lab’s No Ransom website.