In the ransomware world, it doesn’t take long for today’s darling to become yesterday’s news. Case in point: Locky.
That was in mid-February and late-March respectively. Now at the end of April, Locky has been shoved aside in a pair of potent campaigns in favor of CryptXXX.
Researchers at Palo Alto Networks on Thursday said attackers behind a campaign distributing Locky via the Nuclear Exploit Kit had two weeks ago switched to distributing CryptXXX using the feature-laden Angler Exploit Kit.
Researcher Brad Duncan said the current campaign that Palo Alto is calling Afraidgate—gate domains are being hosted at afraid[.]org—is the second major campaign pushing CryptXXX along with pseudo-Darkleech.
Both campaigns, Duncan said, use Angler to exploit vulnerable browser-related applications and deliver Bedep, a downloader that grabs CryptXXX and click-fraud malware.
CryptXXX is particularly nasty because it encrypts not only local files (encrypted files are given a .crypt extension) but also, shortly after the initial infection, files on all attached storage. The malware also has capabilities beyond encryption: it copies files, putting the victim at risk of identity theft, and steals Bitcoins stored on the local hard drives.
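As an added example, not code from the article or from Palo Alto's report, the following Python scan looks for the indicator described above from the defender's side: files renamed with the .crypt extension whose contents are high-entropy, counted per volume, so an attached share is covered simply by passing its mount path as another root. The directory layout, file names and thresholds are constructed sample data and assumptions, not values from the page.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

CRYPT_EXT = ".crypt"        # extension CryptXXX appends to encrypted files (per the article)
ENTROPY_THRESHOLD = 7.0     # bits per byte; ciphertext approaches 8.0, documents sit far lower

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte of a sample; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_roots(roots, sample_bytes=4096):
    """Walk each root (local volume or attached share) and count files that both carry
    the .crypt extension and look encrypted. Returns {root: {"crypt_files", "total_files"}}."""
    report = {}
    for root in roots:
        crypt_files = total = 0
        for dirpath, _, names in os.walk(root):
            for name in names:
                total += 1
                if not name.lower().endswith(CRYPT_EXT):
                    continue
                with open(os.path.join(dirpath, name), "rb") as fh:
                    if shannon_entropy(fh.read(sample_bytes)) >= ENTROPY_THRESHOLD:
                        crypt_files += 1
        report[root] = {"crypt_files": crypt_files, "total_files": total}
    return report

def roots_under_attack(report, min_ratio=0.25):
    """Roots where at least min_ratio of the files look encrypted (attached storage included)."""
    return sorted(root for root, s in report.items()
                  if s["total_files"] and s["crypt_files"] / s["total_files"] >= min_ratio)

def build_sample_tree():
    """Constructed sample data, not from a real infection: one hit volume, one clean share."""
    base = Path(tempfile.mkdtemp())
    local, share = base / "C", base / "Z_share"
    for d in (local, share):
        d.mkdir()
    for i in range(4):   # 'encrypted' files: random bytes under the original name plus .crypt
        (local / f"report{i}.docx{CRYPT_EXT}").write_bytes(os.urandom(4096))
    (local / "notes.txt").write_bytes(b"plain text " * 200)
    for i in range(3):   # clean share: ordinary text files only
        (share / f"memo{i}.txt").write_bytes(b"quarterly memo " * 100)
    return str(local), str(share)
```

Requiring both the renamed extension and high entropy keeps a legitimately named `.crypt` file from tripping the check; the ratio threshold is what separates a mass-encryption event from a stray file.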
“CryptXXX is gaining a wider distribution, because we’re now seeing it from another campaign,” Duncan said.
The key is the malware’s inclusion in campaigns built on the Angler Exploit Kit. Angler is updated with new exploits much more frequently, usually before other kits such as Nuclear, Duncan said. The use of Bedep is noteworthy because it is fileless malware that leaves no files on the victim’s hard drive; instead, it is injected into memory by shellcode in the exploit.
“Recent updates to Bedep make it harder to use virtual machines to investigate this malware,” Duncan wrote in a blog post yesterday. “Bedep acts differently if it detects a VM. It will not download CryptXXX, and post-infection click-fraud traffic is different than seen from a normal physical host.”
Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, said the malware contained an undisclosed weakness in its crypto implementation that opened the door to the development of the decryptor. The decryptor was added to an existing ransomware utility that also recovers files lost to Rannoh, AutoIt, Fury, Crybola, and Cryaki.
In March 2015, researchers at Sucuri disclosed their findings on pseudo-Darkleech, which was exploiting not only WordPress sites but also Microsoft IIS servers. The attacks evolved fairly quickly, and by December of last year, the campaign was moving ransomware via exploit kits.
Palo Alto’s report from Thursday includes traffic samples from the gates and Angler infections, as well as post-infection Bedep and click-fraud traffic.
Locky, meanwhile, hasn’t disappeared completely. It’s still being distributed in spam campaigns in which victims are enticed to enable macros in order to view an attached Word document. The lures are generally business-related, either payment invoices or shipping notifications.