The new version of the CryptXXX ransomware is spreading primarily through spam, said Caleb Fenton, senior security researcher at SentinelOne, in a technical description of the find posted Monday.
CryptXXX has been a fast-moving target for researchers, considered by some to be the “hot new kid on the block” of ransomware, even nipping at the heels of the notorious Locky ransomware in infection rates and distribution. In May, cybercriminals released an updated CryptXXX 3.100 version that includes a new StillerX credential-stealing module, giving attackers additional ways to monetize an infection.
Now, SentinelOne reports, cybercriminals have updated CryptXXX again, tweaking the encryption engine further to prevent free decryption tools from working. According to a Kaspersky Lab support page, its RannohDecryptor utility worked against numerous earlier versions of CryptXXX. With the 3.100 release in late May, however, RannohDecryptor was no longer able to decrypt files, though it remains effective against the earlier versions.
This new CryptXXX variant, found by SentinelOne, also packs new evasive tricks, such as masking the ransomware payload inside a DLL that appears to be a legitimate DLL from the video editing software CyberLink PowerDVD Cinema. “A quick check of the malicious DLL’s properties reveals it’s using what appears to be the details of a legitimate DLL named _BigBang.dll,” Fenton wrote.
Upon closer inspection, however, Fenton notes that while the malicious file carries the exact same DLL properties as _BigBang.dll, its code masks the ransomware payload. “The unpacking happens by allocating memory for the encrypted payload with VirtualAlloc and then copying over the encrypted bytes,” Fenton reports. Even once unpacked, he notes, the DLL’s contents still “look mostly benign.”
Looking a little harder, Fenton noted telltale signs of ransomware that raised eyebrows. “The list of exports is unusually large for a program with seemingly no actual legitimate functionality,” he wrote. “Further, the imports and exports are completely different from those of the legitimate _BigBang.dll. It may be safely assumed these functions are present to thwart analysis.”
Next, the malicious DLL runs through a decryption and decompression routine. Eventually, the unpacker locates the Windows Startup folder by querying the registry key “SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup”, and the unpacked code drops an HTML ransom note there, so that it opens each time the user logs on and the victim is reminded how to recover their files, according to the technical description.
“The analyzed sample was originally executed from a Windows shortcut (.lnk file). The shortcut points to rundll32.exe F0F3.tmp.dll,MSX3,” Fenton describes. The arguments tell rundll32.exe to load F0F3.tmp.dll and call its exported function MSX3. “Shortly after the MSX3 address is retrieved, execution jumps to that address and the file encryption and ransom behavior begins.”
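The `rundll32.exe <dll>,<export>` launch pattern above is easy to hunt for in process-creation telemetry, because rundll32 puts the DLL and the entry point on the command line in a fixed shape. The script below is an added example, not SentinelOne's code or anything from the report: it parses rundll32 command lines (quoted or bare DLL paths, the comma-separated entry point, trailing arguments) and scores each call. The pipe-separated log records, the allowlist of ordinary rundll32 targets and the "user-writable directory" pattern are constructed assumptions for the demo; only the `rundll32.exe F0F3.tmp.dll,MSX3` line comes from the page.

```python
"""Flag suspicious rundll32.exe invocations (such as the CryptXXX loader's
rundll32.exe F0F3.tmp.dll,MSX3) in process-creation style log records."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample records in an assumed "<time>|<Image>|<CommandLine>" shape.
# Record 1 is the command line from the SentinelOne write-up; the rest are invented.
SAMPLE_LOGS = [
    r"2016-06-21T10:00:01|C:\Windows\System32\rundll32.exe|rundll32.exe F0F3.tmp.dll,MSX3",
    r"2016-06-21T10:00:05|C:\Windows\System32\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl",
    r'2016-06-21T10:00:09|C:\Windows\System32\rundll32.exe|rundll32.exe "C:\Users\bob\AppData\Local\Temp\A1B2.tmp.dll",MSX3',
    r'2016-06-21T10:00:12|C:\Windows\System32\rundll32.exe|C:\Windows\System32\rundll32.exe "C:\Program Files\Vendor\plugin.dll",Register /silent',
    r"2016-06-21T10:00:20|C:\Windows\System32\notepad.exe|notepad.exe notes.txt",
]

# Assumed allowlist of everyday rundll32 targets: (dll basename, entry point), lowercase.
_KNOWN_GOOD = {
    ("shell32.dll", "control_rundll"),
    ("shell32.dll", "shellexec_rundll"),
    ("user32.dll", "lockworkstation"),
    ("advpack.dll", "launchinfsection"),
}
# Assumed set of directories an ordinary user can write to.
_USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads|users\\public|programdata)\\", re.IGNORECASE)
# The executable token: rundll32 or rundll32.exe, optionally with a path, optionally quoted.
_EXE = re.compile(r'^\s*(?:"[^"]*?rundll32(?:\.exe)?"|[^\s"]*rundll32(?:\.exe)?)\s+', re.IGNORECASE)


@dataclass
class Rundll32Call:
    dll: str              # DLL exactly as written on the command line
    entry: Optional[str]  # export rundll32 will call, None if absent
    args: str             # whatever follows the entry point


@dataclass
class Finding:
    line_no: int
    severity: str         # "high" or "medium"
    reasons: List[str]
    call: Rundll32Call


def parse_rundll32(cmdline: str) -> Optional[Rundll32Call]:
    """Split a rundll32 command line into DLL, entry point and arguments."""
    m = _EXE.match(cmdline)
    if not m:
        return None                                  # not a rundll32 launch at all
    rest = cmdline[m.end():]
    if rest.startswith('"'):                         # quoted DLL path (may contain spaces)
        close = rest.find('"', 1)
        if close < 0:
            return None
        dll, rest = rest[1:close], rest[close + 1:]
    else:                                            # bare name ends at the comma or whitespace
        m = re.match(r"[^,\s]+", rest)
        if not m:
            return None
        dll, rest = m.group(0), rest[m.end():]
    rest = rest.lstrip()
    if not rest.startswith(","):
        return Rundll32Call(dll, None, rest.strip())  # no entry point given
    rest = rest[1:].lstrip()
    m = re.match(r"\S*", rest)
    return Rundll32Call(dll, m.group(0) or None, rest[m.end():].strip())


def assess(call: Rundll32Call) -> Optional[Tuple[str, List[str]]]:
    """Return (severity, reasons) for a call, or None if it is allowlisted."""
    base = call.dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if (base, (call.entry or "").lower()) in _KNOWN_GOOD:
        return None
    reasons = []
    if ".tmp." in base or base.endswith(".tmp"):
        reasons.append("DLL name looks like a temporary file")
    if _USER_WRITABLE.search(call.dll):
        reasons.append("DLL loaded from a user-writable directory")
    if "\\" not in call.dll and "/" not in call.dll:
        reasons.append("DLL given by bare name, resolved through the loader search path")
    severity = "high" if reasons else "medium"       # unlisted entry point alone is only medium
    reasons.append(f"entry point {call.entry!r} is not on the rundll32 allowlist")
    return severity, reasons


def analyze_logs(lines: List[str]) -> List[Finding]:
    """Run every record through the parser and scorer; skip non-rundll32 launches."""
    findings = []
    for n, line in enumerate(lines, start=1):
        _time, _image, cmdline = line.split("|", 2)
        call = parse_rundll32(cmdline)
        if call is None:
            continue
        verdict = assess(call)
        if verdict is not None:
            findings.append(Finding(n, verdict[0], verdict[1], call))
    return findings


if __name__ == "__main__":
    for f in analyze_logs(SAMPLE_LOGS):
        print(f"line {f.line_no} [{f.severity}] {f.call.dll},{f.call.entry}: " + "; ".join(f.reasons))
```

The allowlist only suppresses the handful of combinations listed, and several legitimate rundll32 entry points (ShellExec_RunDLL among them) are also abused in the wild, so in practice the medium findings should be triaged on parent process and DLL signature rather than dropped. Renaming rundll32.exe itself defeats the command-line match; pair this with a check on the image's original file name if your telemetry carries it.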
SentinelOne says files are encrypted with a combination of RSA and RC4 and given a .cryp1 extension, as opposed to earlier versions of CryptXXX, which used .crypz and .crypt. Ransom payment analysis shows the Bitcoin address behind the ransomware received 70 bitcoins between June 4 and June 21, with an average payout of 1.3 bitcoin ($766) from approximately 60 individuals or organizations.