When exploits kits, in particular Angler, spread ransomware infections, people get nervous.
The latest strain to appear in the virulent Angler kit is CryptXXX, which researchers at Proofpoint and Fox IT tied to the same group dropping old-school Reveton ransomware and Bedep click-fraud malware.
CryptXXX asks for a steep $500 in Bitcoin to unlock files it has encrypted, and given Angler’s penetration and frequent updates, CryptXXX quickly stepped to the forefront as ransomware to watch.
CryptXXX is particularly nasty because it not only encrypts local files (encrypted files have a .crypt extension), but also those on all attached storage shortly after the initial infection. The malware also has other capabilities beyond encrypting local files. It copies files putting the victim at risk for identity theft and steals Bitcoins stored on the local hard drives.
Researchers at Kaspersky Lab today published a solution for victims, a utility that helps recover files scrambled by CryptXXX.
Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, said the malware contained an undisclosed weakness in the malware’s crypto implementation that opened the door to the development of the decryptor. The decryptor was added to an existing ransomware utility that also recovers files lost to Rannoh, AutoIt, Fury, Crybola, and Cryaki.
“It looks dangerous because of Angler (i.e. it has a potential for massive propagation),” Sinitsyn said. “Also, it has additional functionality to steal sensitive data, which is another big threat, even if the victim manages to decrypt the files.”
Sinitsyn said, the decryptor requires at least one original copy of a file encrypted by CryptXXX.
“If given a correct pair, the utility will decrypt all files with size less than or equal to the size of the file from the pair,” Sinitsyn said. “Most of the time the victim manages to find an original copy of one encrypted file. It can be on a disconnected flash drive, external hard drive, in their mailbox, in a cloud storage, on another PC, etc. In case of CryptXXX, if the victim finds a large original, it will allow to decrypt all affected files of this size or smaller.”
CryptXXX was spotted by Proofpoint researchers on April 15 when an Angler infection that was moving Bedep was also moving a ransomware payload and Dridex banking malware, the company said in a blog post.
The presence of Bedep tipped the researchers off that there may be more at play with CryptXXX. Bedep has been used in numerous other attacks to drop other malware such as the Pony password-stealing malware. In this case, Proofpoint said CryptXXX harvests data from instant messenger clients, local FTP client credentials, data from local mail clients, and browser information, including cookie data.
Reventon ransomware has been relatively quiet since February 2015 when it was spotted in Angler infections. Proofpoint noted a half-dozen similarities between Reveton and CryptXXX such as both are written in Delphi, both use the same custom command and control protocol and both have a delayed start before targeting attached storage.