CryptXXX ransomware has received a major overhaul by its authors, putting it on the fast track to unseat Locky as top moneymaker for criminals.

Researchers at Proofpoint said that on May 26, cybercriminals released CryptXXX version 3.100, an update to the ransomware that includes a new credential-stealing module called StillerX, which gives attackers additional ways to monetize an infection. Proofpoint said StillerX targets credentials for a wide range of applications, from casino software to Cisco VPN.

“It absolutely looks like CryptXXX is the hot new kid on the block,” said Kevin Epstein, VP of Threat Operations Center at Proofpoint, in an interview with Threatpost. “With TeslaCrypt exiting the ransomware business, CryptXXX looks to soon rival Locky via infection rates and distribution.”

Epstein says CryptXXX is being distributed by the same well-established group behind the Angler Exploit Kit. “We are looking at a very large attack surface for CryptXXX. Conservative estimate is 50,000 CryptXXX infections per day with revenue generation of $100,000 to $200,000 daily,” Epstein said.

CryptXXX’s distribution model differs from that of Locky, in that Locky ransomware is most often delivered via Dridex campaigns as a malicious email attachment. CryptXXX, according to Proofpoint, relies on driving traffic to malicious URLs infected with exploit kits.

CryptXXX has also gained the ability to look beyond local and attached storage devices for files to encrypt. According to a Proofpoint blog post, the revamped CryptXXX scans port 445 (used for Server Message Block) on networked computers to find “shared resources on the network, enumerating files in every shared directory, and encrypting them one by one.”

Besides a boost in core functionality, the 3.100 version of the ransomware also receives a new payment portal with mostly GUI improvements along with tweaks to the ransomware’s lock screen behavior.

“CryptXXX has been involved in very rapid development cycles,” Epstein said. The ransomware first appeared on Proofpoint’s radar on April 15. Researchers said infection rates climbed steadily from then until April 26, when Kaspersky Lab released RannohDecryptor, a utility that recovers files scrambled by CryptXXX.

According to a Kaspersky Lab support page, RannohDecryptor worked against numerous updated versions of CryptXXX. With last week’s 3.100 release, however, the utility can no longer decrypt files encrypted by that version. Kaspersky Lab’s utility remains effective at recovering files encrypted by the Rannoh, AutoIt, Fury, Crybola, and Cryaki variants.

CryptXXX is particularly nasty because it not only encrypts local files (encrypted files receive a .crypt extension) but also copies files, putting the victim at risk of identity theft, and steals Bitcoins stored on local hard drives.
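The two behaviours the article describes, probing port 445 across the network to find shares and renaming files to a .crypt extension as they are encrypted, are both visible in ordinary telemetry. The script below is an added example written for this page, not code from Threatpost, Proofpoint or Kaspersky Lab; it runs two simple burst detections over constructed sample logs. The log formats, hostnames, process IDs, window sizes and thresholds are assumptions chosen for the example, not any product's real schema or tuned values.

```python
"""Added example: detect the network-share scanning and mass .crypt renaming
described in the article, using a single sliding-window "distinct items per
key" rule over constructed sample logs (not real data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall-style connection log: "<timestamp> <src> -> <dst>:<port>".
# 10.0.5.21 sweeps eleven hosts on TCP/445 in six seconds; 10.0.5.30 is a
# normal client touching two file servers half a minute apart.
CONN_LOG = """
2016-05-26T10:00:01 10.0.5.21 -> 10.0.5.1:53
2016-05-26T10:00:02 10.0.5.21 -> 10.0.5.10:445
2016-05-26T10:00:02 10.0.5.21 -> 10.0.5.11:445
2016-05-26T10:00:03 10.0.5.21 -> 10.0.5.12:445
2016-05-26T10:00:03 10.0.5.21 -> 10.0.5.13:445
2016-05-26T10:00:04 10.0.5.21 -> 10.0.5.14:445
2016-05-26T10:00:04 10.0.5.21 -> 10.0.5.15:445
2016-05-26T10:00:05 10.0.5.21 -> 10.0.5.16:445
2016-05-26T10:00:05 10.0.5.21 -> 10.0.5.17:445
2016-05-26T10:00:06 10.0.5.21 -> 10.0.5.18:445
2016-05-26T10:00:06 10.0.5.21 -> 10.0.5.19:445
2016-05-26T10:00:07 10.0.5.21 -> 10.0.5.20:445
2016-05-26T10:00:09 10.0.5.30 -> 10.0.5.10:445
2016-05-26T10:00:40 10.0.5.30 -> 10.0.5.11:445
"""

# Constructed endpoint file-event log: "<timestamp> <host> <pid> RENAME <old> -> <new>".
# pid 4120 renames six files (local and on a share) to .crypt in four seconds;
# pid 800 performs one benign .bak rotation.
FILE_LOG = r"""
2016-05-26T10:01:00 WS-21 4120 RENAME C:\Users\amy\Documents\q1.xlsx -> C:\Users\amy\Documents\q1.xlsx.crypt
2016-05-26T10:01:00 WS-21 4120 RENAME C:\Users\amy\Documents\q2.xlsx -> C:\Users\amy\Documents\q2.xlsx.crypt
2016-05-26T10:01:01 WS-21 4120 RENAME \\FS01\finance\budget.docx -> \\FS01\finance\budget.docx.crypt
2016-05-26T10:01:02 WS-21 4120 RENAME \\FS01\finance\plan.pptx -> \\FS01\finance\plan.pptx.crypt
2016-05-26T10:01:03 WS-21 4120 RENAME \\FS01\hr\roster.xlsx -> \\FS01\hr\roster.xlsx.crypt
2016-05-26T10:01:04 WS-21 4120 RENAME \\FS01\hr\notes.txt -> \\FS01\hr\notes.txt.crypt
2016-05-26T10:01:30 WS-21 800 RENAME C:\Temp\report.log -> C:\Temp\report.log.bak
"""


def parse_ts(s):
    return datetime.fromisoformat(s)


def smb_events(text):
    """Yield (timestamp, source, destination) for every connection to TCP/445."""
    for line in text.strip().splitlines():
        ts, src, _, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        if port == "445":
            yield parse_ts(ts), src, dst


def crypt_rename_events(text):
    """Yield (timestamp, (host, pid), old_path) for every rename to a .crypt file."""
    for line in text.strip().splitlines():
        ts, host, pid, _, old, _, new = line.split()
        if new.lower().endswith(".crypt"):
            yield parse_ts(ts), (host, int(pid)), old


def bursts(events, window, threshold):
    """Return {key: n} for keys that touch at least `threshold` distinct items
    within any interval of length `window`; n is the largest such count."""
    by_key = defaultdict(list)
    for ts, key, item in events:
        by_key[key].append((ts, item))
    flagged = {}
    for key, evs in by_key.items():
        evs.sort()
        for i, (ts, _) in enumerate(evs):
            # Distinct items seen in the window ending at this event.
            distinct = {item for t, item in evs[: i + 1] if ts - t <= window}
            if len(distinct) >= threshold and len(distinct) > flagged.get(key, 0):
                flagged[key] = len(distinct)
    return flagged


def detect_smb_fanout(log=CONN_LOG, window=timedelta(seconds=30), threshold=10):
    """Sources that reach many distinct hosts on port 445 in a short window."""
    return bursts(smb_events(log), window, threshold)


def detect_crypt_bursts(log=FILE_LOG, window=timedelta(seconds=60), threshold=5):
    """Processes that rename many distinct files to .crypt in a short window."""
    return bursts(crypt_rename_events(log), window, threshold)


if __name__ == "__main__":
    for src, n in detect_smb_fanout().items():
        print(f"ALERT smb-fanout: {src} reached {n} hosts on 445 within 30s")
    for (host, pid), n in detect_crypt_bursts().items():
        print(f"ALERT crypt-burst: {host} pid {pid} renamed {n} files to .crypt within 60s")
```

Both rules share the same window logic, so the thresholds are the only tuning knobs: a legitimate backup agent or domain controller will also contact many hosts on 445, so the fan-out rule is best scoped to workstations, while the rename rule is specific enough to the .crypt marker to alert on a single process. On the sample logs the script flags 10.0.5.21 (11 hosts) and WS-21 pid 4120 (6 files) and ignores the two benign entries.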

Categories: Cryptography, Hacks, Malware

Comment (1)

Jay

What Cisco VPN product stores credentials locally? Is this the old IPsec client that is no longer supported by Cisco?