by Jaaziel Carlos, Anthony Melgarejo, Rhena Inocencio, and Joseph C. Chen
The departure of TeslaCrypt from the ransomware scene has made waves in the cybercriminal world. Bad guys appear to be jumping ship in hopes of grabbing a chunk of the share previously owned by TeslaCrypt. In line with this recent event, indicators point to a new strongman in the ransomware game: CryptXXX.
CryptXXX (detected as RANSOM_WALTRIX.C) has received several recent updates, one of which took place after a free decryption tool surfaced that allowed victims to disregard the ransom. Not only does it encrypt files; recent CryptXXX variants now also use a lockscreen technique that prevents users from accessing their desktops.
CryptXXX is spread via compromised websites and malvertising that lead to the Angler exploit kit.
Figure 1. CryptXXX infection vector via Angler EK
Once a user visits the compromised site or clicks on a malicious ad, CryptXXX is dropped by variants of the BEDEP malware. Once it arrives on a computer, it first checks whether it is running in a virtual environment; if it detects one, it terminates itself.
What makes CryptXXX difficult to stop is that it runs alongside a watchdog program. CryptXXX runs two simultaneous routines: one encrypts files, and the other detects abnormal system behavior. When the watchdog detects abnormal behavior that halts the encryption process, it restarts the encryption routine. The result is a cycle of the malware being stopped and the watchdog restarting it.
Figure 2. CryptXXX running simultaneous processes as svchost.exe
CryptXXX encrypts all files with the following extensions:
.3DM, .3DS, .3G2, .3GP, .7Z, .ACCDB, .AES, .AI, .AIF, .APK, .APP, .ARC, .ASC, .ASF, .ASM, .ASP, .ASPX, .ASX, .AVI, .BMP, .BRD, .BZ2, .C, .CER, .CFG, .CFM, .CGI, .CGM, .CLASS, .CMD, .CPP, .CRT, .CS, .CSR, .CSS, .CSV, .CUE, .DB, .DBF, .DCH, .DCU, .DDS, .DIF, .DIP, .DJV, .DJVU, .DOC, .DOCB, .DOCM, .DOCX, .DOT, .DOTM, .DOTX, .DTD, .DWG, .DXF, .EML, .EPS, .FDB, .FLA, .FLV, .FRM, .GADGET, .GBK, .GBR, .GED, .GIF, .GPG, .GPX, .GZ, .H, .HTM, .HTML, .HWP, .IBD, .IBOOKS, .IFF, .INDD, .JAR, .JAVA, .JKS, .JPG, .JS, .JSP, .KEY, .KML, .KMZ, .LAY, .LAY6, .LDF, .LUA, .M, .M3U, .M4A, .M4V, .MAX, .MDB, .MDF, .MFD, .MID, .MKV, .MML, .MOV, .MP3, .MP4, .MPA, .MPG, .MS11, .MSI, .MYD, .MYI, .NEF, .NOTE, .OBJ, .ODB, .ODG, .ODP, .ODS, .ODT, .OTG, .OTP, .OTS, .OTT, .P12, .PAGES, .PAQ, .PAS, .PCT, .PDB, .PDF, .PEM, .PHP, .PIF, .PL, .PLUGIN, .PNG, .POT, .POTM, .POTX, .PPAM, .PPS, .PPSM, .PPSX, .PPT, .PPTM, .PPTX, .PRF, .PRIV, .PRIVAT, .PS, .PSD, .PSPIMAGE, .PY, .QCOW2, .RA, .RAR, .RAW, .RM, .RSS, .RTF, .SCH, .SDF, .SH, .SITX, .SLDX, .SLK, .SLN, .SQL, .SQLITE, .SRT, .STC, .STD, .STI, .STW, .SVG, .SWF, .SXC, .SXD, .SXI, .SXM, .SXW, .TAR, .TBK, .TEX, .TGA, .TGZ, .THM, .TIF, .TIFF, .TLB, .TMP, .TXT, .UOP, .UOT, .VB, .VBS, .VCF, .VCXPRO, .VDI, .VMDK, .VMX, .VOB, .WAV, .WKS, .WMA, .WMV, .WPD, .WPS, .WSF, .XCODEPROJ, .XHTML, .XLC, .XLM, .XLR, .XLS, .XLSB, .XLSM, .XLSX, .XLT, .XLTM, .XLTX, .XLW, .XML, .YUV, .ZIP, .ZIPX
It also locks the user's screen, preventing access to any other tool. As previously mentioned, this appears to be a reaction to the decrypter tool that was released for the previous version of CryptXXX. Users can still access the payment site through the links provided in the ransom note.
Figure 3. CryptXXX ransom note
Another peculiar change that CryptXXX introduced is a long waiting period before the ransom amount doubles. While other ransomware families double their price in as little as 24 hours, CryptXXX gives users 90+ hours to pay the ransom before it doubles. Unlike ransomware families that rush users into paying, like JIGSAW, CryptXXX gives users ample time to come up with the ransom money.
Figure 4. Payment link showing 90+ hours to pay US$500 before payment is doubled
With updated routines and a friendlier ransom proposition, many cybercriminals are sure to flock to CryptXXX. We expect the writers to make further updates that turn this ransomware into a nightmare for users who lack proper ransomware solutions.
Angler EK is perhaps one of the most notorious exploit kits; it has victimized hundreds of sites and been part of countless malvertising attempts. Users should regularly patch or update their programs, software, and applications to the latest versions to protect themselves against the exploitation of vulnerabilities. Users should also follow the 3-2-1 rule for backing up files: create three backup copies on two different media, with one of the backups stored in a separate location.
Given that ransomware can also be spread via spam attachments or links in spam messages, users should avoid opening unverified emails or clicking on embedded links.
Trend Micro says NO to ransomware. We strongly advise users not to pay ransom demands as it fuels cybercrime and promotes further propagation of ransomware.
Trend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting affected by ransomware, such as CryptXXX.
Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities, such as behavior monitoring, application control, and vulnerability shielding, that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers, whether physical, virtual, or in the cloud.
For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities, such as behavior monitoring and real-time web reputation, in order to detect and block ransomware.
For home users, Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.
Users can likewise take advantage of our free tools, such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware, and the Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying the ransom or obtaining the attackers' decryption key.
- DF7E00A7DE1C584F0BF71BB583673A9CA4511AEF – Ransom_WALTRIX.C
- ADCE8CF4C31F1980C2B1D952A5A931D7C8DCDD8C – Ransom_WALTRIX.C
- B3CA5D55F0D38AC78A86A36323A8498854E3FA80 – Ransom_WALTRIX.C
Update as of May 23, 2016, 7:54 PM (UTC-7)
Trend Micro has released free tools to aid users in gaining access back to their encrypted files and lock screens. Our Ransomware File Decryptor supports CryptXXX v2 as well as TeslaCrypt (versions 1, 3, and 4).
Updated on May 24, 2016, 3:05 AM (UTC-7)
We updated this entry to include the specific coverage of our decryptor tool.
Updated on May 26, 2016, 6:16 AM (UTC-7)
We updated the solutions segment of this entry.