
Will CryptXXX Replace TeslaCrypt After Ransomware Shakeup?

  • Posted on: May 20, 2016 at 9:19 am
  • Posted in: Bad Sites, Malware, Ransomware
  • Author: Trend Micro

by Jaaziel Carlos, Anthony Melgarejo, Rhena Inocencio, and Joseph C. Chen

TeslaCrypt's departure from the ransomware circle has made waves in the cybercriminal world. Bad guys appear to be jumping ship in hopes of grabbing a chunk of the share that TeslaCrypt previously held. In line with this recent event, indicators point to a new strongman in the ransomware game: CryptXXX.

CryptXXX (detected as RANSOM_WALTRIX.C) has received several recent updates, one of which took place after a free decryption tool surfaced that allowed victims to disregard the ransom. Not only does it encrypt files; recent CryptXXX variants also carry a lockscreen routine that prevents users from accessing their desktops.

Arrival Vector

CryptXXX is spread via compromised websites and malvertisements hosting the Angler exploit kit.

Figure 1. CryptXXX infection vector via Angler EK

Once a user visits the compromised site or clicks on a malicious ad, CryptXXX is dropped by variants of the BEDEP malware. Once it arrives on a computer, it first checks whether it is running in a virtual environment; if it detects one, it terminates itself.

What makes CryptXXX difficult to stop is that it runs alongside a watchdog program. CryptXXX runs two simultaneous routines: one that encrypts, and another that detects abnormal system behavior. When the watchdog detects abnormal system behavior that halts the encryption process, it restarts the encryption routine. The result is a cycle of the malware being stopped and the watchdog restarting it.
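The watchdog behavior described above leaves a footprint in process-creation telemetry that a defender can hunt for. The following is an added example, not code from the original post or from Trend Micro: it scores constructed process-creation events (the fields that Sysmon Event ID 1 or similar telemetry provides) for two signals the write-up describes, an image named svchost.exe running outside its normal context (Figure 2), and one parent repeatedly respawning the same child within a short window, which is what a watchdog restarting a killed encryptor looks like. The baseline paths, thresholds and sample events are assumptions for the demo.

```python
"""Detection heuristics for a watchdog/encryptor process pair.

Added example, not code from the original post. Baseline paths, thresholds
and the sample telemetry below are assumptions for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    pid: int
    ppid: int
    image: str          # full path of the started process
    parent_image: str   # full path of the process that started it


# Where a genuine svchost.exe lives and who normally starts it (assumed baseline).
LEGIT_SVCHOST = r"c:\windows\system32\svchost.exe"
LEGIT_SVCHOST_PARENT = r"c:\windows\system32\services.exe"


def masquerading_svchost(ev: ProcEvent) -> bool:
    """True when something named svchost.exe runs from the wrong path or wrong parent."""
    image = ev.image.lower()
    if not image.endswith("\\svchost.exe"):
        return False
    return image != LEGIT_SVCHOST or ev.parent_image.lower() != LEGIT_SVCHOST_PARENT


def respawn_loops(events, min_spawns=3, window=timedelta(minutes=5)):
    """Return (ppid, image) pairs where one parent started the same image
    at least min_spawns times inside any window-sized interval."""
    spawns = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        spawns[(ev.ppid, ev.image.lower())].append(ev.ts)
    loops = []
    for key, times in spawns.items():
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_spawns:
                loops.append(key)
                break
    return loops


def analyze(events):
    """Combine both heuristics into one report dict."""
    return {
        "masquerading_pids": [ev.pid for ev in events if masquerading_svchost(ev)],
        "respawn_loops": respawn_loops(events),
    }


# Constructed sample telemetry: one genuine svchost.exe, then a fake svchost.exe in
# %AppData% whose sibling process (pid 4000) restarts it each time it is killed.
T0 = datetime(2016, 5, 20, 9, 0, 0)
FAKE = r"C:\Users\alice\AppData\Roaming\svchost.exe"
SAMPLE_EVENTS = [
    ProcEvent(T0, 800, 600, LEGIT_SVCHOST, LEGIT_SVCHOST_PARENT),
    ProcEvent(T0 + timedelta(seconds=5), 4100, 4000, FAKE, FAKE),
    ProcEvent(T0 + timedelta(seconds=65), 4102, 4000, FAKE, FAKE),
    ProcEvent(T0 + timedelta(seconds=130), 4105, 4000, FAKE, FAKE),
]

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

The respawn heuristic is deliberately independent of the image name, so it still fires if a future variant stops masquerading as svchost.exe; the two signals together also give a responder the parent PID to stop first, since killing only the encryptor feeds the restart cycle the post describes.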

Figure 2. CryptXXX running simultaneous processes as svchost.exe

CryptXXX encrypts all files with the following extensions:

.3DM, .3DS, .3G2, .3GP, .7Z, .ACCDB, .AES, .AI, .AIF, .APK, .APP, .ARC, .ASC, .ASF, .ASM, .ASP, .ASPX, .ASX, .AVI, .BMP, .BRD, .BZ2, .C, .CER, .CFG, .CFM, .CGI, .CGM, .CLASS, .CMD, .CPP, .CRT, .CS, .CSR, .CSS, .CSV, .CUE, .DB, .DBF, .DCH, .DCU, .DDS, .DIF, .DIP, .DJV, .DJVU, .DOC, .DOCB, .DOCM, .DOCX, .DOT, .DOTM, .DOTX, .DTD, .DWG, .DXF, .EML, .EPS, .FDB, .FLA, .FLV, .FRM, .GADGET, .GBK, .GBR, .GED, .GIF, .GPG, .GPX, .GZ, .H, .HTM, .HTML, .HWP, .IBD, .IBOOKS, .IFF, .INDD, .JAR, .JAVA, .JKS, .JPG, .JS, .JSP, .KEY, .KML, .KMZ, .LAY, .LAY6, .LDF, .LUA, .M, .M3U, .M4A, .M4V, .MAX, .MDB, .MDF, .MFD, .MID, .MKV, .MML, .MOV, .MP3, .MP4, .MPA, .MPG, .MS11, .MSI, .MYD, .MYI, .NEF, .NOTE, .OBJ, .ODB, .ODG, .ODP, .ODS, .ODT, .OTG, .OTP, .OTS, .OTT, .P12, .PAGES, .PAQ, .PAS, .PCT, .PDB, .PDF, .PEM, .PHP, .PIF, .PL, .PLUGIN, .PNG, .POT, .POTM, .POTX, .PPAM, .PPS, .PPSM, .PPSX, .PPT, .PPTM, .PPTX, .PRF, .PRIV, .PRIVAT, .PS, .PSD, .PSPIMAGE, .PY, .QCOW2, .RA, .RAR, .RAW, .RM, .RSS, .RTF, .SCH, .SDF, .SH, .SITX, .SLDX, .SLK, .SLN, .SQL, .SQLITE, .SRT, .STC, .STD, .STI, .STW, .SVG, .SWF, .SXC, .SXD, .SXI, .SXM, .SXW, .TAR, .TBK, .TEX, .TGA, .TGZ, .THM, .TIF, .TIFF, .TLB, .TMP, .TXT, .UOP, .UOT, .VB, .VBS, .VCF, .VCXPRO, .VDI, .VMDK, .VMX, .VOB, .WAV, .WKS, .WMA, .WMV, .WPD, .WPS, .WSF, .XCODEPROJ, .XHTML, .XLC, .XLM, .XLR, .XLS, .XLSB, .XLSM, .XLSX, .XLT, .XLTM, .XLTX, .XLW, .XML, .YUV, .ZIP, .ZIPX
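A practical use of the list above is to measure exposure before an infection: which files on a share or workstation would CryptXXX encrypt, so that those get priority in the backup rotation. The following is an added example, not code from the original post or from Trend Micro. The extension list is the one quoted in the post; the parser (which lower-cases, strips the leading dot and drops the list's duplicate entries), the directory walk and the sample paths are assumptions.

```python
"""Exposure check against the CryptXXX target-extension list.

Added example, not code from the original post. The extension list is the one
quoted in the write-up; parsing, scanning and sample paths are assumptions.
"""
import os
import re
from collections import Counter
from typing import Iterable

RAW_LIST = """
.3DM, .3DS, .3G2, .3GP, .7Z, .ACCDB, .AES, .AI, .AIF, .APK, .APP, .ARC, .ASC, .ASF, .ASM, .ASP,
.ASPX, .ASX, .AVI, .BMP, .BRD, .BZ2, .C, .CER, .CFG, .CFM, .CGI, .CGM, .CLASS, .CMD, .CPP, .CRT,
.CS, .CSR, .CSS, .CSV, .CUE, .DB, .DBF, .DCH, .DCU, .DDS, .DIF, .DIP, .DJV, .DJVU, .DOC, .DOCB,
.DOCM, .DOCX, .DOT, .DOTM, .DOTX, .DTD, .DWG, .DXF, .EML, .EPS, .FDB, .FLA, .FLV, .FRM, .GADGET,
.GBK, .GBR, .GED, .GIF, .GPG, .GPX, .GZ, .H, .HTM, .HTML, .HWP, .IBD, .IBOOKS, .IFF, .INDD, .JAR,
.JAVA, .JKS, .JPG, .JS, .JSP, .KEY, .KML, .KMZ, .LAY, .LAY6, .LDF, .LUA, .M, .M3U, .M4A, .M4V, .MAX,
.MDB, .MDF, .MFD, .MID, .MKV, .MML, .MOV, .MP3, .MP4, .MPA, .MPG, .MS11, .MSI, .MYD, .MYI, .NEF,
.NOTE, .OBJ, .ODB, .ODG, .ODP, .ODS, .ODT, .OTG, .OTP, .OTS, .OTT, .P12, .PAGES, .PAQ, .PAS, .PCT,
.PDB, .PDF, .PEM, .PHP, .PIF, .PL, .PLUGIN, .PNG, .POT, .POTM, .POTX, .PPAM, .PPS, .PPSM, .PPSX,
.PPT, .PPTM, .PPTX, .PRF, .PRIV, .PRIVAT, .PS, .PSD, .PSPIMAGE, .PY, .QCOW2, .RA, .RAR, .RAW, .RM,
.RSS, .RTF, .SCH, .SDF, .SH, .SITX, .SLDX, .SLK, .SLN, .SQL, .SQLITE, .SRT, .STC, .STD, .STI, .STW,
.SVG, .SWF, .SXC, .SXD, .SXI, .SXM, .SXW, .TAR, .TBK, .TEX, .TGA, .TGZ, .THM, .TIF, .TIFF, .TLB,
.TMP, .TXT, .UOP, .UOT, .VB, .VBS, .VCF, .VCXPRO, .VDI, .VMDK, .VMX, .VOB, .WAV, .WKS, .WMA, .WMV,
.WPD, .WPS, .WSF, .XCODEPROJ, .XHTML, .XLC, .XLM, .XLR, .XLS, .XLSB, .XLSM, .XLSX, .XLT, .XLTM,
.XLTX, .XLW, .XML, .YUV, .ZIP, .ZIPX
"""


def parse_extension_list(raw: str) -> frozenset:
    """Normalise the published list: lower-case, drop the leading dot, drop duplicates."""
    return frozenset(m.group(1).lower() for m in re.finditer(r"\.?([A-Za-z0-9]+)", raw))


TARGETED = parse_extension_list(RAW_LIST)


def extension_of(path: str) -> str:
    """Extension without the dot, lower-cased; empty string when there is none."""
    return os.path.splitext(path)[1].lstrip(".").lower()


def classify(paths: Iterable[str]):
    """Return (Counter of targeted extension -> file count, number of files not targeted)."""
    hits, misses = Counter(), 0
    for p in paths:
        ext = extension_of(p)
        if ext in TARGETED:
            hits[ext] += 1
        else:
            misses += 1
    return hits, misses


def scan_tree(root: str):
    """Walk a directory tree and classify every file found."""
    def files():
        for dirpath, _, names in os.walk(root):
            for n in names:
                yield os.path.join(dirpath, n)
    return classify(files())


# Constructed sample paths for a quick offline run.
SAMPLE_PATHS = ["report.docx", "photo.JPG", "setup.exe", "vm/disk.vmdk", "notes.txt", "README"]

if __name__ == "__main__":
    hits, misses = classify(SAMPLE_PATHS)
    print(f"targeted: {dict(hits)}  not targeted: {misses}")
```

Running `scan_tree` against a file server's document roots gives a per-extension count that maps directly onto the 3-2-1 backup rule later in the post: the extensions with the highest counts (and .VMDK, .QCOW2 and .VDI, which encrypt whole virtual machines in one file) are the ones whose off-site copy matters most.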

It also locks the user's screen, preventing access to any other tool. As previously mentioned, this appears to be a reaction to the decrypter tool that surfaced for the previous version of CryptXXX. Users can still access the payment site through the links provided in the ransom note.

Figure 3. CryptXXX ransom note

Another peculiar change that CryptXXX introduced is a long waiting period before the ransom amount doubles. While other ransomware families double their price in as little as 24 hours, CryptXXX gives users 90+ hours to pay the ransom before it doubles. Unlike ransomware families that rush users into paying, such as JIGSAW, CryptXXX gives users ample time to come up with the ransom money.

Figure 4. Payment link showing 90+ hours to pay US$500 before payment is doubled

With updated routines and a friendlier ransom proposition, many cybercriminals are sure to flock to CryptXXX. We expect the writers to make further updates that turn this ransomware into a nightmare for users who do not have proper ransomware solutions.

Stopping Ransomware

Angler EK is perhaps one of the most notorious exploit kits; it has victimized hundreds of sites and been part of countless malvertising attempts. Users should always patch or update their programs, software, and applications to the latest versions to protect themselves against exploitation of vulnerabilities. Users should also follow the 3-2-1 rule for backing up files: create three backup copies on two different media, with one of the backups stored in a separate location.

Given that ransomware can also be spread via spam mail attachments or links in spam messages, users should avoid opening unverified emails or clicking on embedded links.

Trend Micro says NO to ransomware. We strongly advise users not to pay ransom demands as it fuels cybercrime and promotes further propagation of ransomware.

Trend Micro offers different solutions to protect enterprises, small businesses, and home users, helping minimize the risk of being affected by ransomware such as CryptXXX.

Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like behavior monitoring, application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers, whether physical, virtual or in the cloud.

For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order to detect and block ransomware.

For home users, Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.

Users can likewise take advantage of our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware, as well as the Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying the ransom or needing the attacker's decryption key.

Related Hashes:

  • DF7E00A7DE1C584F0BF71BB583673A9CA4511AEF – Ransom_WALTRIX.C
  • ADCE8CF4C31F1980C2B1D952A5A931D7C8DCDD8C – Ransom_WALTRIX.C
  • B3CA5D55F0D38AC78A86A36323A8498854E3FA80 – Ransom_WALTRIX.C
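The hashes above are SHA-1 digests, so a responder can sweep a suspect machine or a quarantine share for them directly. The following is an added example, not Trend Micro code: the three digests are the ones listed above, while the chunked hashing, the directory walk and the reporting of unreadable files are assumptions. Digests are compared case-insensitively, and files that cannot be read are listed rather than silently skipped so the sweep's coverage stays visible.

```python
"""SHA-1 IoC sweep for the hashes listed in the write-up.

Added example, not Trend Micro code. The digests come from the post; the
scanner itself is an assumption.
"""
import hashlib
import os

# Hashes from the post, mapped to the detection name given there.
IOC_SHA1 = {
    "df7e00a7de1c584f0bf71bb583673a9ca4511aef": "Ransom_WALTRIX.C",
    "adce8cf4c31f1980c2b1d952a5a931d7c8dcdd8c": "Ransom_WALTRIX.C",
    "b3ca5d55f0d38ac78a86a36323a8498854e3fa80": "Ransom_WALTRIX.C",
}


def classify_digest(hexdigest: str):
    """Return the detection name for a known digest, or None. Case-insensitive."""
    return IOC_SHA1.get(hexdigest.strip().lower())


def digest_bytes(data: bytes) -> str:
    """SHA-1 of an in-memory buffer (used for small samples and tests)."""
    return hashlib.sha1(data).hexdigest()


def digest_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-1 of a file, read in 1 MiB chunks so large files do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: str):
    """Walk root; return (matches, unreadable), matches being (path, detection name) pairs."""
    matches, unreadable = [], []
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            try:
                name = classify_digest(digest_file(p))
            except OSError:          # locked, permission denied, vanished mid-walk
                unreadable.append(p)
                continue
            if name:
                matches.append((p, name))
    return matches, unreadable


if __name__ == "__main__":
    import sys
    found, skipped = sweep(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, name in found:
        print(f"MATCH {name}: {path}")
    print(f"{len(found)} match(es), {len(skipped)} unreadable file(s)")
```

A hash sweep only catches the exact samples listed; the process heuristics earlier on the page cover variants the writers have since repacked, so the two checks complement each other rather than replace one another.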

Update as of May 23, 2016, 7:54 PM (UTC-7)

Trend Micro has released free tools to aid users in gaining access back to their encrypted files and lock screens. Our Ransomware File Decryptor supports CryptXXX v2 as well as TeslaCrypt (versions 1, 3, and 4).

Updated on May 24, 2016, 3:05 AM (UTC-7)

We updated this entry to include the specific coverage of our decryptor tool.

Updated on May 26, 2016, 6:16 AM (UTC-7)

We updated the solutions segment of this entry.
