CryptXXX ransomware has been observed in the wild as of March 2016, delivered via the Angler Exploit Kit and spread through the Bedep trojan. The ransomware demands a $500 ransom to recover the encrypted files on a machine, and offers the victim the option to decrypt one file for free. If the victim does not pay the ransom within a few days, the demand is doubled. The new ransomware appears to be operated by the same threat actors behind the Reveton ransomware, and, given similarities in the infection vector and in the code, a connection between these actors and the operators of the Angler exploit kit is suspected. On April 26, Kaspersky released a decryptor for the ransomware for machines running the Windows operating system; the executable can be downloaded from the company’s Support Center.
DESCRIPTION

  • CryptXXX ransomware was first identified by researchers in April 2016. The malware is dropped as a second-stage infection by the Bedep trojan, a malware with downloader capabilities. The initial infection of the machine is performed by the Angler Exploit Kit, the most popular exploit kit found in the wild these days.
  • The ransomware is shipped to the victim as a delayed-execution DLL which waits 62 minutes to launch – a function which makes it harder for the victims to connect the incident to the source of infection. Delaying the execution is also a known VM evasion technique, especially when a random delay is used. It then encrypts the files found on the infected machine and appends the .crypt extension to the filename.
  • Similarly to other well-known ransomware families such as Locky, CryptXXX notifies its victims that a successful infection has taken place and that files have been encrypted by creating three files – de_crypt_readme.txt, de_crypt_readme.bmp and de_crypt_readme.html.
  • In addition to encryption, CryptXXX also has info-stealing capabilities: it steals Bitcoins, credentials and other sensitive data. This function is in line with the fact that the Bedep trojan is known to be a dropper of info-stealing malware – it was used to spread the Pony info-stealer from November 2014 until the end of 2015.
  • There are many similarities between the new CryptXXX and the Reveton ransomware, among them the delayed launch, the use of the Delphi programming language and the Bitcoin and credential stealing functions.
  • It is also suspected that there is a connection between the ransomware and the group behind the Angler exploit kit and the Bedep trojan. This assumption is based on similarities in the attack vector and in the malware’s name – the real name of the Angler exploit kit is XXX, and this name was found in two strings in the unpacked binary – Z:\CryptProjectXXX\Loader\InstDecode.pas and Z:\CryptProjectXXX\Loader\DDetours.pas.
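As an added defender-side example (not Check Point’s tooling), the following Python triage script checks a directory tree for the host artifacts named above: files carrying the .crypt extension, the three de_crypt_readme notes, and the two CryptProjectXXX source paths inside dropped binaries. The folder layout and sample files it builds are constructed for the demonstration.

```python
import tempfile
from pathlib import Path

# Indicators from the advisory: ransom-note names, the .crypt extension and the
# two Delphi source paths seen in the unpacked binary. Directory layout is assumed.
RANSOM_NOTES = {"de_crypt_readme.txt", "de_crypt_readme.bmp", "de_crypt_readme.html"}
ENCRYPTED_EXT = ".crypt"
BINARY_STRINGS = [b"Z:\\CryptProjectXXX\\Loader\\InstDecode.pas",
                  b"Z:\\CryptProjectXXX\\Loader\\DDetours.pas"]

def scan_for_cryptxxx(root, binary_exts=(".dll", ".exe")):
    """Walk a tree and collect host artifacts consistent with a CryptXXX infection."""
    findings = {"encrypted": [], "notes": [], "strings": {}}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() == ENCRYPTED_EXT:
            findings["encrypted"].append(str(path))
        elif path.name.lower() in RANSOM_NOTES:
            findings["notes"].append(str(path))
        elif path.suffix.lower() in binary_exts:
            data = path.read_bytes()  # whole-file read; chunk large files in production
            hits = [s.decode() for s in BINARY_STRINGS if s in data]
            if hits:
                findings["strings"][str(path)] = hits
    return findings

def severity(findings):
    """Triage: project strings in a binary, or notes next to .crypt files, rank high."""
    if findings["strings"] or (findings["notes"] and findings["encrypted"]):
        return "high"
    return "medium" if findings["notes"] or findings["encrypted"] else "none"

def build_sample_tree(root):
    """Constructed sample: a user folder after encryption plus a dropped loader DLL."""
    docs = Path(root, "Documents")
    docs.mkdir()
    for name in ("report.docx.crypt", "budget.xlsx.crypt"):
        (docs / name).write_bytes(b"\x00" * 16)  # stand-in for ciphertext
    (docs / "de_crypt_readme.txt").write_text("constructed ransom note")
    (docs / "de_crypt_readme.html").write_text("<p>constructed ransom note</p>")
    loader = Path(root, "Temp", "loader.dll")
    loader.parent.mkdir()
    loader.write_bytes(b"MZ\x90\x00constructed stub " + BINARY_STRINGS[0] + b"\x00")

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        f = scan_for_cryptxxx(tmp)
        return len(f["encrypted"]), len(f["notes"]), sum(map(len, f["strings"].values())), severity(f)
```

Running `demo()` on the constructed tree returns two encrypted files, two ransom notes, one matching project string and a "high" severity.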

CHECK POINT PROTECTIONS
Check Point protects its customers from CryptXXX ransomware, Reveton ransomware and Bedep trojan with our Anti-Bot and Anti-Virus blades:

  • Anti-Bot blade includes post-infection reputation signatures for known C&C servers of Bedep, and network signatures which block communications with the C&C servers of CryptXXX, Reveton and Bedep.
    • Trojan-Ransom.Win32.CryptXXX.A
    • Trojan.Win32.Reveton.E
    • Trojan.Win32.Reveton.F
    • Backdoor.Win32.Bedepshel.A
    • Trojan.Win32.Bedep.A
  • Anti-Virus blade includes signatures for files related to CryptXXX, Reveton and Bedep and for known domains used to distribute Bedep.

Check Point protects its customers from attacks delivered via the Angler Exploit Kit at each stage of the redirection chain prior to the infection with our IPS blade:

Check Point recommends activating the above IPS protections in Prevent mode.
TECHNICAL REFERENCES


  1. These IPS protections saved us recently when a .doc came through with macros that reached out to download more malware. The other IPS that’s been helping protect us is the one that catches .js scripts in zip file attachments. That has stopped about 95% of email attachments that were previously undetected.
