Check Point Threat Alert: CryptXXX Ransomware

CryptXXX ransomware has been observed in the wild as of March 2016, delivered via the Angler Exploit Kit and spread through the Bedep trojan. The ransomware is demanding a $500 ransom to be paid in order to recover the encrypted files on a machine, and provides the victim the possibility to decrypt one file for free. If the victim does not pay the ransom after a few days the demand is doubled. It appears that the new ransomware is operated by the same threat actors behind the Reveton ransomware, and due to similarities in the infection vector and in the code, it is suspected that there is a connection between the actors and the operators of the Angler exploit kit. On April 26, Kaspersky released a decryptor for the ransomware, for machines running the Windows Operating System. The executable can be downloaded from the company’s Support Center (on this link).

  • CryptXXX ransomware has been first identified by researchers in April 2016. The malware is dropped as a second-stage infection by the Bedep trojan, a malware which features downloader capabilities. The machine infection process is caused by the Angler Exploit Kit, the most popular exploit kit found in the wild these days.
  • The ransomware is shipped to the victim as a delayed execution DLL which waits 62 minutes to launch – a function which makes it harder for the victims to connect the incident to the source of infection. Delaying the execution is also a known VM evasion technique, especially when using a random time of delay. It then encrypts the files found on the infected machine and adds to the filename the .crypt extension.
  • Similarly to other famous ransomwares such as Locky, CryptXXX notifies its victims a successful infection has taken place and files have been encrypted by creating three types of files – de_crypt_readme.txt, de_crypt_readme.bmp, de_crypt_readme.html.
  • In addition to encryption, CryptXXX also has info-stealing capabilities and it steals Bitcoins, credentials and other sensitive data. This function comes in line with the fact that Bedep trojan is known to be a dropper of info-stealing malwares – it has been used to spread the Pony info-stealer as of November 2014 until the end of 2015.
  • There are many similarities between the new CryptXXX and Reveton ransomware, among them are the delayed launch, the use of Delphi programming language and the Bitcoin and credential stealing functions.
  • It is also suspected that there is a connection between the ransomware and the group behind the Angler exploit kit and Bedep trojan. This assumption is based on similarities in the attack vector and in the malware’s name – The real name of Angler exploit kit is XXX, and this name was found on two strings in the unpacked binary – Z:\CryptProjectXXX\Loader\InstDecode.pas, Z:\CryptProjectXXX\Loader\DDetours.pas.

Check Point protects its customers from CryptXXX ransomware, Reveton ransomware and Bedep trojan with our Anti-Bot and Anti- Virus blades:

  • Anti-Bot blade includes post infection reputation signatures for known C&C servers of Bedep, and network signatures which block communications with the C&C servers of CryptXXX, Reventon and Bedep.
    • Trojan-Ransom.Win32.CryptXXX.A
    • Trojan.Win32.Reveton.E
    • Trojan.Win32.Reveton.F
    • Backdoor.Win32.Bedepshel.A
    • Trojan.Win32.Bedep.A
  • Anti-Virus blade includes signatures for files related to CryptXXX, Reventon and Bedep and for known domains used to distribute Bedep.

Check Point protects its customers from attacks delivered via the Angler Exploit Kit at each stage of the redirection chain prior to the infection with our IPS blade:

Check Point recommends activating the above IPS protections in Prevent mode.