One of the most devastating file-encryption viruses – CryptXXX has released a new variant, that has been dubbed “Microsoft Decryptor”. The virus includes a link to a new web page and a fresh new ransom note. Another development of this virus is that it does not make any changes to the appearance of the encrypted files, meaning that it does not change their names or add custom file extensions, unlike the previous versions.
CryptXXX Uses Neutrino Exploit Kit
A Neutrino Exploit Kit detection has been analyzed by the researcher at SANS Internet Storm Center Brian Duncan to directly drop CryptXXX Ransomware’s files on infected computers. The Neutrino EK’s attack was done via injecting a malicious script from a compromised website, reportedly associated with the “pseudoDarkleech” malware campaign.
The researcher managed to find the IP address of the host injecting the Exploit Kit on the compromised computer to be 220.127.116.11.
In addition to that, it was also discovered that after the computer has been infected with the CryptXXX latest variant, the traffic let to the following host – 18.104.22.168.
The Neutrino Kit (Former Angler EK which is now dead) first sends a so-called Flash Exploit which is common in Zero-Day attacks, meaning that this script may take advantage of older versions of software components of Windows to infect the computer. One of those components may be an old version of Flash Player, for example.
After this has been done, the Exploit Kid initiates the actual payload dropping process, by executing another script and dropping the files and the ransom note of the virus from a remote host.
CryptXXX and Ransomware In General – Summary, More Information and Guidance
CryptXXX is a virus which has dealt a lot of damage to users and by some is even considered the leader regarding damage amongst other ransomware viruses. Not only this, but the virus has also featured previous versions that have broken decryptors. This was devastating for some users because their chances to decrypt CryptXXX encoded files significantly dropped down.
Here is related information about the previous versions of CryptXXX Ransomware which have been analyzed:
Remove CryptXXX Ransomware and Restore .crypt Encrypted Files
Remove CryptXXX 2.0 Ransomware and Restore .crypt Encrypted
Remove CryptXXX 3.0 Ransomware and Restore .Crypt Encrypted Files
CryptXXX Version 3.100 Updated With StillerX InfoStealer
Remove Cryp1 (UltraCrypter) Ransomware and Restore .Cryp1 Files
After the whole CryptXXX menace became huge, malware researchers all over the world united and stroke back, creating several working decryptors for the many variants of CryptXXX:
Cryp1 Decrypter – by Trend Micro
Rannoh Decryptor for CryptXXX’s 1st Version – by Kaspersky
Decrypting RSA Encrypted Files Using Factorization and Python – by various malware researchers
Users can also find instruction videos online to help them try decryption and successfully remove CryptXXX Ransomware which should be done swiftly:
The bottom line for Ransomware viruses like CryptXXX, in general, is that during the year 2016 it is experiencing a “boom” since more and more viruses come out. And due to the huge variety of viruses, variants and number of cyber-criminals, the job for the law to catch them is very challenging. What is even worse is that the Deep Web offers ransomware for prices that may range from hundreds to thousands of dollars. There is even a Hidden Tear project which is open source and with enough skill anyone can create a Ransomware virus for free. This is very dangerous, and we strongly advise users to increase the protection of their files.
This has concerned us as both users and researchers in this field, and this is why we have decided to see how users store their data and hopefully give tips on how to stay safe from the dynamic environment of the evolved 21st-century criminals.
To learn how to protect your data from malware, please check the following research: