CryptXXX Version 3.100 Updated with StillerX Infostealer



In general, ransomware like CryptXXX/UltraCrypter sneaks into the victim’s computer and encrypts their files, appending an extension (.cryp1 in the case of UltraCrypter) and demanding payment in exchange for the files’ decryption. However, things can get worse, as ransomware operators continually update their code and increase the damage done by their malicious campaigns.

This is what happened with the CryptXXX/UltraCrypter/Cryp1 story, which is currently even more convoluted than it was last week. Apparently, the cyber-criminal gang operating this crypto virus has now added an infostealer module set to harvest the passwords of the victim’s various applications. This module is dubbed StillerX. The current version of the ransomware is CryptXXX Version 3.100, and the extension used is .crypz.

More about StillerX Infostealer and CryptXXX Version 3.100

The StillerX module has been detected and analyzed by Proofpoint. According to their research, StillerX is just one of the many new features added to the crypto virus. The infostealer, however, is the most dangerous one, as it multiplies the damage of the malicious operation and further endangers the victim’s personal accounts (and information).

As pointed out by Proofpoint researchers, the addition of StillerX is mainly an attempt to further monetize the CryptXXX Version 3.100 operations.

How Is the StillerX Infostealer Module Dropped onto the System?

The ransomware downloads a DLL file designed to act as an infostealer. The name of the file is stiller.dll, stillerx.dll or stillerzzz.dll. Basically, the DLL works as a plugin but can also be used as a standalone stealer, without the ransomware, Proofpoint researchers explain.

The stealer, like the ransomware, is written in Delphi, and uses the object-oriented capabilities offered by the language. Its relatively large size on disk (around 1.2 MB) is due to the static linking of several third-party libraries, such as DCPcrypt, used for retrieving and decrypting locally stored credentials.
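A triage pass over file-creation telemetry for the indicators named in this article (the three DLL names and the .cryp1/.crypz extensions), added here as an example and not taken from Proofpoint's research. The event format, host names, paths and burst threshold are constructed assumptions.

```python
import ntpath
from collections import Counter

# File names and extensions reported in this article.
STEALER_DLLS = {"stiller.dll", "stillerx.dll", "stillerzzz.dll"}
RANSOM_EXTS = {".cryp1", ".crypz"}

# Constructed sample events as (host, path); a hypothetical stand-in for
# EDR or Sysmon file-creation records exported from your own tooling.
SAMPLE_EVENTS = [
    ("WS-014", r"C:\Users\amy\AppData\Local\Temp\StillerX.dll"),
    ("WS-014", r"C:\Users\amy\Documents\budget.xlsx.crypz"),
    ("WS-014", r"C:\Users\amy\Documents\notes.docx.crypz"),
    ("WS-014", r"\\fileserver\share\plan.pdf.crypz"),
    ("WS-022", r"C:\Users\bob\Documents\report.docx"),
    ("WS-022", r"C:\Program Files\App\distiller.dll"),  # benign look-alike
]

def triage(events, burst_threshold=3):
    """Return (stealer_hits, encrypting_hosts, network_hits).

    stealer_hits     - files whose base name equals a reported DLL name
    encrypting_hosts - hosts that wrote >= burst_threshold renamed files
    network_hits     - renamed files on UNC paths (network drives)
    """
    stealer_hits, network_hits = [], []
    renamed = Counter()
    for host, path in events:
        # ntpath parses Windows paths correctly on any analysis platform.
        name = ntpath.basename(path).lower()
        ext = ntpath.splitext(name)[1]
        if name in STEALER_DLLS:  # exact match, so distiller.dll is ignored
            stealer_hits.append((host, path))
        if ext in RANSOM_EXTS:
            renamed[host] += 1
            if path.startswith("\\\\"):
                network_hits.append((host, path))
    encrypting = sorted(h for h, n in renamed.items() if n >= burst_threshold)
    return stealer_hits, encrypting, network_hits

if __name__ == "__main__":
    stealer, hosts, shares = triage(SAMPLE_EVENTS)
    print("stealer DLL written:", stealer)
    print("hosts with encryption burst:", hosts)
    print("network-drive files affected:", shares)
```

File names are easy for operators to change, so a DLL-name hit is a prompt to rotate the credentials stored on that host, not proof of absence when nothing matches.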

What Kind of Credentials Is StillerX After?

The infostealer DLL can affect a wide range of apps – from poker software to Cisco VPN logins. Browsers, applications, download managers, email clients, FTP software, instant messengers, proxy clients, dialer credentials, and passwords stored in WNetEnum’s cache and Microsoft’s Credential Manager can be affected.

The malware makes extensive use of inheritance and “abstract” classes. Child classes inherit from the abstract classes based on the type of targeted programs (for example, TModule_ICQ2003 inherits from TModule_IM_Abstract).

Furthermore, infostealers like StillerX are crafted to attack the internal databases of various software packages. They can extract both encrypted and cleartext passwords, and send them to an online server.

CryptXXX/UltraCrypter/Cryp1 Decryption Website Also Changed

One of the other major changes in Cryp1 is the employment of a new decryption website. After the “upgrade”, the website now has new graphics which no longer correspond to the CryptoWall ransomware family.

Besides the changes described in this article, CryptXXX Version 3.100 can now search and infect network drives.

Can Kaspersky Solutions Still Help with CryptXXX Version 3.100?

Researchers point out that even though Kaspersky Labs “were able to release an effective decryption tool quickly due to underlying similarities between CryptXXX and the older Rannoh ransomware, organizations and end users should not count on the presence of such a tool.” Instead, users and enterprises should be prepared and should back up their data effectively prior to a ransomware infection. What is more, the employment of an infostealer now puts companies and organizations at greater risk, making all of their credentials vulnerable to further cyber attacks.

Meanwhile, if you’re reading this article because you’re now a victim of a version of this nasty crypto virus, jump to our Cryp1, UltraCrypter removal article or our Crypz removal article to discover possible ways to recover your files. Another place for ransomware victims is our security forum, where you can share your experience in the topic dedicated to Cryp1/UltraCrypter ransomware.




Milena Dimitrova
