A new ransomware strain was recently discovered to have started making its rounds since the tail-end of March. On Monday, researchers at Proofpoint, together with added intelligence from security analyst Frank Ruiz, uncovered a new ransomware called “CryptXXX”, which is described to have a stark connection with Reveton, an earlier discovered ransomware type.
This ransomware is spread by BEDEP malware, following a system infection caused by the Angler Exploit Kit (EK). In the released blog post, the researchers described “an Angler EK into BEDEP pass pushing both a ransomware payload and Dridex 222.” This means that web pages hosting the Angler exploit kit were distributing CryptXXX. The kit then capitalizes on vulnerabilities on a system to push the download of BEDEP. Given its “malware-downloading” capabilities, CryptXXX arrives as a second-stage infection—shipped as a delayed execution DLL, which waits for at least 62 minutes to launch. Upon execution of the ransomware, it encrypts the infected system’s files and appends a .crypt extension to the filename.
[Read: The Evolution of Ransomware]
Similar to other ransomware families, particularly Locky, TeslaCrypt, and Cryptowall, this variant creates three file types (de_crypt_readme.bmp, de_crypt_readme.txt, de_crypt_readme.html) to signal and notify the victim of system compromise and to demand payment of the ransom to regain access of the files. According to the researchers, the ransomware demands a rather lofty ransom of $500 per system—a far cry from common ransom payments seen in the past. Further, CryptXXX evades detection through its “anti-VM and anti-analysis functions”, wherein it checks CPU name in the registry and installs a so-called hook procedure to monitor mouse activity.
CryptXXX is also found to possess Bitcoin-stealing abilities, aside from harvesting credentials and other personal information from its target. Trend Micro researchers have found that it can steal data from FTP, instant messaging, and mail applications. According to the blog entry, “We were expecting this because that instance of BEDEP has a long history of dropping information stealers in its update stream. Specifically, it dropped Pony from November 2014 until mid-December 2015. It replaced Pony with an undocumented “private stealer” until mid-March 2016. We believe that the information stealing functions in this ransomware are the same as in the “private stealer” distributed by this instance of BEDEP.”
The Reveton connection
Based largely on the researchers’ analysis of the infection vector and its history, it is established that the CryptXXX is significantly linked to the group that ran Angler and BEDEP. It was also reported that the name of the ransomware was based on two strings seen containing the characters XXX, which is known to be the real name of the Angler exploit kit, whose masterminds are also known to be behind Cool EK and Reveton.
While investigations and analysis of CryptXXX are still ongoing, the researchers behind the discovery are raising a red flag on its potential widespread impact. Other variants that have surfaced more recently may not have gained alarming impact because of less-skilled and experienced minds behind them, CryptXXX doesn’t appear to be just a passing threat.
The blog reads, “Given Reveton's long history of successful and large-scale malware distribution, we expect CryptXXX to become widespread.” Aside from this, since Angler EK has the highest number in terms of volume, it could cause more damage once more well-versed bad actors get their hands on this attack form, much like how Locky instantly caused a stir when it hit several sectors.
Today’s ransomware landscape has significantly evolved from initial sightings of the spread of a scareware issuing empty threats to the development of a lethal data-encrypting malware that locks down files and systems. Much more recently, the continuing surge of newer and more sophisticated variants of ransomware has pushed authorities to shore up their efforts on combating the ongoing ransomware epidemic.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.