CryptXXX, 7ev3n Ransomware Get Major Updates

Apparently, there’s more to the site than Hollywood gossip. On Tuesday, the famed celebrity news portal reportedly faced yet another cybersecurity incident after it was identified serving malicious ads to its 500,000 daily site visitors. This is similar to an incident last year, when the controversial website was affected by a malvertising campaign that injected poisoned ads into heavy-traffic websites like The Drudge Report, CBS Sports, Yahoo, Verizon FiOS, and eBay UK, among others.

Security researcher Nick Bilogorskiy notes that, just like last year’s security issue, unsuspecting users are once again redirected to what is known as one of the most active and dangerous exploit kits, Angler. He says, “After browser exploitation, Angler typically drops Bedep malware which will further download and infect the victim’s machine with CryptXXX ransomware.”

This is reminiscent of the malvertising campaigns that recently preyed on Google’s blogging platform, Blogspot, the security information channel VirusBulletin, and the websites of CBS-affiliated TV stations. It goes without saying that malicious ads remain an effective and preferred vessel for delivering malware—playing on an unwitting site visitor’s trust in browsing heavy-traffic legitimate websites. The Register notes, “Malvertising attacks are highly successful because it exploits weaknesses in the global online advertising structure where high-pace and low-profit margins leave little room for complex buyer and content integrity checks.”


Ransomware 2.0

According to initial reports, the malvertising attack that affected the Hollywood celebrity news site delivers a recent ransomware variant called CryptXXX. Likely a descendant of the earlier Reveton ransomware, CryptXXX gained traction after making its rounds around the latter part of March, 2016.

CryptXXX shares the qualities that gave Reveton its history of widespread distribution, and it is tied to Angler EK, one of the most active exploit kits. Security analysts were therefore quick to raise a red flag when CryptXXX surfaced, as it could do a lot of damage once it reaches the hands of well-versed cyber crooks—similar to how Locky managed to infect victims across different sectors.

Barely a month after it was discovered, researchers spotted a significant update to the ransomware strain. Shortly after it made the news, a free decryption tool emerged that could decrypt the kidnapped files—essentially allowing victims to download the decrypter and disregard the ransom. However, the cybercriminals behind CryptXXX were quick to respond to this “embarrassment” by modifying the ransomware to make it more effective, aptly calling it CryptXXX 2.0.

Now, the ransomware is also able to lock the affected system's screen, rendering it useless. This means that victims have to use a different machine in order to follow payment instructions to obtain the key for the encrypted files. Apart from this, the ransom message is now unique per victim.

In a follow-up blog post, researchers at Proofpoint note, “CryptXXX is being actively maintained: we have seen it evolve multiple times since our initial discovery, but the changes did not appear significant enough to be mentioned.” The post went on to say, “As expected, the number of actors spreading it has increased, making it one of the most commonly seen ransomware families.”

CryptXXX is not the only ransomware strain known to have undergone a recent facelift. Instead of improving its technical capabilities to make it even more destructive, the cybercriminals behind another ransomware family, 7ev3n, focused on making the malware “friendlier”.

At the onset of the year, this new ransomware strain was spotted featuring the ability to modify several system settings. Besides encrypting files, this feature disables the computer’s keyboard keys and system recovery options, ruling out any chance for the victim to bypass the locked screen. To make it even more problematic, a hefty ransom of 13 bitcoins, or almost US$5,000, is demanded—one of the biggest amounts demanded by a data kidnapper.

The recent modification did not intensify the malware’s encryption capabilities. Renamed "7ev3n-Hone$t", the new version was updated to be more "user-friendly" and affordable, with a dramatically lowered ransom of 0.5 to 1 bitcoin (around US$400). The user interface now also offers several payment options, and even a discount for victims who paid the full ransom amount. Also, getting infected by the malware does not necessarily mean that the entire computer system gets locked. The ransom note is simply overlaid on top of the screen; programs remain accessible, albeit partly obscured.

As for the malvertising attack that became a vessel for ransomware distribution, it is not clear whether the CryptXXX variant the malicious ads lead to is the updated version or not. However, given these recent updates, researchers warn that the rapid change and evolution seen in any ransomware variant shows continuous efforts by cybercriminals to make their malware more effective and lucrative. Security experts and tech firms may continue to release new decryption tools in the future, but this might only trigger malware authors to create even more destructive products.

Trend Micro endpoint solutions such as Trend Micro™ Security, Smart Protection Suites, and Worry-Free™ Business Security can protect users and businesses from this threat. Strong password policies and the disabling of automatic macro loading in Office programs, along with regular patching schedules, are also among the valid and tested ways to keep ransomware at bay. And despite this threat's attempt to render backup files useless, backups remain an effective defense. Additionally, Trend Micro™ Deep Security provides advanced server security for physical, virtual, and cloud servers. It protects enterprise applications and data from breaches and business disruptions without requiring emergency patching. This comprehensive, centrally-managed platform helps simplify security operations while enabling regulatory compliance and accelerating the ROI of virtualization and cloud projects.
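One of the mitigations listed above, disabling automatic macro loading in Office, is controlled by the VBAWarnings registry value. The following PowerShell audit is an added example, not code from the article or from Trend Micro; it reports the macro setting for each Office application and version it finds for the current user, flags the weak value, and shows the hardened setting beside it (the app and version lists are assumptions covering Office 2010 to 2016/365).

```powershell
# Added example: audit and harden Office macro settings (VBAWarnings) for the current user.
# VBAWarnings meanings: 1 = enable all macros (weak), 2 = disable with notification (default),
# 3 = disable all except digitally signed, 4 = disable all without notification (hardened).
$apps     = 'Word', 'Excel', 'PowerPoint'      # assumed set of apps to check
$versions = '14.0', '15.0', '16.0'             # Office 2010, 2013, 2016/365

function Get-MacroSetting {
    param([string]$App, [string]$Version)
    # A Group Policy value (Policies hive) overrides the per-user value when both exist.
    $paths = @(
        "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security",
        "HKCU:\Software\Microsoft\Office\$Version\$App\Security"
    )
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -Name VBAWarnings -ErrorAction SilentlyContinue
        if ($v) { return [int]$v.VBAWarnings }
    }
    return $null   # no value set: Office default (2, prompt on open) applies
}

function Set-MacrosDisabled {
    param([string]$App, [string]$Version)
    # Hardened configuration: disable all macros without notification (VBAWarnings = 4).
    $path = "HKCU:\Software\Microsoft\Office\$Version\$App\Security"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name VBAWarnings -Value 4 -Type DWord
}

foreach ($ver in $versions) {
    foreach ($app in $apps) {
        $setting = Get-MacroSetting -App $app -Version $ver
        if ($null -eq $setting) { continue }   # app/version not installed or never configured
        $status = switch ($setting) {
            1 { 'WEAK: all macros run automatically' }
            2 { 'default: prompt on open (user can still enable)' }
            3 { 'ok: signed macros only' }
            4 { 'hardened: macros disabled' }
            default { "unknown value $setting" }
        }
        "{0} {1,-10} VBAWarnings={2}  {3}" -f $ver, $app, $setting, $status
        # Remediate the weak setting in place; comment out to run as a read-only audit.
        if ($setting -eq 1) { Set-MacrosDisabled -App $app -Version $ver }
    }
}
```

HKCU values only cover the current user and can be changed back by that user; for fleet-wide enforcement set the same value through Group Policy, which lands in the Policies path the audit checks first.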
