CryptXXX Ransomware Gets an Overhaul, Now Known as UltraCrypter?

Developers of the CryptXXX ransomware (identified by Trend Micro as RANSOM_WALTRIX.C) have made several changes to the user interface (UI), ransom note and website of its payment and decryption services, creating their own templates for each. They have also renamed their decryptor tool to “UltraDecrypter,” which could indicate the ransomware’s name change from CryptXXX to UltraCrypter.

According to a report by malware and computer forensics expert Lawrence Abrams, this latest version of CryptXXX does away with the layout and design it copied from CryptoWall (detected by Trend Micro as TROJ_CRYPWALL.D), another strain of ransomware. Its decryption service and payment page, which can be accessed via the Tor network, is offering multi-language support for at least 25 countries. The main page shows the victim’s OS version and IP address, while the tabbed subpages feature FAQs and instructions about buying the UltraDeCrypter tool using the Bitcoin crypto-currency.

 [Read: Millions of Amazon Users Targeted with Locky Ransomware Via Phishing Scams]

Like other variants of the CryptXXX family, the ransomware arrives via exploit kits and trojans that download the malware from the its command and control (C&C) server, typically found on compromised websites serving malicious ads. When the exploit kit is run, it scans the user’s computer for programs and applications with security flaws and attempts to exploit them in order to install and execute the ransomware. CryptXXX also infects users via socially engineered spam emails containing malicious attachments and URLs.

The latest version of the ransomware appends every encrypted file with a .crypt1 extension. After locking the computer’s screen, it changes the desktop wallpaper to a newly designed image similar to its revamped Tor payment site. It also leaves an HTML file in folders and directories that have an encrypted file, containing a personal ID and link to the ransomware’s payment site. The victim is given 90+ hours to pay, after which the ransom doubles to two Bitcoins.

CryptXXX was notable in that it was recipient of successive updates since its discovery last April. Just last week, the malware’s authors implemented a new encryption algorithm, updating it as CryptXXX 3.0. This version implemented a new encryption algorithm to prevent victims from unlocking their devices for free by using publicly available decrypter tools.

There was also a reported increase in the ransomware’s distributors—acting as ‘affiliates’ under the ransomware-as-a-service business model—when the developers of the TeslaCrypt ransomware shut down their operations and released the master decrypt key for free.

[Read: CryptXXX and Cerber Ransomware Get Major Updates]

These “updates” illustrate the increasing maturity and sophistication of ransomware operations as cybercriminals, seeking new ways to profit from these attacks, adapt their strategies and adjust their attacks accordingly.

The ransomware Jigsaw (detected by Trend Micro as RANSOM_JIGSAW.A), for instance, initially used an image of Billy from the movie Saw as part of the ransom note when it was discovered in April. By the first week of May, it became CryptoHitman, using the titular character of the video game Hitman along with pornographic images, and appended encrypted files with extensions .porno and .pornoransom. By the end of May, it featured an image from Invisible Empire, an art exhibit by Juha Arvid Helminen, and added a .payransom! extension to the encrypted files. Jigsaw was notable in its aggressive tactics, such as periodically deleting files for every hour the ransom is not paid, in order to compel the victim into paying as soon as possible.

Kovter (identified by Trend Micro as TROJ_KOVTER.SM), which was uncovered in 2013, started as a simple screen locker but became a fileless click-fraud and phishing malware by 2014. As the ransomware business started gaining traction, its developers are now jumping on the bandwagon and turned Kovter into a full-fledged crypto-ransomware.

Cerber, DMA Locker, PETYA, Mischa and 7ev3n-Hone$t are just some of the other ransomware variants that have been given updates by their authors—from adding new components such as DDoS and C&C communication capabilities, expanding the malware’s distribution and strengthening the encryption algorithm to making the UI user-friendly and even giving discounts to victims.

Even ransomware variants thought to have already been neutralized can also resurface, like what happened to the Attorney’s Office of Pinal County in Arizona when 64,000 of its files were held hostage by the CryptoLocker ransomware.

As per the U.S.’ Homeland Security and Canada’s Cyber Incident Response Centre’s joint advisory, users and businesses are strongly urged to practice good security habits such as regularly maintaining data back-ups, keeping the operating system and applications up-to-date, avoiding unsolicited and unexpected emails, and employing reliable detection and security systems.