Two new variants of ransomware just got updated by their authors. CryptXXX, which was first discovered in April, has been given a new encryption algorithm to thwart existing decryptor tools. Research from Invincea also reported that the Cerber ransomware has gotten more dangerous after an update gave it a denial-of-service (DDoS) component.
Like its previous versions, CryptXXX 3.0 modifies the computer’s registry keys and replaces them with its own, enabling the malware to take control of the system, redirect the computer’s internet connection, launch pop up ads, and even collect sensitive information and send it to its command and control server (C&C).
Besides spreading through spam email attachments and malicious websites, CryptXXX is also distributed by the Angler exploit kit—a tool used to scan and exploit security vulnerabilities on popular software such as Adobe Reader, Java, Silverlight and Adobe Flash Player. It’s been reported to be the most used exploit tool in 2015, and has been linked to massive malvertising campaigns and has been known to drop ransomware such as 7ev3n and TeslaCrypt, point-of-sale (PoS) malware, and bank trojans.
Upon infection, CryptXXX scans all of the computer’s local, removable and mapped drives, encrypts the files stored in them, and then append a .crypt extension to them, making the files inaccessible to their owner. After encryption, it will lock the screen and change the wallpaper to an image serving as a ransom note that instructs the victim to pay in order to have the decryptor key needed to unlock the affected files. The user is also told to use the anonymizing Tor browser to pay the ransom in Bitcoin, with amounts ranging from $500 to $2,100.
CryptXXX’s first and second versions were counteracted by security experts when decryptortools were made available, giving victims the ability to disregard the ransom and decrypt the hostaged files themselves. CryptXXX 3.0 is the malware authors’ latest response, implementing a new encryption algorithm to render existing decryptor tools ineffective.
Cerber (detected by Trend Micro as RANSOM_CERBER.A) infects systems as a file dropped by another malware or downloaded by users visiting compromised websites. It is typically distributed through malicious ads using the Nuclear exploit kit, noted to be the second most commonly used toolkit in 2015. Nuclear is known for attacking unpatched software such as Java, Acrobat Reader, Adobe Flash Player and Apple Quicktime.
The ransomware encrypts and renders the user’s files inaccessible, after which the user is instructed to pay a ransom ranging from 1.24 to 2.48 bitcoins ($557-$1,114 as of May 24, 2016). It was notable in its use of a computer-generated voice instead of displaying the ransom note as a wallpaper image.
Just last week, Cerber was discovered to be using Windows Script Files (WSF) through double zipped files serving as spam email attachments. The unusual use of WSFs allowed it to bypass the spam filters of email clients and some security software, with the malicious files masquerading as legitimate invoice and billing documents.
The developers of Cerber raised the stakes with its latest iteration by adding a denial-of-service (DDoS) component to the malware. Instead of merely encrypting files and locking the computer, the new Cerber variant also adds the infected computer to botnets used to stage DDos attacks.
Reported by researchers from Invincea, this variant of Cerber uses weaponized Microsoft Word documents via a malicious Visual Basic script that executes and delivers the malware. Upon infection, the victim's system is rendered inaccessible and at the same time being used to deny service to other victims. Invincea's Ikenna Dike further explained, “The observed malware seems to serve multiple purposes. First, it is a typical ransomware binary that encrypts the user’s file system and files while displaying a ransom note. Second, the binary could also be used to carry out a DDoS attack. The observed network traffic looks to be flooding the subnet with UDP packets over port 6892. By spoofing the source address, the host could direct all response traffic from the subnet to a targeted host, causing the host to be unresponsive.”
Another kind of ransomware named Takahiro Locker (identified by Trend Micro as RANSOM_TAKALOCKER.A) has been reportedly found in the wild. Although there are no indications that this variant targets a specific market or audience, the ransom note is written in Japanese. After infection, the victim is greeted by the malware’s pop-up message, “Warning Running Kill Me!”, after which the victim is directed to a “Help Form” that provides links and information on how to transfer the payment. Similar to CryptXXX and Cerber, Takahiro Locker infects a system through malicious email attachments and URLs and encrypts media files (image, music, video), archives (7-Zip and RAR), PDFs and torrent files among others. Interestingly, the ransomware avoids encrypting files from the directories of Origin and Steam, both related to gaming, as well as those found in the Recycle Bin and Program Files.
As per FBI’s advisory, there is no guarantee that affected users and businesses will be able to get their data back even after paying the ransom. For instance, latest reports from recently infected users said that CryptXXX 3.0's decrypt key, which is given to the victim upon payment, only gives an error message when trying to get the files unlocked and decrypted.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).