Ransomware Update: UltraCrypter Not Giving Decrypt Keys After Payment, Jigsaw Changes UI Again

CryptXXX ransomware is under the spotlight again following news that the decryption service on its payment website was not working properly. The Jigsaw ransomware (detected by Trend Micro as RANSOM_JIGSAW.A), well-known for periodically changing the image used for the ransom note, has again updated the infected system’s user interface (UI). Both ransomware families have also been reported to be offering a ‘Help Desk’ and chat support to their victims.

The CryptXXX ransomware (detected as RANSOM_WALTRIX.C), which was earlier reported to have been rebranded as UltraCrypter, has undergone several major updates since its discovery in April. After two of its earlier versions were cracked by security experts, the ransomware’s developers updated it to CryptXXX 3.0, which implemented a stronger encryption algorithm to render free and publicly available decryption tools ineffective. They also made several design changes to the victim’s UI, ransom note, and payment website, and renamed its decryption tool to “UltraDecrypter.” Encrypted files are appended with a .crypt1 extension.

CryptXXX 3.1, the latest iteration, gave the malware the capability to scan shared resources on the network and encrypt files stored on those drives. To maximize their profit, the developers also added an information-stealing DLL (StillerX), which collects and exfiltrates the victim’s browser history, cookies, and credentials from email, FTP, IM, VPNs and proxies, remote administration software, poker gaming software, and Microsoft Credential Manager.

The malware’s authors seem to have hit another snag after their payment system was found to be faulty. According to reports, the system was not properly recognizing payments made by victims, leaving them unable to download the “UltraDeCrypter” tool needed to unlock their kidnapped files.

To make matters worse, the timer, typically set to 90 hours, keeps running, and the ransom amount is automatically doubled when it expires. In a sample provided by BleepingComputer.com’s Lawrence Abrams, a payment of 1.2 bitcoins, which was the original ransom amount demanded from a recent victim, showed up as completed in the UI, but the UI is instead now asking for 2.4 bitcoins.

Abrams remarked, “probably because this group continues to have problems with their system, they have added a Helpdesk tab to the UltraDeCrypter payment site. This tab contains a form that a victim can use to contact the payment server operators in the event of a problem.”

[Infographic: Ransomware 101: How Users can Get Infected]

Bugs and flaws in ransomware operations themselves are not new. BadBlock, for instance, encrypted not only the user’s personal files, but also Windows system files needed to start the computer. Left with unusable machines, victims couldn't see the ransom note, and had no other recourse to get their data back aside from backups, if there were any at all.

The earlier versions of the DMA Locker ransomware (detected by Trend Micro as RANSOM_MADLOCKER.B), too, have been known to crash during the encryption process. Before the ransom can even be sent, affected users end up with inoperable devices and corrupted files.

Security researchers and analysts were also able to exploit a flaw in the programming of PETYA ransomware (detected by Trend Micro as RANSOM_PETYA.A) that allowed them to create a tool that generates a key which can unlock the computer’s encrypted hard drive.


Meanwhile, security researcher Michael Gillespie from MalwareHunterTeam has uncovered a new variant of Jigsaw (detected by Trend Micro as Ransom_JIGSAW.H), which appends a .payms extension to the encrypted files. The malware demands a ransom payment of $150 worth of bitcoins in order to get the locked data decrypted; the ransom increases to $225 after 24 hours.

Unlike other variants of Jigsaw that make use of provocative images as part of the ransom note, the latest iteration uses a simple image containing a ‘Ransom ID,’ English and Spanish-translated instructions on how to pay the ransom via bitcoins, and an alert that warns infected users, “if you try to tamper with this program all your files will be deleted.” Victims who may need ‘help’ are invited to visit its chat web page.

Reported by security firm Forcepoint to be sold as a toolkit in the deep web for $139, Jigsaw is seeing many of its variants being released by distributors, who then configure the malware’s source code to suit their needs. Forcepoint’s Andy Settle noted, “The seller is kind enough to provide a guide to building and deploying the malware which is of course available online.”


As per the FBI’s advice, there is no guarantee that paying the ransom will lead to getting a decrypt key for the hostaged files, as happened to Kansas Heart Hospital, which was extorted twice. Even the offer in the latest version of DMA Locker to decrypt a file for free, most likely meant to lure victims into paying, was reported not to work even after a file was successfully uploaded.

Homeland Security and Canada’s Cyber Incident Response Centre, in a joint advisory, added, “Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.”

