CryptXXX is a trojan-ransomware variant that infiltrates a system, encrypts its files and then demands payment in return for the key needed to retrieve them. This malware was first reported around the beginning of April and has been identified as sharing characteristics with an earlier variant named Reveton ransomware (one being that both are written in Delphi). Due to a flaw found in this ransomware, a decryption tool is available (developed by Kaspersky Labs), though other aspects of this attack make it vital for a user who is unlucky enough to become infected to get rid of CryptXXX at the earliest chance. Reveton went through many developments after emerging in 2014, and CryptXXX is thought to be a variant from the same malware authors.
Ransomware is distributed in several ways. CryptXXX is currently delivered by an exploit kit (EK) called Angler, which detects and takes advantage of vulnerabilities in a browser, system or application. Other ways ransomware can infect a system are: disguised within a spam e-mail attachment or macro; bundled with freeware; hiding in a freeware update (or disguised as one); via peer-to-peer file-sharing; introduced via a manual hack through a remote desktop; or by an infected external device.
Exploit kits attack users from an infected website or server, either one set up by the hackers or a legitimate domain that has been infiltrated. Once the EK has penetrated a system, it can then introduce whatever malware the hacker requires, and report back regularly. The payloads of this EK reported so far include a malware used for bank fraud called Dridex222, so while the ransomware-encrypted files can be dealt with, it is important to eradicate CryptXXX in case this dangerous trojan is being prepared to follow.
The malware has a delayed start-up of 60 minutes, presumably to conceal the location of the compromised website (landing page) that the EK is based on. This function was also employed in the Reveton ransomware. Another defence it employs is to install a hook procedure to monitor mouse activity.
It creates Start Up registry entries and contacts the command and control server on the TOR network before starting to encrypt files. Then it searches for any external devices and encrypts any files on these. Using an information-stealer component, it steals any Bitcoin from wallets on the computer and records information such as browsing history details, file-shares, and installed mail and instant messenger client data. After encryption is complete, files are left with the extension .crypt and a demand for Bitcoin to the value of US$500 is issued, along with payment details for a transaction to be made over the TOR network.
The malware tries to avoid detection until file encryption is complete. Some AV software may not detect it, so it is important to know the symptoms to watch for manually. The visibility of some symptoms will depend on the system’s CPU power; they include: slowed start-up time; slower program execution with possible premature termination; screen freezes; unauthorized port usage and internet connections. If any of the above are noticed, disconnect from all wireless, internet and network connections. Check files for changed extensions. If any .crypt extensions are found, follow the steps below to decrypt CryptXXX ransomware.
How to decrypt CryptXXX ransomware?
Please, follow these steps to successfully decrypt .crypt files:
Step 1: Download the free CryptXXX decrypter from here: http://media.kaspersky.com/utilities/VirusUtilities/EN/rannohdecryptor.zip
Step 2: Extract the RannohDecryptor.exe to your desktop and run it.
Step 3: Click “Change Parameters” to select which drives you want to add to the scan.
Step 4: Click “Start Scan”. Please be aware that the scan may take a long time, so while it is running, do not turn off your PC!
Step 5: If the decrypter cannot find the decryption key automatically, you need to provide one encrypted file together with its original, unencrypted copy. It will then calculate the decryption key, and all other encrypted files will be decrypted without any issue.
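As an added illustration (not part of the original article and not Kaspersky’s tool), the following Python script performs the file check recommended above and prepares the input for Step 5: it lists every .crypt file under a folder and pairs each one with a clean copy of the same file from a backup folder, which is the encrypted/original pair the decrypter asks for. The folder layout, file names and contents in the demo are constructed sample data.

```python
from pathlib import Path
from typing import Dict, List, Tuple
import tempfile

CRYPT_SUFFIX = ".crypt"  # the extension the article reports CryptXXX appends


def find_encrypted(root: Path) -> List[Path]:
    """Return every regular file under root whose name ends in .crypt."""
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and p.name.lower().endswith(CRYPT_SUFFIX))


def original_name(encrypted_name: str) -> str:
    """Strip the appended suffix: 'report.docx.crypt' -> 'report.docx'."""
    if not encrypted_name.lower().endswith(CRYPT_SUFFIX):
        raise ValueError(f"not a {CRYPT_SUFFIX} file: {encrypted_name}")
    return encrypted_name[:-len(CRYPT_SUFFIX)]


def pair_with_backup(scan_root: Path, backup_root: Path
                     ) -> Tuple[List[Tuple[Path, Path]], List[Path]]:
    """Match each .crypt file to a clean copy at the same relative path under
    backup_root. Returns (pairs, unmatched); a single pair is all Step 5 needs."""
    pairs: List[Tuple[Path, Path]] = []
    unmatched: List[Path] = []
    for enc in find_encrypted(scan_root):
        rel = enc.relative_to(scan_root).parent / original_name(enc.name)
        candidate = backup_root / rel
        if candidate.is_file():
            pairs.append((enc, candidate))
        else:
            unmatched.append(enc)
    return pairs, unmatched


def demo() -> Dict[str, int]:
    """Constructed sample tree (not real infection data): two .crypt files in
    the scanned folder, and a backup holding the original of only one of them."""
    with tempfile.TemporaryDirectory() as tmp:
        scan, backup = Path(tmp) / "scan", Path(tmp) / "backup"
        (scan / "docs").mkdir(parents=True)
        (backup / "docs").mkdir(parents=True)
        (scan / "docs" / "report.docx.crypt").write_bytes(b"\x9a\x41\x00\x7f")
        (scan / "docs" / "notes.txt.crypt").write_bytes(b"\x11\x22\x33")
        (scan / "docs" / "untouched.txt").write_bytes(b"plain text")
        (backup / "docs" / "report.docx").write_bytes(b"original report")
        pairs, unmatched = pair_with_backup(scan, backup)
        return {"encrypted": len(pairs) + len(unmatched),
                "paired": len(pairs), "unmatched": len(unmatched)}


if __name__ == "__main__":
    print(demo())  # {'encrypted': 2, 'paired': 1, 'unmatched': 1}
```

Run it against the real scan and backup folders by calling pair_with_backup with those paths; any entry in the returned pairs list can be handed to the decrypter in Step 5.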
Preventing CryptXXX
Prevention is easier than dealing with this or worse threats, though it is an on-going job. Look first at how this entered: via a vulnerability. A system must be kept patched and all applications kept up to date. Delete all old versions and any applications not regularly used. Browsers must be current and set to the highest privacy settings (how to harden browsers). A good firewall that covers ALL routes into the system is essential; it should be set to disallow any communication with the TOR and I2P networks and to disallow unauthorized port access.
Limiting file-path operation using Software Restriction Policies can prevent a lot of malware from operating inside a system (see the Windows website for details). Unsolicited e-mail should not be opened, and ActiveX functionality for Office formats should be disabled for extra safety (see more about malicious macros here). Care should be taken with freeware: never quick-install; always scrutinize the contents using the Advanced or Custom option. Regular scanning with good software is recommended.
Ransomware (and malware in general) is continuously developing. Operating with care and keeping a system well organized on an on-going basis will keep out CryptXXX and its like. Failure to maintain the defence of these potential points of vulnerability can lead to much more trouble than the inconvenience of a little deletion and decryption…