Well – what headlines: TeslaCrypt retires and publishes a master decryption key, while tech and security specialists believe that the same team are now pushing the new, improved CryptXXX, v3.0. One location this malware was infecting was on a compromised site selling kid’s toys (this location is currently down for maintenance as would be expected).
This choice of product change by the criminals is the observation of Trend Micro. The hackers even went to the length to publish an apology, ‘we are sorry!’ on the former malware page. The technicians monitoring this activity have linked the previous spread and distribution of TeslaCrypt with CryptXXX – though the specific technical details to suggest this link have not been revealed by the company.
It is not clear why TeslaCrypt shut-up-shop; the earlier versions dating from v2.00 which emerged last year were cracked… but not v4.0 which was released shortly before the malware was pulled. Last year, it is thought to have accounted for 39% of all U.S infections, netting many thousands of dollars. Increasingly, TeslaCrypt and other ransomware could be seen to target business and commercial organizations. On the other hand, CryptXXX has just appeared to have developed an decryption problem – due to a flaw, even if the victim pays, there is no key available at the moment. This doesn’t make good business sense.
The CryptXXX threat
Trend Micro’s Jon Clay outlined his concerns about the recent updates of the ransomware and its distribution using exploit kits: “This is a departure from the traditional email-based infection vector which is more targeted… CryptXXX also uses anti-sandbox code as well as running a watchdog process to protect itself from being detected and terminated“. Apart from the defensive measures, CryptXXX also allows the victim more time to make the ransom payment before the price increases, perhaps as a marketing strategy to maximize revenue (90 hours rather than the customary 24).
The product of Reveton ransomware?
The security firm Proofpoint have connected the coding contained in CryptXXX with the prototype ransomware Reveton, and believe it is the ongoing work of the same cyber-gang. One thing is for sure, this threat is building and is sure to make more headlines and claim further victims. As yet there is no decryptor for CryptXXX so it is important for the user to ensure everything in their system is current and robust, and to delete any unused plugins that may be a vulnerability. And last but not least – make regular backups to an external device.
