The most recent version of CryptXXX ransomware has collected about $60,478 in ransom payments since June 4 of this year. The latest release also fixes code flaws in earlier builds that had let victims avoid paying and restore their files with free decryption tools.
This month, security experts from SentinelOne have been tracking a CryptXXX campaign that uses the most recent build of this ransomware family.
The experts monitored the Bitcoin wallet used for ransom payments, which showed that a single campaign has generated more than 70 incoming transactions, totaling $60,478.73, based on the latest exchange rates.
Since each payment was forwarded on to a new wallet, the ransomware developers are most likely using Bitcoin tumbler services to cover their tracks.
“While the consistent transaction amounts would suggest that all transactions to this address are for CryptXXX malware, it’s impossible to be certain. Also, multiple addresses may be used for this malware family. Since this address didn’t have any activity until 6/4/2016, it’s likely that one new address is being used per version or campaign,” Caleb Fenton from SentinelOne said.
Among the most important changes in the latest version of CryptXXX is the correction of a flaw that previously allowed decryption tools from Kaspersky and other security firms to restore a victim’s files without a ransom payment.
It is not yet known whether this change can be circumvented. Previous builds also defeated the decryption tools at first, but the security vendors simply updated their software to compensate.
The updated version of CryptXXX examined by SentinelOne lets the victim decrypt one file free of charge, though that file must be smaller than 512 KB.
“This is a good idea from a psychological standpoint since the malware authors know that people are more likely to pay for something if they know that it will work,” Fenton stated.
The most recent variant of CryptXXX also encrypts files with the extension .crypt1; previous variants used .crypz and .crypt. Additionally, the shadow volume copies on the victim’s system are deleted, preventing a restore from backups.
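As an added example (not code from the article or from SentinelOne's research), the following Python snippet turns the two behaviours described above into simple host-side detection logic. It counts files whose names end in the extensions the article attributes to CryptXXX variants (.crypt1, .crypz, .crypt) in a directory listing, and it scans process-creation log lines for shadow-copy deletion commands. The `vssadmin delete shadows` and `wmic shadowcopy delete` patterns are the common Windows commands for removing shadow copies and are an assumption here; the article only states that the copies are deleted, not how. The file paths and log lines are constructed sample data.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# File extensions the article attributes to CryptXXX variants.
CRYPTXXX_EXTENSIONS = {".crypt1", ".crypz", ".crypt"}

# Shadow-copy deletion command lines. These are assumed common patterns;
# the article says shadow copies are deleted but not which command is used.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
]

# Constructed sample directory listing (not real victim data).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.crypt1",
    r"C:\Users\alice\Documents\budget.xlsx.crypt1",
    r"C:\Users\alice\Pictures\holiday.jpg.crypt1",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Desktop\old.pdf.crypz",
]

# Constructed sample process-creation log lines (not real telemetry).
SAMPLE_LOGS = [
    "2016-06-10 09:12:01 ProcessCreate user=alice "
    "image=C:\\Windows\\System32\\vssadmin.exe "
    "cmdline=\"vssadmin.exe Delete Shadows /All /Quiet\"",
    "2016-06-10 09:12:05 ProcessCreate user=alice "
    "image=C:\\Program Files\\Office\\winword.exe "
    "cmdline=\"winword.exe report.docx\"",
]


def count_encrypted_files(paths):
    """Return a Counter of CryptXXX-style extensions seen in a list of paths."""
    hits = Counter()
    for p in paths:
        ext = PureWindowsPath(p).suffix.lower()
        if ext in CRYPTXXX_EXTENSIONS:
            hits[ext] += 1
    return hits


def find_shadow_deletions(log_lines):
    """Return the log lines whose command line matches a shadow-copy deletion pattern."""
    return [line for line in log_lines
            if any(pat.search(line) for pat in SHADOW_DELETE_PATTERNS)]


def assess(paths, log_lines, threshold=5):
    """Combine both indicators into one verdict.

    A host is flagged when at least `threshold` files carry a CryptXXX
    extension, or when any shadow-copy deletion command was observed.
    """
    ext_hits = count_encrypted_files(paths)
    deletions = find_shadow_deletions(log_lines)
    encrypted_total = sum(ext_hits.values())
    return {
        "encrypted_files": encrypted_total,
        "extensions": dict(ext_hits),
        "shadow_deletions": len(deletions),
        "suspicious": encrypted_total >= threshold or bool(deletions),
    }


if __name__ == "__main__":
    verdict = assess(SAMPLE_PATHS, SAMPLE_LOGS)
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

The shadow-copy check is the more urgent of the two signals: an encrypted-extension count only grows after damage has started, whereas a shadow-copy deletion on a workstation is rarely legitimate and is worth alerting on by itself, which is why `assess` flags it regardless of the file threshold.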
Based on the metadata and domain details associated with the collected samples, Fenton speculates that the latest build of CryptXXX is most likely being spread through spam.
Interestingly, while some of the domains registered for the latest campaign deal with finance and investments, others focus on anti-spam.