CrypMIC: The Heir Of CryptXXX Ransomware

A rival of the vicious CryptXXX ransomware may be rising in the form of the newcomer CrypMIC. CryptXXX, which is known to be spread by the infamous Neutrino Exploit Kit, steals users' data and keeps it hostage until a ransom is paid.

The so-called CrypMIC was recently detected when, within a week, security researchers noticed that Neutrino constantly switched its malicious payload between it and CryptXXX. Moreover, Trend Micro researchers found a connection between the two ransomware families, as the newcomer operated in a very similar, if not identical, way. Not only did it copy the way CryptXXX arrives at its destination, but also the ransom note and the payment site.

Another thing the two threats have in common is the use of the same format for the sub-versionID/botID (U followed by 6 digits, i.e. UXXXXXX) and the same export function names (MS1, MS2). They also both employ a custom protocol over TCP port 443 to communicate with their command and control (C&C) servers.

There are, however, a few differences, including the source code and capabilities. CrypMIC does not append an extension to encrypted files and is obfuscated in a different way. What is more, unlike CryptXXX, the newcomer checks whether it is running on a virtual machine and sends this information to the C&C.

According to an analysis, CrypMIC targets 901 file types, uses AES-256 encryption and has neither an autostart nor a persistence mechanism. The malware can even operate in a virtualized environment, and this does not stop it from sending information to its C&C. Moreover, it leverages vssadmin to delete shadow copies.
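CrypMIC's use of vssadmin to delete shadow copies is a behaviour defenders can alert on. As an added example (not code from the Trend Micro analysis), the Python below scans constructed process-creation log lines for that command; the log format and sample values are assumptions.

```python
import re

# Constructed sample process-creation log lines (shaped like Sysmon/EDR
# telemetry), not real telemetry from a CrypMIC infection.
SAMPLE_LOG = """\
2016-07-20T10:01:02Z pid=4120 image=C:\\Windows\\explorer.exe cmd="C:\\Windows\\explorer.exe"
2016-07-20T10:01:05Z pid=5012 image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe Delete Shadows /All /Quiet"
2016-07-20T10:01:06Z pid=5020 image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin list shadows"
2016-07-20T10:02:00Z pid=5100 image=C:\\Windows\\System32\\cmd.exe cmd="cmd.exe /c vssadmin delete shadows /for=C: /quiet"
"""

# Assumed log line layout: timestamp, pid, image path, quoted command line.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) cmd="(?P<cmd>[^"]*)"$'
)
# "vssadmin ... delete ... shadows" in any case, with or without .exe,
# regardless of extra switches such as /All or /for=C:.
SHADOW_DELETE_RE = re.compile(
    r'\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b', re.IGNORECASE
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_shadow_copy_deletions(log_text):
    """Return (timestamp, pid, cmd) for every process that deletes shadow copies."""
    hits = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev and SHADOW_DELETE_RE.search(ev["cmd"]):
            hits.append((ev["ts"], int(ev["pid"]), ev["cmd"]))
    return hits


if __name__ == "__main__":
    for ts, pid, cmd in find_shadow_copy_deletions(SAMPLE_LOG):
        print(f"[ALERT] {ts} pid={pid} shadow copy deletion: {cmd}")
```

Listing shadows is left unflagged on purpose; only the deletion, which destroys the local recovery path ransomware wants gone, raises an alert.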

Trend Micro states that both ransomware families are equally dangerous, especially for business organizations, because of their ability to encrypt files on removable and network drives. The ransom they demand varies from 1.2 to 2.4 bitcoins. However, the newcomer is not able to steal credentials from the infected system because it does not run an information-stealing module in its process, unlike CryptXXX, which has become notorious for doing so.

“Both CrypMIC and CryptXXX pose dangers to organizations and users as these threats steal and hold data hostage, and even pilfer credentials from various programs. Paying the ransom does not guarantee that end-users will get their files back. For instance, the decryptor created by CrypMIC’s developers has been reported to be not functioning properly,” Trend Micro reports.

Furthermore, analysts add that paying the ransom may expose you to further ransomware attacks. The best you can do is protect your machine and prevent infection by keeping your systems up to date and fully patched, maintaining backups of your data, and using multilayered defenses.
