CryptXXX Ransomware Updated, Encrypted Files No Longer Decryptable

One of the latest ransomware families discovered – CryptXXX, has just seen a major update. Now, despite the free decryption tool released by Kaspersky, the ransomware prevents users from accessing the files on their computers.

CryptXXX was discovered about a month ago by the security company Proofpoint. The ransomware used to work like any other crypto-ransomware on the market, which means that it would infect targets via malvertising, encrypt their files, and demand a ransom.

By now, PC users had full access to their virtual machines, excluding the encrypted files, and they could use the “same computer” to go online, buy Bitcoin, and pay the demanded ransom.

Just a week after the ransomware was first seen, Kaspersky released an update to their Rannoh Decryptor which included the ability to analyze and crack CryptXXX’s encryption, and things turned positive for all the CryptXXX victims.

The new modification allowed CryptXXX victims to download Kaspersky’s decrypter and run it instead of going online and paying the ransom. However, about two weeks after Kaspersky released its free decrypter, Proofpoint reported on the emergence of CryptXXX version 2 which includes updates which defeat the decrypter.

Besides, users infected with CryptXXX 2.0 won’t even be able to go online anymore, because CryptXXX’s authors have decided to lock the user’s entire screen altogether. That means that users will have to use another PC to go online, buy Bitcoin, and pay the demanded ransom.

Otherwise, according to Proofpoint, the creators of CryptXXX still prefer malvertising campaigns and malicious ads on legitimate websites, which redirected users to pages hosting the Angler exploit kit, delivering the ransomware directly, or via an intermediary malware called Bedep.

CryptXXX is being actively maintained: we have seen it evolve multiple times since our initial discovery, but the changes did not appear significant enough to be mentioned,” the team of Proofpoint said.

As expected, the number of actors spreading it has increased, making it one of the most commonly seen ransomware families. Globally, we have observed several primary threat actors transitioning from Teslacrypt/Locky to CryptXXX/Cerber in the driveby landscape in recent weeks.”

Having in mind the fact that CryptXXX uses malvertising on a regular basis, today may be the right time to install an ad blocker in your web browser.

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.