Is UltraCrypter a remarketing of CryptXXX?
In May, TeslaCrypt unexpectedly closed for business, publishing its master decryption key (and an apology!). Analysts then noticed that the same distribution networks which had been pushing this now withdrawn ransomware since February were being used to push another product: CryptXXX, which Proofpoint researchers first documented earlier this year.
This could be because the developers had rented the distribution networks for a limited time, or because they were tired of the excellent work certain researchers did in repeatedly breaking the encryption of each TeslaCrypt release, and decided to market a new product. Whatever the reason, there is a new parasite in the electronic wilderness: UltraCrypter.
At present, this ransomware behaves like its predecessors: it infects a system, encrypts the user's files and demands a ransom in exchange for the decryption key. How UltraCrypter is being spread is not yet known, so users should read up on ransomware in general. The current trend in malware distribution is spam or phishing email, so do not open attachments or links you are not expecting. Keep in mind too that a backup only helps if the ransomware cannot reach it, so keep copies offline or on storage that is not permanently mounted.
CryptXXX's ransom notes and payment pages were visually modelled on CryptoWall's, as are those of most ransomware families. The technical research so far points to UltraCrypter being a CryptXXX variant rather than a new family. The only differences observed are a change of TOR payment site and cosmetic changes to the design. The name UltraCrypter comes from the name of that TOR site, UltraDeCrypter, to which victims are directed.
As technical information becomes available, we'll update this post. Watch this space (but back up your files first!)