The cyber criminals behind CryptXXX ransomware have parried white hat attacks and released a new, as-yet-uncracked malware variant. The new version is capable of encrypting network shares and stealing account logins.
CryptXXX is currently the most widely-used ransomware, and the latest changes make it the most dangerous tool.
The modular malware menace uses StillerX to plunder account credentials from a host of software, including Cisco VPNs, Microsoft Credential Manager, and online poker platforms.
The browser data, which includes history, cookies, and stored credentials, is hoovered up together with email, instant messaging, and remote administration software logins.
The latest update of CryptXXX will definitely solidify the ransomware’s dominant position in the market.
“CryptXXX has become quite widespread, especially with a number of TeslaCrypt actors shifting operations to CryptXXX recently,” the Proofpoint experts state, adding that “… this new version of CryptXXX was capable of finding shared resources on the network, enumerating files in every shared directory, and encrypting them one by one.”
“The actors behind CryptXXX have continued to rapidly refine the ransomware with updates to encryption, scanning for network shares, cosmetic updates, and updates to lock screen behavior.”
Recently, Kaspersky Lab released a decryption tool to help CryptXXX victims rescue their files for free. This was possible thanks to similarities between the malware and the previously cracked Rannoh ransomware.
Decryption efforts are a double-edged sword: they liberate victims, but they also prompt determined VXers to release an updated variant that cannot be broken.
The credential-stealing module is new turf for ransomware scum, and it breaks the "professional" business model in which those who pay are handed their keys and are no longer compromised. In any case, it may be sufficient to persuade some ransomware victims not to pay the ransom.