CryptXXX ransomware is in the spotlight again after news that the decryption services on its payment website were not working properly. At the same time, Jigsaw ransomware, which is known for periodically changing the image used for its ransom note, has again updated the infected system’s user interface (UI). In addition, both ransomware families have started offering a ‘Help Desk’ and chat support to their victims.
CryptXXX ransomware, which was recently rebranded as UltraCrypter, has undergone several major updates since it first appeared in April this year. Despite two of its previous versions having been cracked by security experts, the ransomware’s developers updated it to CryptXXX 3.0, which implemented a stronger encryption scheme to render the free, publicly available decryption tools ineffective. They also made several design changes to the victim’s UI, ransom note, and payment website, and renamed the decryption tool to “UltraDecrypter.” Encrypted files are given a .crypt1 extension.
The latest iteration of the malware is CryptXXX 3.1, which is capable of scanning shared resources on the network and encrypting files stored on those drives. To maximize their profit, the malware creators have added an information-stealing DLL (StillerX) that collects and exfiltrates the victim’s browser history, cookies, and credentials from email, FTP, IM, VPN and proxy clients, remote administration software, poker gaming software, and Microsoft Credential Manager.
It looks like the malware creators have hit another snag, as their payment system was found to be faulty. Security reports show that the system was not properly recognizing payments made by victims, leaving them unable to download the “UltraDeCrypter” tool needed to unlock their kidnapped files.
To make things worse, the timer, normally set to 90 hours, keeps running, and the ransom amount is automatically doubled when it expires. In a sample provided by security expert Lawrence Abrams, a payment of 1.2 bitcoins, the original ransom amount demanded from a recent victim, showed up as completed in the UI, yet the site is now demanding 2.4 bitcoins instead.
As Abrams noted, “probably because this group continues to have problems with their system, they have added a Helpdesk tab to the UltraDeCrypter payment site. This tab contains a form that a victim can use to contact the payment server operators in the event of a problem.”