Since the beginning of June the creators of CryptXXX ransomware have changed their ransom note and Tor payment website twice. However, what is more important to those developing detection signatures and to administrators is that the latest update no longer changes the file extensions of the encrypted files.
“To make it more difficult for administrators, this release no longer uses special extensions for encrypted files,” the researcher Lawrence Abrams said. “Now an encrypted file will retain the same filename that it had before it was encrypted.”
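Because this release leaves filenames and extensions untouched, a defender can no longer spot encrypted files by name alone. The following scanner is an added example (not code from the article or from any of the researchers quoted) showing one host-side approach: a file whose extension promises a known header but whose leading bytes are missing that header and look near-random is reported, and any directory holding the three ransom-note names reported later in the article is reported as well. The magic-byte table, the entropy threshold of 7.5 bits per byte and the sample tree are all constructed for this example.

```python
import math
import os
import tempfile
from pathlib import Path

# Constructed table of expected leading bytes for a few common extensions.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".gif": b"GIF8",
}

# Ransom-note filenames reported for this CryptXXX update.
RANSOM_NOTES = {"README.html", "README.bmp", "README.txt"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, lower for structured files."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path, entropy_threshold: float = 7.5, sample: int = 4096) -> bool:
    """True when the extension implies a known header, the header is absent, and the
    content is near-random: the name survived but the contents did not."""
    expected = MAGIC.get(path.suffix.lower())
    if expected is None:
        return False  # no opinion about extensions we have no signature for
    with open(path, "rb") as fh:
        head = fh.read(sample)
    if head.startswith(expected):
        return False
    return shannon_entropy(head) >= entropy_threshold


def scan(root: Path) -> dict:
    """Walk a tree and report suspected encrypted files and directories holding the note triplet."""
    suspects, note_dirs = [], []
    for dirpath, _dirs, files in os.walk(root):
        if RANSOM_NOTES.issubset(files):
            note_dirs.append(dirpath)
        for name in files:
            p = Path(dirpath) / name
            if looks_encrypted(p):
                suspects.append(str(p))
    return {"suspects": sorted(suspects), "note_dirs": sorted(note_dirs)}


def build_sample_tree() -> Path:
    """Constructed sample: a real PNG header, a renamed text file, a 'PDF' that is random
    bytes, and the three ransom-note names in the same directory."""
    root = Path(tempfile.mkdtemp(prefix="cryptxxx_demo_"))
    (root / "photo.png").write_bytes(MAGIC[".png"] + bytes(range(256)) * 4)  # header present: benign
    (root / "archive.zip").write_bytes(b"plain text renamed, not encrypted " * 50)  # low entropy: benign
    (root / "report.pdf").write_bytes(os.urandom(4096))  # no %PDF- header, high entropy: suspect
    for note in RANSOM_NOTES:
        (root / note).write_text("constructed ransom note placeholder")
    return root


if __name__ == "__main__":
    print(scan(build_sample_tree()))
```

Both conditions are needed: the renamed text file has the wrong header but low entropy and is left alone, while a genuine PNG has random-looking pixel data but is cleared by its header. The entropy threshold is a tunable assumption; compressed archives with an intact header are never examined for entropy, which keeps the false-positive rate manageable.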
Together with SANS Internet Storm Center handler Brad Duncan, Abrams documented the latest update to CryptXXX, in particular its post-infection activity. Duncan found the changes on a Windows machine compromised by the Neutrino Exploit Kit as part of the pseudo-Darkleech campaign.
For instance, the new payment instructions point to a new .onion website on the Tor network, and the payment website is called Microsoft Decryptor. The previous update, on June 1, led to a website called Ultra Decryptor.
“This version does not include a method of contacting the ransomware devs if a victim has payment problems,” Abrams said.
Meanwhile, Duncan posted an analysis of traffic from the Neutrino Exploit Kit involved in a recent infection coming from 198(.)71(.)54(.)211. He said the traffic made use of domain shadowing, as seen in other Neutrino EK campaigns and in Angler, which has been off the radar for a couple of months following the arrests of the Russian hackers behind the Lurk malware.
“Post-infection traffic was over 91(.)220(.)131(.)147 on TCP port 443 using custom encoding, a method CryptXXX has used since it first appeared earlier this year,” Duncan explained, adding that text and HTML versions of the decryption instructions are downloaded in plaintext during post-infection traffic. Abrams said the ransom notes in the updated version of CryptXXX are called README.html, README.bmp, and README.txt.
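Traffic on TCP port 443 that is not TLS, and cleartext downloads of the decryption instructions, are both visible to a network sensor that looks at the first bytes of each stream instead of trusting the port. The classifier below is an added example (not code from the article, the researchers quoted, or any detection product) that applies that idea: a stream is accepted as TLS only if it begins with a TLS record header, a stream that begins with an HTTP request line is reported as cleartext on 443 and checked for the ransom-note filenames, and anything else on 443 is reported as opaque. The three sample streams are constructed for this example; the host header uses a placeholder name rather than a real address.

```python
from urllib.parse import urlsplit

# Ransom-note filenames reported for this CryptXXX update.
RANSOM_NOTES = {"README.html", "README.bmp", "README.txt"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")


def classify_port443(head: bytes) -> dict:
    """Classify the opening bytes of one side of a TCP/443 stream.

    A TLS record starts with a content type (0x14-0x17) and a 0x03 0x0X version;
    anything on 443 that does not frame that way is worth an analyst's attention."""
    if (len(head) >= 3 and head[0] in (0x14, 0x15, 0x16, 0x17)
            and head[1] == 0x03 and head[2] <= 0x04):
        return {"kind": "tls", "alert": False, "reason": "TLS record header"}
    if head.startswith(HTTP_METHODS):
        request_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
        parts = request_line.split(" ")
        target = parts[1] if len(parts) > 1 else ""
        name = urlsplit(target).path.rsplit("/", 1)[-1]
        if name in RANSOM_NOTES:
            return {"kind": "http-plaintext", "alert": True,
                    "reason": f"cleartext fetch of {name} on 443"}
        return {"kind": "http-plaintext", "alert": True, "reason": "cleartext HTTP on 443"}
    return {"kind": "opaque", "alert": True, "reason": "non-TLS binary payload on 443"}


# Constructed sample streams (first bytes only).
SAMPLES = {
    # TLS 1.0 record carrying a ClientHello: type 0x16, version 0x0301, length, handshake type 0x01.
    "browser": bytes.fromhex("16030100c8010000c40303"),
    # Cleartext HTTP on 443 asking for one of the note files.
    "note_download": b"GET /README.html HTTP/1.1\r\nHost: payment.example.invalid\r\n\r\n",
    # Bytes that are neither TLS nor HTTP, standing in for a custom encoding.
    "custom_encoding": b"\x8a\x2f\x11\x00\x7e\xc3\x19\x5d",
}


def classify_samples() -> dict:
    """Run the classifier over every constructed sample and return the verdicts by name."""
    return {name: classify_port443(head) for name, head in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:16s} {verdict['kind']:15s} alert={verdict['alert']} ({verdict['reason']})")
```

The check deliberately stays at the framing level. It does not try to decode the custom encoding, so it keeps working when the encoding changes; the cost is that any legitimate non-TLS service on 443 will also be reported, which is a reasonable trade for a port that is expected to carry TLS.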
Currently, CryptXXX ransomware is one of the most dangerous infections. At the beginning of June it signaled the downfall of the Angler Exploit Kit, and security experts noted that it had switched distribution channels to Neutrino. By now the malware has already undergone numerous updates to its encryption capabilities, as well as to its ability to encrypt local and attached storage and backups, and to steal credentials.
Numerous spam campaigns have been spreading CryptXXX, most notably of late pseudo-Darkleech, which has spread a number of ransomware families since it appeared in March last year.
Last week, pseudo-Darkleech made a change to its script, eliminating large blocks of numbers, up to 15,000 characters, which helped obfuscate code. The chunk of characters also made these campaigns easier to spot for researchers and detection software.
According to Duncan, last Friday the code suddenly disappeared and the start of the injected code in the script changed dramatically. Presently the attackers are using an iframe-based attack with very little obfuscation, throwing off signature-based detection systems.