An improved version of CryptXXX ransomware has raked in over $45,000 in three weeks after fixing a crypto flaw that allowed victims to recover their data for free. Over the last few months a cat-and-mouse game has ensued with CryptXXX developers and security researchers with…
An improved version of CryptXXX ransomware has raked in over $45,000 in three weeks after fixing a crypto flaw that allowed victims to recover their data for free.
Over the last few months a cat-and-mouse game has ensued with CryptXXX developers and security researchers with the researchers sourcing out ways for victims to reclaim back their data without paying the ransom.
Despite the fact that researchers from Kaspersky Lab had provided a free tool to victims to decrypt their data that would normally cost them more than $500, it wasn’t long before the developers at CryptXXX were able to defeat the decryptor after tweaking their code.
This cat-and-mouse game has continued between the two parties; however, now, it seems as though CryptXXX remain with the upper hand after the developers released a new CryptXXX variant, earlier this month, that has no decryptor available.
A blog post by security firm SentinelOne states that between June 4 and June 21, the new CryptXXX family of ransomware had received 70 bitcoins, worth around $45,228.
In the blog post, SentinelOne said:
With this kind of success, it’s likely we’ll continue to see this family and other ransomware families continue to grow and evolve. Some factors which may contribute to this are the increasing reliance on computers to store and process valuable information and the increasing popularity of Bitcoin which is semi-anonymous, works globally, and is difficult to regulate because it’s completely decentralized.
Even though the current variant permits victims to decrypt a single file to 512 KB, the main change with the new ransomware means that to decrypt a victim’s files is not easily done, which is why the decryptor tools by Kaspersky failed to work.
Additionally, changes include the extension .crypt1 being added to all encrypted files instead of .cryptz and .crypt, which were previously used, and the deletion of shadow volume copies on the victim’s system, which essentially prevents any data from being restored from backups.
Interestingly, funds that are being monitored regularly are also being transferred into a new, unique address, suggesting that the CryptXXX operators may be using a Bitcoin tumbler to mask where the coins are going.
However, while the ransomware is likely to be spreading through spam, SentinelOne, believe that the attackers may be relying on other distribution methods too.
Image from Flickr. Image courtesy of Christiaan Colen.
Last modified: January 25, 2020 11:47 PM UTC