CryptXXX Updated to Outwit Decryptor Tool

A new tool designed to decrypt the infamous CryptXXX ransomware has been rendered useless by a new variant discovered in the wild, according to researchers.

Proofpoint explained in a new blog that the RannohDecryptor created by boffins at Kaspersky Lab to unlock files a couple of weeks ago will not work with version 2.006, which locks the victims screen and makes the computer completely unusable.

“We first thought that the new lock screen was a quick and dirty way to make it more difficult for the victim to use the Kaspersky decryption tool. But upon further inspection, we found that the authors discovered a way to bypass the latest version of the decryption tool,” Proofpoint explained.

“The files that alert the victim that they are infected were previously ‘de_crypt_readme’ with bmp, txt, and html extensions. These files are no longer used; instead the filenames are the unique ‘Personal ID’ from the infected.”

Changes have also been made to the payment page. Where the black hats behind the ransomware used to urge victims to buy the Cryptowall decryptor, now they refer to the ‘Google decryptor.’

This is “probably to make it more difficult for victims to identify what they are facing,” according to Proofpoint.

The researchers aren’t particularly confident about future attempts at decrypting CryptXXX either, claiming that the ransomware undergoes such rapid evolution that it will “continue to compete strongly in malware ecosystems.”

“As always, best practices for avoiding infection include patching systems and software, updating endpoint antimalware, deploying robust network protections, and regularly backing up all critical systems,” Proofpoint concluded.

Although Locky is currently the top ransomware family distributed via email, CryptXXX is rapidly gaining notoriety – and popularity among black hats working mainly with exploit kits.

Discovered only a short time ago, in mid-April, it’s commonly dropped by the Bedep trojan after an Angler EK infection in a drive-by scenario, or by Angler directly, said Proofpoint.

It’s also particularly greedy – not only asking for a larger-than-usual $500 fee to unlock files, but will also steal any bitcoins on a victim’s computer and copies any data that might be useful for the cyber-criminals behind it, according to Kasperksy Lab.

What’s Hot on Infosecurity Magazine?