Will CryptXXX Replace TeslaCrypt After Ransomware Shakedown?
by Jaaziel Carlos, Anthony Melgarejo, Rhena Inocencio, and Joseph C. Chen
The departure of TeslaCrypt from the ransomware circle has gone and made waves in the cybercriminal world. Bad guys appear to be jumping ships in hopes of getting a chunk out of the share that was previously owned by TeslaCrypt. In line with this recent event, indicators are pointing to a new strong man in the ransomware game: CryptXXX.
CryptXXX (detected as RANSOM_WALTRIX.C) has been the recipient of recent updates; one of which took place after a free decryption tool surfaced that allowed victims to disregard the ransom. Not only does it encypt files, recent CryptXXX variants now have a lockscreen technique that prevents users from accessing their desktops.
CryptXXX is spread via compromised websites and malvertising hosting Angler exploit kits.
Figure 1. CryptXXX infection vector via Angler EK
Once a user visits the compromised site or clocks on a malicious ad, CryptXXX is dropped by variants of BEDEP malware. Once it arrives in a computer, it first checks if it’s running on a virtual environment. If it detects this, it terminates itself.
What makes CryptXXX difficult to stop is that it runs alongside a watchdog program. CryptXXX runs two simultaneous routines; one that encrypts, and the other to detect abnormal system behavior. When watchdog detects abnormal system behavior that halts the encryption process, it restarts the encryption routine. This results in a cycle of stopping the malware, and watchdog restarting the malware.
Figure 2. CryptXXX running simultaneous processes as svchost.exe
CryptXXX encrypts all files with the following extensions:
.3DM, .3DS, .3G2, .3GP, .7Z, .ACCDB, .AES, .AI, .AIF, .APK, .APP, .ARC, .ASC, .ASF, .ASM, .ASP, .ASPX, ASX, .AVI, .BMP, .BRD, .BZ2, .C, .CER, .CFG, .CFM, .CGI, .CGM, .CLASS, .CMD, .CPP, .CRT, .CS, .CSR, .CSS, .CSV, .CUE, .DB, .DBF, .DCH, .DCU, .DDS, .DIF, .DIP, .DJV, .DJVU, .DOC, .DOCB, .DOCM, .DOCX, .DOT, .DOTM, .DOTX, .DTD, .DWG, .DXF, .EML, .EPS, .FDB, .FLA, .FLV, .FRM, .GADGET, .GBK, .GBR, .GED, .GIF, .GPG, .GPX, .GZ, .H, .H, .HTM, .HTML, .HWP, .IBD, .IBOOKS, .IFF, .INDD, .JAR, .JAVA, .JKS, .JPG, .JS, .JSP, .KEY, .KML, .KMZ, .LAY, .LAY6, .LDF, .LUA, .M, .M3U, .M4A, .M4V, .MAX, .MDB, .MDF, .MFD, .MID, .MKV, .MML, .MOV, .MP3, .MP4, .MPA, .MPG, .MS11, .MSI, .MYD, .MYI, .NEF, .NOTE, .OBJ, .ODB, .ODG, .ODP, .ODS, .ODT, .OTG, .OTP, .OTS, .OTT, .P12, .PAGES, .PAQ, .PAS, .PCT, .PDB, .PDF, .PEM, .PHP, .PIF, .PL, .PLUGIN, .PNG, .POT, .POTM, .POTX, .PPAM, .PPS, .PPSM, .PPSX, .PPT, .PPTM, .PPTX, .PRF, .PRIV, .PRIVAT, .PS, PSD, .PSPIMAGE, .PY, .QCOW2, .RA, .RAR, .RAW, .RM, .RSS, .RTF, .SCH, .SDF, .SH, .SITX, .SLDX, .SLK, .SLN, .SQL, .SQLITE, .SQLITE, .SRT, .STC, .STD, .STI, .STW, .SVG, .SWF, .SXC, .SXD, .SXI, .SXM, .SXW, .TAR, .TBK, .TEX, .TGA, .TGZ, .THM, .TIF, .TIFF, .TLB, .TMP, .TXT, .UOP, .UOT, .VB, .VBS, .VCF, .VCXPRO, .VDI, .VMDK, .VMX, .VOB, .WAV, .WKS, .WMA, .WMV, .WPD, .WPS, .WSF, .XCODEPROJ, .XHTML, .XLC, .XLM, .XLR, .XLS, .XLSB, .XLSM, .XLSX, .XLT, .XLTM, .XLTX, .XLW, .XML, .YUV,.ZIP, .ZIPX
It also locks the screens of the user preventing access to any other tool. As previously mentioned, this seems like a reaction to the previous decrypter tool that spawned for its previous version of CryptXXX. Users could still access the pay site through the links provided in the ransom note.
Figure 3. CryptXXX ransom note
Another peculiar change that CryptXXX introduced is a long waiting period before doubling the ransom amount. While other ransomware families double their price in as little as 24 hours, CryptXXX gives the users 90+ hours to pay the ransom before it doubles. Unlike ransomware families that rush users into paying, like JIGSAW, CryptXXX gives users ample time to come up with the ransom money.
Figure 4. Payment link showing 90+ hours to pay US$500 before payment is doubled
With updated routines, and a friendlier ransom proposition, many cybercriminals are sure to flock over CryptXXX. We expect further updates to be made by the writers to make this ransomware a nightmare for users who do not have proper ransomware solutions.
Angler EK is perhaps one of the most notorious exploit kits that victimized hundreds of sites and countless malvertising attempts. Users should always regularly patch or update their programs, software, and applications with the latest versions to protect themselves against vulnerability abuses. Users should also follow the 3-2-1 rule in backing up files; create three backup copies in two different media, with one of the backups stored in a separate location.
Given that ransomware can also come in the form of spam mail attachments or links in spam messages, users should avoid opening unverified emails or clicking on embedded links.
Trend Micro says NO to ransomware. We strongly advise users not to pay ransom demands as it fuels cybercrime and promotes further propagation of ransomware. And while there is no silver bullet when it comes to ransomware threats like CryptXXX, a holistic, multi-layered approach for solutions–from the gateway, to the networks, down to the endpoints and servers–is needed to minimize the risks.
Different solutions are offered by Trend Micro to protect individual customers and networks. For organizations, they can block CryptXXX at the web gateway through InterScan Web Security. Endpoint solutions like Trend Micro™ Security, Trend Micro™ Smart Protection Suites, and Trend Micro Worry-Free™ Business Security, meanwhile, can protect users and organizations from this threat by detecting the malicious files and block all related malicious URLs. Systems with Trend Micro™ Smart Protection Suites are also protected from this threat via Trend Micro Endpoint Application Control.
- DF7E00A7DE1C584F0BF71BB583673A9CA4511AEF – Ransom_WALTRIX.C
- ADCE8CF4C31F1980C2B1D952A5A931D7C8DCDD8C – Ransom_WALTRIX.C
- B3CA5D55F0D38AC78A86A36323A8498854E3FA80 – Ransom_WALTRIX.C