CrypMIC Ransomware Wants to Follow CryptXXX’s Footsteps

By Kawabata Kohei

They say imitation is the sincerest form of flattery. Take the case of CrypMIC—detected by Trend Micro as RANSOM_CRYPMIC—a new ransomware family that mimics CryptXXX in terms of entry point, ransom notes and payment site UIs. CrypMIC’s perpetrators are possibly looking for a quick buck owing to the recent success of CryptXXX.

Figure 1. A side-by-side comparison of CrypMIC (left) and CryptXXX’s (right) ransom notes and user interfaces of their payment sites.

CrypMIC and CryptXXX share many similarities; both are spread by the Neutrino Exploit Kit and use the same format for sub-versionID/botID (U[6digits] / UXXXXXX]) and export function name (MS1, MS2). Both threats also employed a custom protocol via TCP Port 443 to communicate with their command-and-control (C&C) servers.

Upon closer look, CrypMIC and CryptXXX differ in source codes and capabilities. For instance, CrypMIC does not append an extension name to files it encrypts, making it trickier to determine which files have been held in ransom. They also differ in the use of compilers and obfuscation methods. CrypMIC has a VM check routine and sends that information to its C&C.

Here is a table of comparison that highlights their similarities and differences:

	CrypMIC	CryptXXX 4.001 / 5.001
Attack Vectors	Malvertising, compromised websites	Malvertising, compromised websites
Exploit Kit	Neutrino	Neutrino
File Name and Type	Randomly named DLL file (rad{randomhexcharacters}.tmp.dll when dropped by Neutrino)	Randomly named DLL file (rad{randomhexcharacters}.tmp.dll when dropped by Neutrino)
Encryption Algorithms	AES-256 (touted to be RSA 4096 in the ransom notes)	RSA and RC4 combination
Number of File Types Encrypted	901	933 (4.001 and 5.001)
Appended Extension Name	None	Replaces original file name to random hex characters: {32 hexadecimal characters}.{5 hexadecimal characters} e.g. 0412C29576C708CF0155E8DE242169B1.6B3FE
Scanned Drives for Encryption	D to Z, %USERPROFILE%, as well as removable and mapped network drives	B to Z as well as removable and network drives
Ransom Note Filename	README.TXT, README.HTML, README.BMP	!README.HTML !README.BMP
Autostart and Persistence Mechanisms	None	%User Startup%\{unique ID}.lnk, where {unique ID} contains 12 hexadecimal characters
Lockscreen Capability	No	Yes
Anti-Virtualization and VM Check Routine	CPUID-based; runs its encryption routine even in VM and sends the information to its C&C	No VM check routine
Ransom Amount	1.2 to 2.4 bitcoins (or US$792 to US$1,597 as of July 15, 2016)	1.2 to 2.4 bitcoins (or US$792 to US$1,597 as of July 15, 2016)
Payment Method	Bitcoins, Tor Network	Bitcoins, Tor Network
C&C Communication and Information Theft	Retrieves AES key and ransom notes from C&C; sends system information and result of encryption to C&C	Retrieves RSA public key, domain information of payment site and information-stealing module (fx100.dll); sends system information and result of encryption to C&C
Network Activity	TCP via Port 443	TCP via Port 443
Shadow Copies Deletion	vssadmin	No

Figure 2. Activity of Neutrino exploit kit distributing a new version of CryptXXX (5.001) to Japan on July 14th.

The demise of the Angler exploit kit from crypto-ransomware activity has made CryptXXX migrate to Neutrino exploit kit, which have been recently reported to be delivering other ransomware families such as CryptoWall, TeslaCrypt, CryptoLocker and Cerber.

We have observed that CrypMIC and CryptXXX were distributed by Neutrino interchangeably over the course of a week. CrypMIC was first pushed by Neutrino on July 6th before switching back to delivering CryptXXX 4.001 on July 8th. It started redistributing CrypMIC on July 12th before reverting to CryptXXX the next day. On the same week, Neutrino also distributed Cerber via malvertising, as well as other malware from other cybercriminal groups. By July 14th, Neutrino has started to distribute an apparently newer version of CryptXXX (5.001).

CryptXXX 5.001 is not a major version update, having only little changes such as the structure of information appended to encrypted files. Its encryption routine, number of targeted extensions and packet format among others is the same as 4.001.

Figure 3. Using malware analysis tool Cuckoo Sandbox, we found that CryptXXX 4.001, much like its previous version, was stealing credentials from various applications.

CrypMIC and CryptXXX can be particularly dangerous for enterprises as they can also encrypt files on removable and network drives. CrypMIC, however, can only encrypt network shares if they have already been mapped to a drive.

In contrast, CryptXXX automatically scans the machine for network drives then proceeds to encrypt files stored on them. CryptXXX 4.001 also downloads and executes an information-stealing module on its process memory—named fx100.dll and detected by Trend Micro as TSPY_STILLER.B—that harvests credentials and related information from:

Drive-mapping utility tools (FTP, WebDAV, HTTTP and SFTP clients)
Windows-based file managers
Distributed file system clients that manage remote files such as those from the cloud
Remote desktop tools (RDP, VNC servers)
VOIP and internet dialers
Video chat software
Web application frameworks (i.e. ASPNET)
VPN clients
Instant messaging clients (including those designed for businesses)
Download managers
Web browsers
Email clients
Online poker gaming software

Both CrypMIC and CryptXXX pose dangers to organizations and users as these threats steal and hold data hostage, and even pilfer credentials from various programs. Paying the ransom does not guarantee that end-users will get their files back. For instance, the decryptor created by CrypMIC’s developers has been reported to be not functioning properly. Additionally, paying the ransom only makes businesses and users susceptible to more ransomware attacks.

Besides regularly backing up files, keeping systems updated with the latest patches is another means of mitigating the risks of ransomware. A multilayered defense that can secure systems, servers and networks is also recommended.

Trend Micro Solutions

Enterprises can use Trend Micro solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan ™ Web Security to block ransomware at the exposure layer—web and email. Trend Micro’s Deep Discovery Inspector detects malicious traffic, communications, and other suspicious activities associated with attempts to inject ransomware into the network.

Trend Micro’s Deep Security™ can shield applications such as browsers from exploits—which both CrypMIC and CryptXXX rely on—that facilitate the injection of ransomware into systems. At the endpoint level, Trend Micro’s Smart Protection Suites detects and stops suspicious behavior and exploits associated with ransomware with its behavior monitoring, application control, vulnerability shielding and web security.

Trend Micro also provides security solutions for SMBs via Worry-Free™ Services Advanced’s cloud security, behavior monitoring and real-time web reputation for devices and emails. For home users, Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with threats like CrypMIC and CryptXXX.

Related SHA1s:

C6415524E1C8EA3EAD8C33EFF8E55E990CA5579E – RANSOM_CRYPMIC.A
156FB73151D136FE601134C946C3D50168996217 – RANSOM_CRYPMIC.A
7B4A57BC9D96B79DE49462B9EA37D1B1F202C99C – RANSOM_WALTRIX.YUYALG (CryptXXX 4.001)
704901B890019351E1C9C984FFB32C7F5F4D3BA6 – RANSOM_WALTRIX.YUYALG (CryptXXX 4.001)
3F43B713CE057E1930E724488BB8E6433C44A4E6 – RANSOM_WALTRIX.YUFG (CryptXXX 5.001)
4E020D18863815AE6042D5B4B07080F0F9A6DB0D – RANSOM_WALTRIX.YUFG (CryptXXX 5.001)
A31D130B1BA2A74996C233B862A796B810DA26AC – TSPY_STILLER.B (fx100.dll)

With additional analysis from Joseph C. Chen and Jaaziel Carlos

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

CrypMIC Ransomware Wants to Follow CryptXXX’s Footsteps