Ransomware: New CryptXXX variant defeats Kaspersky decryption tool

The latest version of CryptXXX prevents Kaspersky's tool from working

New CryptXXX variant defeats decryption tool

Researchers at Proofpoint, who first discovered CryptXXX a few weeks ago, have detected a new variant running in the wild on Tuesday, which defeats the previously released decryption tool offered by Kaspersky.

In addition to encrypting files on the victim's computer and network shares, the CryptXXX family of Ransomware also acts like a data stealing Trojan, hijacking saved login credentials stored in the browser, email client, and IM application. If the victim has a Bitcoin wallet, CryptXXX will steal those too, and then immediately demand $500 Bitcoin to reverse the encryption.

In April, U.S. toy maker Maisto had their website infected with malicious JavaScript, which delivered unsuspecting visitors to a landing page managed by the Angler Exploit Kit, in order to deliver version 1.x of CryptXXX.

As it turns out, Kaspersky Lab managed to defeat the malware, and quickly added CryptXXX support to their Rannoh Decryptor tool. If successful, Kaspersky's efforts would help restore the victim's computer to a pre-infected state.

However, shortly after that tool became public, the authors of CryptXXX released a new version of the Ransomware, one that defeats Kaspersky's offering and applies some cosmetic enhancements.

In addition to countering Kaspersky's tool, version 2.006 of CryptXXX locks the screen and renders the infected system unusable.

"We first thought that the new lock screen was a quick and dirty way to make it more difficult for the victim to use the Kaspersky decryption tool [4]. But upon further inspection, we found that the authors discovered a way to bypass the latest version of the decryption tool," Proofpoint explained in a blog post.

Exactly how CryptXXX is defeating Kaspersky isn't clear, but Proofpoint speculates that it has something to do with how zlib 1.2.2 is being embedded.

Sunnyvale, California.-based security firm says that CryptXXX is rapidly emerging as one of the top ransomware families in the wild, especially among actors working primarily via exploit kits.

"With the introduction of version 2.006, CryptXXX authors have, for now, rendered the existing free decryption tool ineffective. While new decryption tools may emerge, CryptXXX's active development and rapid evolution suggest that this new ransomware will continue to compete strongly in malware ecosystems."

Update: Kaspersky wasted no time in releasing a fix that will once again decrypt systems infected by CryptXXX .

"...we don’t like to let criminals or trolls win, and are happy to announce that our team has updated our decryption tool to adapt to the second version of CryptXXX...

Insider: These ransomware situations can result in colossal outcomes
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies