The latest variant of CryptXXX ransomware has generated $60,478 in ransom payments since June 4, based on current exchange rates. The newest release also fixes code flaws that free decryption tools previously exploited, flaws that let victims restore their files without paying.
Researchers from SentinelOne have been tracking a CryptXXX campaign this month that leverages the latest build from the ransomware family.
As part of their efforts, they monitored the Bitcoin wallet used for ransom payments, which shows that a single campaign has generated more than 70 incoming transactions, totaling $60,478.73 based on the latest exchange rates.
Given that each payment was forwarded to a new wallet, it's likely the ransomware authors are using Bitcoin tumbler services to cover their tracks.
"While the consistent transaction amounts would suggest that all transactions to this address are for CryptXXX malware, it's impossible to be certain. Also, multiple addresses may be used for this malware family. Since this address didn't have any activity until 6/4/2016, it's likely that one new address is being used per version or campaign," SentinelOne's Caleb Fenton explained in a recent blog post.
Note: At the time this story was written, 1 BTC = $654.12 USD. Financials quoted were valid as of June 27.
One of the key changes in this updated version of CryptXXX is the correction of a flaw that previously allowed decryption tools from Kaspersky and other security firms to restore a victim's files without a ransom payment.
It isn't clear whether there is a way to circumvent this change; previous builds also defeated decryption tools at first, but the security vendors simply updated their software to compensate.
The CryptXXX variant examined by SentinelOne will allow the victim to decrypt one file free of charge, but they're limited to a file that's less than 512 KB.
"This is a good idea from a psychological standpoint since the malware authors know that people are more likely to pay for something if they know that it will work," Fenton wrote.
The latest variant also encrypts files with the extension .crypt1; previous variants used .crypt. Moreover, shadow volume copies on the victim's system are deleted, preventing a restore from backups.
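A defender-side check for the two behaviours just described, the .crypt1/.crypt file extension and the deletion of shadow volume copies, as an added Python example that is not code from the article or from SentinelOne. It runs over constructed Sysmon-style log lines; the vssadmin and wmic command patterns are an assumption, since the article does not say how the copies are removed.

```python
import re

# Constructed sample events (not from the article): process-creation and
# file-creation records simplified to quoted key="value" fields.
SAMPLE_EVENTS = [
    'type="process_create" image="C:\\Windows\\System32\\vssadmin.exe" '
    'cmdline="vssadmin.exe delete shadows /all /quiet"',
    'type="process_create" image="C:\\Windows\\System32\\wbem\\WMIC.exe" '
    'cmdline="wmic shadowcopy delete"',
    'type="process_create" image="C:\\Windows\\System32\\vssadmin.exe" '
    'cmdline="vssadmin.exe list shadows"',
    'type="file_create" path="C:\\Users\\alice\\Documents\\budget.xlsx.crypt1"',
    'type="file_create" path="C:\\Users\\alice\\Documents\\notes.txt.crypt1"',
    'type="file_create" path="C:\\Users\\alice\\Documents\\report.docx.crypt"',
    'type="file_create" path="C:\\Users\\alice\\Documents\\plan.docx"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Assumed shadow-copy deletion commands; "list shadows" must not match.
SHADOW_DELETE_RE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete)\b", re.I)
# Extensions reported for CryptXXX: .crypt (older builds) and .crypt1 (latest).
CRYPT_EXT_RE = re.compile(r"\.crypt1?$", re.I)


def parse_event(line):
    """Turn one key="value" log line into a dict."""
    return dict(FIELD_RE.findall(line))


def is_shadow_copy_deletion(cmdline):
    return SHADOW_DELETE_RE.search(cmdline) is not None


def has_cryptxxx_extension(path):
    return CRYPT_EXT_RE.search(path) is not None


def triage(lines, burst_threshold=2):
    """Return alerts: each shadow-copy deletion, plus one alert when at least
    burst_threshold files with a CryptXXX extension appear in the batch."""
    alerts, encrypted = [], []
    for line in lines:
        ev = parse_event(line)
        if ev.get("type") == "process_create" and is_shadow_copy_deletion(ev.get("cmdline", "")):
            alerts.append(("shadow_copy_deletion", ev["cmdline"]))
        elif ev.get("type") == "file_create" and has_cryptxxx_extension(ev.get("path", "")):
            encrypted.append(ev["path"])
    if len(encrypted) >= burst_threshold:
        alerts.append(("cryptxxx_extension_burst", len(encrypted)))
    return alerts
```

On the constructed batch this yields two shadow-copy alerts and one extension-burst alert covering three files.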
Based on the metadata and domain details associated with the collected samples, Fenton speculates that the likely delivery method for the latest build of CryptXXX is spam. Oddly, while some of the domains registered for the latest campaign deal with finance and investments, others focus on anti-spam.
Additional technical details, including hashes and IP records, are available on the SentinelOne blog.