Updated release fixes previous code flaws, preventing the use of decryption tools

The latest variant of CryptXXX ransomware has generated $60,478 in ransom payments since June 4, based on current exchange rates. The newest release also corrects code flaws in earlier builds that had allowed victims to avoid payment and restore their files with free decryption tools.

Researchers from SentinelOne have been tracking a CryptXXX campaign this month that uses the latest build from the ransomware family. As part of their efforts, they monitored the Bitcoin wallet used for ransom payments. It shows that a single campaign has generated more than 70 incoming transactions, totaling $60,478.73 at the latest exchange rate. Because each incoming payment was forwarded on to a new wallet, it is likely the ransomware authors are using Bitcoin tumbler services to cover their tracks.

"While the consistent transaction amounts would suggest that all transactions to this address are for CryptXXX malware, it's impossible to be certain. Also, multiple addresses may be used for this malware family. Since this address didn't have any activity until 6/4/2016, it's likely that one new address is being used per version or campaign," SentinelOne's Caleb Fenton explained in a recent blog post.

Note: At the time this story was written, 1 BTC = $654.12 USD. Financials quoted were valid as of June 27.
One of the key changes in this updated version of CryptXXX is the correction of a flaw that previously allowed decryption tools from Kaspersky and other security firms to restore a victim's files without a ransom payment. It isn't yet clear whether this change can be circumvented. Previous builds also defeated the decryption tools for a time, but the security vendors updated their software to compensate.

The CryptXXX variant examined by SentinelOne lets the victim decrypt one file free of charge, but only a file smaller than 512 KB. "This is a good idea from a psychological standpoint since the malware authors know that people are more likely to pay for something if they know that it will work," Fenton wrote.

The latest variant encrypts files with the extension .crypt1; previous variants used .crypz and .crypt. It also deletes the Volume Shadow Copies on the victim's system, so earlier versions of the files cannot be recovered from those copies.

Based on the metadata and domain details associated with the collected samples, Fenton speculates that the latest build of CryptXXX is most likely being delivered through spam. Oddly, while some of the domains registered for the latest campaign deal with finance and investments, others focus on anti-spam. Additional technical details, including hashes and IP records, are available on the SentinelOne blog.
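The two host-side indicators the article gives, the encrypted-file extensions (.crypt1 for the latest build, .crypz and .crypt for earlier ones) and the deletion of Volume Shadow Copies, are enough for a first-pass triage script. The following is an added example written for this page, not code from the article or from SentinelOne. The file listing and process command lines are constructed sample data. The article does not say how the shadow copies are deleted, so the `vssadmin` and `wmic` command patterns are an assumption based on the usual Windows tooling, not a detail taken from the campaign.

```python
"""Triage a host for the CryptXXX indicators described in the article (added example)."""
import ntpath
import re
from collections import Counter

# Extensions the article attributes to CryptXXX builds.
CRYPTXXX_EXTENSIONS = {
    ".crypt1": "latest build",
    ".crypz": "earlier build",
    ".crypt": "earlier build",
}

# ASSUMPTION: the article only says shadow copies are deleted, not how.
# These patterns cover the common Windows commands for doing so.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\"?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]

# Constructed sample data standing in for a file listing and a process log.
FILE_LISTING = [
    r"C:\Users\alice\Documents\q2-forecast.xlsx.crypt1",
    r"C:\Users\alice\Documents\notes.txt.crypt1",
    r"C:\Users\alice\Pictures\IMG_0042.jpg.crypz",
    r"C:\Users\alice\Documents\budget.docx",
    r"C:\Windows\System32\crypt32.dll",  # negative case: ".dll", not ".crypt"
]
COMMAND_LINES = [
    r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet',
    r"C:\Windows\System32\svchost.exe -k netsvcs",
    r"wmic shadowcopy delete",
]


def classify_encrypted_files(paths):
    """Map each path carrying a CryptXXX extension to the build it points at."""
    hits = {}
    for path in paths:
        ext = ntpath.splitext(path)[1].lower()
        if ext in CRYPTXXX_EXTENSIONS:
            hits[path] = CRYPTXXX_EXTENSIONS[ext]
    return hits


def extension_counts(paths):
    """Count matching files per extension; a dominant .crypt1 suggests the latest build."""
    return Counter(
        ntpath.splitext(p)[1].lower()
        for p in paths
        if ntpath.splitext(p)[1].lower() in CRYPTXXX_EXTENSIONS
    )


def flag_shadow_copy_deletion(command_lines):
    """Return command lines that delete Volume Shadow Copies (assumed mechanisms)."""
    return [c for c in command_lines if any(p.search(c) for p in SHADOW_DELETE_PATTERNS)]


def assess_host(paths, command_lines):
    """Combine both indicators into a single triage verdict for one host."""
    files = classify_encrypted_files(paths)
    counts = extension_counts(paths)
    shadow = flag_shadow_copy_deletion(command_lines)
    likely_build = counts.most_common(1)[0][0] if counts else None
    return {
        "encrypted_files": len(files),
        "by_extension": dict(counts),
        "likely_build": likely_build,
        "shadow_copy_deletion": shadow,
        # Shadow-copy deletion alone is noisy (admins do it too); the extensions
        # are the stronger signal, so require them before calling it CryptXXX.
        "verdict": "cryptxxx-likely" if files else "no-cryptxxx-indicators",
    }


if __name__ == "__main__":
    for key, value in assess_host(FILE_LISTING, COMMAND_LINES).items():
        print(f"{key}: {value}")
```

Run against a real host, `FILE_LISTING` would come from a directory walk of user profiles and `COMMAND_LINES` from process-creation events (for example, Sysmon event 1 or Security event 4688). Shadow-copy deletion by itself is not conclusive, since administrators run the same commands, which is why the verdict keys off the file extensions.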