Ransomware Knocks Out Entire PC
Wednesday, May 11, 2016 @ 11:05 AM gHale
As ransomware continues its growth curve, one of the more recent variants, CryptXXX, just received an upgrade that not only gets around an existing decryption tool but also locks users out of their entire computer, not just their files.
CryptXXX, first spotted in mid-April by security firm Proofpoint, worked like any other crypto-ransomware: it infected targets via malvertising, encrypted their files, and demanded a ransom.
Users had full access to their computers, except to the encrypted files. They could still use the “same computer” to go online, buy Bitcoin, and pay the ransom.
Things looked good for victims when security company Kaspersky released an update to its RannohDecryptor that added the ability to analyze and break CryptXXX’s encryption.
That update allowed CryptXXX victims to download Kaspersky’s decrypter and run it instead of going online and paying the ransom.
That didn’t last long: almost two weeks after Kaspersky released its free decrypter, Proofpoint reported the emergence of CryptXXX version 2, which includes changes that defeat the decrypter.
On top of that, users infected with CryptXXX 2 won’t even be able to go online anymore, because CryptXXX’s authors decided to lock the user’s entire screen altogether.
That means users will have to use another computer to go online to buy Bitcoin and pay the ransom.
As for distribution, Proofpoint said the attackers are still using malvertising campaigns, malicious ads on legitimate websites that redirect users to pages hosting the Angler exploit kit, which then delivers the ransomware either directly or via an intermediary malware called Bedep.
“CryptXXX is being actively maintained: We have seen it evolve multiple times since our initial discovery, but the changes did not appear significant enough to be mentioned,” the Proofpoint team said in a blog post. “As expected, the number of actors spreading it has increased, making it one of the most commonly seen ransomware families. Globally, we have observed several primary threat actors transitioning from Teslacrypt/Locky to CryptXXX/Cerber in the driveby landscape in recent weeks.”