CryptXXX Ransomware’s Current Version Stops Free Decryption Tools’ Usage

Security researchers have found one fresh version of CryptXXX a ransomware that's familiar. The sample contains certain fresh capabilities, especially one which doesn't allow non-chargeable decryption tools to be used.

While in comparison with the CryptoLocker or TeslaCrypt strains, the CryptXXX group of ransom software mayn't be as familiar, still there's some success that it has had. The latest strain, which SentinelOne researchers found, by now has yielded over $50,000 to attackers as well as resolved one glitch related to its encryption system which let intermediate decryption codes run effectively on contaminated systems.

People across the globe encountered CryptXXX during mid-April 2016 first, nevertheless just following one week, Kaspersky managed in developing one decrypter for the malware's first edition with which end-users could retrieve locked files without paying a ransom.

Cyber-criminals responded to the situation via making their ransomware up-to-date; however, Kaspersky researchers too kept on updating the decryption code they created. But the CryptXXX version just found has enabled reaching the last stage of the cat-and-mouse game by cracking the latest version of the decrypter again while failing decryption tools from unlocking CryptXXX. Softpedia.com posted this, June 28, 2016.

The latest CryptXXX has attained success because for one the ransomware's operators carried out the encryption process correctly so that end-users found it really hard for decrypting without help. Earlier CryptXXX editions locked people's files labeling their extensions as either .crypt or .crypz. But CryptXXX's latest version labels encrypted files as .crypt1. According to Fenton, CryptXXX attackers using crypt/crypz to label encrypted file extensions were actually utilizing one faulty implementation of file encryption which let files to get unlocked devoid of any ransom payment. With crypt1, the case has been otherwise.

Besides, there's deletion of shadow volume replicas from victimized users' computers, thus not letting any restoration of files aided from backups.

Fenton conjectures that the most recent CryptXXX is being spread through spam. This has been done on the basis of the domain and metadata particulars related to the samples gathered. Strangely, whilst within the most recent attack, a few of the domain-names relate to investments and finance, the remaining deal with anti-spam.

» SPAMfighter News - 7/1/2016