
CryptXXX updated to version 3.0, Decryptors no longer Work


Batu69


On May 21st, the developers behind the CryptXXX ransomware updated their code to version 3.0 in order to stop Kaspersky's RannohDecryptor from decrypting files for free. Unfortunately, it appears that this update has also had the unintended consequence of breaking the malware developers' own decryptor.


Since CryptXXX was released, it has been plagued with bugs and weaknesses that have allowed Kaspersky to decrypt victims' files for free. Now that the malware devs have updated to version 3.0 in order to stop Kaspersky, based on multiple reports from people who paid the ransom, it also looks like the malware developers broke their own decryptor.

[Screenshot: Decryption Error]

For those who are affected by CryptXXX 3.0, it is advised that you do not pay the ransom as there is a good chance that you will not receive a working decryptor. You should wait instead to see if Kaspersky is able to update their decryption program to bypass CryptXXX's encryption algorithm. 


For those who wish to discuss this ransomware or receive support, they can register a free account and visit this forum topic:  CryptXXX Support & Help Topic. You can also consult the CryptXXX Ransomware Help, Information Guide, and FAQ.

Update 5/25/16: 

The malware developers' ears must have been ringing, because they released a new decryptor for the 3.x version of CryptXXX. A visitor (or insider) posted a comment on this article stating that the "hackers updated the decryption application".

[Screenshot: comment about the new decryptor]

When I downloaded the current decryptor from the CryptXXX payment site, it was indeed updated and now reflects that it is for the CryptXXX 3.x version as shown below.


[Screenshot: CryptXXX 3.x Decryptor]

On testing, this version of the decryptor does indeed decrypt files for those that paid the ransom.


Article source





Notorious ransomware family CryptXXX has morphed yet again to defeat decryption tools with a newly discovered variant: version 3.100, according to Proofpoint.

The security vendor claimed in a new blog post that CryptXXX 3.100 features new Server Message Block (SMB) functionality to scan for shared Windows drives on the corporate network before encrypting them one by one.


This renders the current CryptXXX decryption tool from Kaspersky Lab useless, and organizations should not count on another one being made available any time soon, Proofpoint argued.


“Even when possible, decrypting individual files is time-consuming and scales poorly, especially as CryptXXX begins encrypting many more files across network shares,” the firm said. “Similarly … the information stealing capabilities built into CryptXXX render organizations vulnerable even if they can recover critical files.”


These info stealing capabilities come in the form of StillerX – a credential stealing DLL which works as a plugin or standalone stealer.


It has been designed to target a wide range of potentially monetizable information on a victim's machine, including browser data, email/IM/VPN credentials, and even poker software log-ins.


CryptXXX 3.100 also features a simplified lock screen and a new more user-friendly payment portal hosted on an onion site.


Proofpoint claimed the ransomware family has become fairly widespread of late, even attracting black hats from TeslaCrypt.


“Because CryptXXX also includes robust information-stealing capabilities, multi-layered network and endpoint protection are also critical to prevent data exfiltration in case of infection,” the vendor concluded.


“CryptXXX updates have appeared very quickly over the last month and, without an available decryption tool, users and organizations must focus on detection and prevention.”

The scale of the ransomware problem is still difficult to gauge as many don’t report infections, but some reports suggest the FBI has estimated over $200m in losses in Q1 alone – way more than the $24m figure ascribed to 2015.


In addition, DNS firm Infoblox claimed this week that it had observed a 35-fold increase in new ransomware domains in Q1 compared to the final three months of 2015.

Article Source
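The second article's point is that CryptXXX 3.100 enumerates SMB shares before encrypting them, and that without a decryptor the useful work is detection. The block below is an added example, not code from either article, Proofpoint, Kaspersky or the forum poster: it runs a simple "share scanning" heuristic over a handful of constructed, simplified Windows Security event 5140 ("A network share object was accessed") records and flags any client that touches an unusually large number of distinct shares inside a short window. The log layout, the thresholds and the IPs/share names are all assumptions made for this example.

```python
"""
Share-scanning heuristic: flag a source host that accesses many distinct
network shares within a short time window, which is the kind of access
pattern a ransomware SMB sweep produces. The record format, thresholds
and sample data below are assumptions for this example, not anything
taken from the articles quoted above.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Simplified layout:
#   <ISO timestamp> EventID=<id> Source=<client ip> Account=<user> Share=<\\server\share>
# 10.0.0.5 sweeps six distinct shares in ten seconds; 10.0.0.9 is ordinary
# interactive use; the 4624 line is a logon event that must be ignored.
SAMPLE_LOG = r"""
2016-06-01T09:00:01 EventID=5140 Source=10.0.0.5 Account=CORP\alice Share=\\FS01\Finance
2016-06-01T09:00:02 EventID=5140 Source=10.0.0.9 Account=CORP\bob Share=\\FS01\Finance
2016-06-01T09:00:03 EventID=5140 Source=10.0.0.5 Account=CORP\alice Share=\\FS01\HR
2016-06-01T09:00:04 EventID=5140 Source=10.0.0.5 Account=CORP\alice Share=\\FS01\Legal
2016-06-01T09:00:05 EventID=4624 Source=10.0.0.5 Account=CORP\alice Share=-
2016-06-01T09:00:06 EventID=5140 Source=10.0.0.5 Account=CORP\alice Share=\\FS02\Backups
2016-06-01T09:00:07 EventID=5140 Source=10.0.0.5 Account=CORP\alice Share=\\FS02\Engineering
2016-06-01T09:00:09 EventID=5140 Source=10.0.0.5 Account=CORP\alice Share=\\FS02\Marketing
2016-06-01T09:00:10 EventID=5140 Source=10.0.0.5 Account=CORP\alice Share=\\FS01\Finance
2016-06-01T09:05:30 EventID=5140 Source=10.0.0.9 Account=CORP\bob Share=\\FS01\HR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event_id>\d+) Source=(?P<source>\S+) "
    r"Account=(?P<account>\S+) Share=(?P<share>\S+)$"
)


def parse_events(text):
    """Parse the simplified records into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event_id": int(m["event_id"]),
            "source": m["source"],
            "account": m["account"],
            "share": m["share"],
        })
    return events


def find_share_scanners(events, min_shares=5, window=timedelta(seconds=120)):
    """
    Return {source_ip: alert} for every client that accessed at least
    `min_shares` distinct shares within any `window`-long span.
    Only event 5140 counts; repeated access to the same share counts once.
    """
    by_source = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 5140:
            by_source[ev["source"]].append(ev)

    alerts = {}
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["ts"])
        # Slide the window start over each event; stop at the first hit.
        for i, start in enumerate(evs):
            shares, accounts, last = set(), set(), start["ts"]
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                shares.add(ev["share"])
                accounts.add(ev["account"])
                last = ev["ts"]
            if len(shares) >= min_shares:
                alerts[source] = {
                    "distinct_shares": len(shares),
                    "shares": sorted(shares),
                    "accounts": sorted(accounts),
                    "first_seen": start["ts"],
                    "last_seen": last,
                }
                break
    return alerts


if __name__ == "__main__":
    for src, alert in find_share_scanners(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {alert['distinct_shares']} shares between "
              f"{alert['first_seen']} and {alert['last_seen']} as {alert['accounts']}")
```

The threshold and window are the tunable part: a file server's 5140 volume from a backup host or a user with many mapped drives will exceed five shares legitimately, so in practice the rule is scoped to workstation subnets or paired with a baseline of each host's normal share set. Real 5140 events are also only produced when "Audit File Share" auditing is enabled on the server side.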
