As if denying a user’s access to their files and asking for a $500 ransom to restore access wasn’t bad enough, the authors of a new piece of ransomware called CryptXXX decided to also pack their malware with information stealing capabilities.
The new malicious application is closely tied to the Angler exploit kit (EK) and to the Bedep botnet, and Proofpoint security researchers say it is the work of the same cybercriminal group behind the Reveton ransomware operation. Reveton, which was active two years ago, also took on data-stealing capabilities after an update in August 2014.
Distributed by the Angler EK, CryptXXX was observed in a campaign last week in which the exploit kit loaded Bedep, which in turn was also distributing Dridex 222. Like other ransomware, it encrypts users' files and displays a ransom note on the compromised computer, directing victims to a payment site with multi-language support.
Proofpoint researchers saw the ransomware delivered as a DLL that Bedep dropped into specific folders in four separate infections. Execution of the DLL is delayed for a set period so that the victim has a harder time connecting the infection to its delivery vector, and the ransomware includes anti-virtual-machine and anti-analysis checks.
When executed, CryptXXX encrypts users' files, appending the .crypt extension to each filename, and does the same on every mounted drive. It also steals bitcoins stored on the infected machine along with other user data.
This particular Bedep instance distributed Pony between November 2014 and December 2015, then dropped an undocumented “private stealer” until last month. CryptXXX's information-stealing features resemble those of that private stealer. Proofpoint ties the ransomware to the Angler/Bedep team, whose operator also ran Cool EK and Reveton.
Reveton and CryptXXX share several further traits: both are written in Delphi, both use a custom C&C protocol over TCP port 443, and both delay their start. Both also run as a DLL called through a custom entry function, drop a .dat file in %AllUsersProfile%, and include Bitcoin- and credential-stealing functions.
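The two host-side traits reported above, a burst of files renamed to a .crypt extension across mounted drives and a .dat file dropped into %AllUsersProfile%, are enough to build a simple hunting heuristic over file-system event logs. The following is an added example and is not Proofpoint's code or anything taken from the malware: the pipe-separated event format, the process name (rundll32.exe), the .dat file name, the resolution of %AllUsersProfile% to C:\ProgramData, and the five-renames-in-60-seconds threshold are all assumptions chosen for illustration, and the sample events are constructed.

```python
"""Hunting heuristic for the CryptXXX traits described in the article:
many files renamed to .crypt in a short window, and a .dat file written
under %AllUsersProfile%. Added example, not the malware's or Proofpoint's
code. Event format, process names, file names and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Assumption: %AllUsersProfile% resolves to C:\ProgramData (its default on
# Windows Vista and later); adjust for the environment being hunted.
ALL_USERS_PROFILE = r"C:\ProgramData"

# Constructed sample events: timestamp|operation|process|path|new path (RENAME only).
# rundll32.exe as the host process and 5a3f.dat as the file name are assumptions.
SAMPLE_EVENTS = r"""
2016-04-15T10:00:00|RENAME|rundll32.exe|C:\Users\bob\Documents\q1.xlsx|C:\Users\bob\Documents\q1.xlsx.crypt
2016-04-15T10:00:02|RENAME|rundll32.exe|C:\Users\bob\Documents\notes.docx|C:\Users\bob\Documents\notes.docx.crypt
2016-04-15T10:00:03|RENAME|rundll32.exe|C:\Users\bob\Pictures\img01.jpg|C:\Users\bob\Pictures\img01.jpg.crypt
2016-04-15T10:00:05|RENAME|rundll32.exe|D:\backup\2015.zip|D:\backup\2015.zip.crypt
2016-04-15T10:00:06|RENAME|rundll32.exe|D:\backup\photos.tar|D:\backup\photos.tar.crypt
2016-04-15T10:00:07|CREATE|rundll32.exe|C:\ProgramData\5a3f.dat
2016-04-15T10:00:09|RENAME|explorer.exe|C:\Users\bob\Desktop\draft.txt|C:\Users\bob\Desktop\final.txt
2016-04-15T10:00:10|CREATE|notepad.exe|C:\Users\bob\settings.dat
2016-04-15T10:00:11|RENAME|rundll32.exe|C:\Users\bob\Music\track.mp3|C:\Users\bob\Music\track.mp3.crypt
"""


def _norm(path):
    """Case-fold a Windows path and unify separators for prefix/suffix tests."""
    return path.replace("/", "\\").lower()


def parse_events(text):
    """Parse pipe-separated event lines into dicts; new_path is None unless RENAME."""
    events = []
    for line in text.strip().splitlines():
        fields = line.split("|")
        ts, op, proc, path = fields[:4]
        new_path = fields[4] if len(fields) > 4 else None
        events.append({"ts": datetime.fromisoformat(ts), "op": op,
                       "proc": proc, "path": path, "new_path": new_path})
    return events


def find_crypt_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Return {process: sorted drive letters} for every process that renamed at
    least `threshold` files to a .crypt extension within any `window`.
    A sliding window over the per-process rename timestamps finds the burst."""
    renames = defaultdict(list)
    for e in events:
        if e["op"] == "RENAME" and e["new_path"] and _norm(e["new_path"]).endswith(".crypt"):
            renames[e["proc"]].append(e)
    flagged = {}
    for proc, evs in renames.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                # Report every drive the process touched, since CryptXXX is
                # described as encrypting all mounted drives.
                drives = sorted({ntpath.splitdrive(e["new_path"])[0].rstrip(":").upper()
                                 for e in evs})
                flagged[proc] = drives
                break
    return flagged


def find_dat_drops(events, root=ALL_USERS_PROFILE):
    """Return paths of .dat files created or written directly under `root`."""
    prefix = _norm(root).rstrip("\\") + "\\"
    return [e["path"] for e in events
            if e["op"] in ("CREATE", "WRITE")
            and _norm(e["path"]).startswith(prefix)
            and _norm(e["path"]).endswith(".dat")]


def hunt(text, threshold=5, window_seconds=60):
    """Run both checks over raw event text and return the findings."""
    events = parse_events(text)
    return {"crypt_bursts": find_crypt_bursts(events, threshold, timedelta(seconds=window_seconds)),
            "dat_drops": find_dat_drops(events)}


if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

The rename burst is the stronger signal of the two: a single .dat file under %AllUsersProfile% is common for legitimate software, so in practice it is worth reporting only when it coincides with a burst from the same process. The delayed start described above means the burst may appear well after the Angler/Bedep infection event, so correlate by process lineage rather than by time alone. The custom C&C protocol on TCP 443 is not modelled here, as the article gives no detail about it.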
Given the Reveton operators' long record of successful, large-scale malware distribution, the researchers expect CryptXXX to become a dominant threat.
“While we have observed many new ransomware instances in recent months, many have been written and/or distributed by less experienced actors and have not gained significant traction. Those associated with more experienced actors, however, (such as Locky) have become widespread quickly. Based on the large number of translations available for the payment page, it appears that the Reveton team shares those expectations,” the researchers said.