CrypMIC Ransomware Emerges as CryptXXX Copycat

CryptXXX, the ransomware family that steals user data in addition to holding it hostage, might soon see tough competition from a newcomer that is already using the same distribution channel, namely the Neutrino exploit kit.

Dubbed CrypMIC, the contender was spotted a couple of weeks ago, when over the course of a week, Neutrino constantly switched the malicious payload between it and CryptXXX. What’s more, Trend Micro security researchers discovered that the new ransomware family mimics CryptXXX not only in terms of entry point, but also when it comes to the ransom note and payment site UI.

Other similarities between the two threats include the use of the same format for the sub-version ID/bot ID (the letter U followed by six digits, UXXXXXX) and the same export function names (MS1, MS2). Furthermore, researchers say that both ransomware families employ a custom protocol over TCP port 443 to communicate with their command and control (C&C) servers.
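A custom protocol on TCP port 443 is a detection opportunity: legitimate traffic on that port begins with a TLS handshake record, so a client whose first payload bytes are not a ClientHello stands out. The following is an added example written for this article, not code from Trend Micro or SecurityWeek; the flow records are constructed, the `Flow` type is a stand-in for whatever a sensor exports, and the byte pattern for the fake "custom protocol" is a placeholder, not the real C&C format.

```python
"""Flag TCP/443 flows whose first client payload bytes are not a TLS record.

Added example for the CrypMIC/CryptXXX article. The flow records below are
constructed; the non-TLS payload is a placeholder and does not reproduce any
real malware protocol.
"""
from dataclasses import dataclass

# A TLS record starts with content type 0x16 (Handshake) and a 0x03 0x0X
# version field; byte 5 is the handshake message type, 0x01 = ClientHello.
TLS_HANDSHAKE = 0x16
TLS_MAJOR = 0x03
TLS_MINOR_VERSIONS = {0x00, 0x01, 0x02, 0x03, 0x04}  # SSL 3.0 .. TLS 1.3 record layer
CLIENT_HELLO = 0x01


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first payload bytes sent by the client


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """Return True if the payload starts with a plausible TLS ClientHello record."""
    if len(payload) < 6:
        return False
    if payload[0] != TLS_HANDSHAKE or payload[1] != TLS_MAJOR:
        return False
    if payload[2] not in TLS_MINOR_VERSIONS:
        return False
    return payload[5] == CLIENT_HELLO


def find_non_tls_on_443(flows):
    """Return the flows to port 443 whose first client bytes are not TLS."""
    return [
        f for f in flows
        if f.dport == 443 and not looks_like_tls_client_hello(f.first_bytes)
    ]


# Constructed sample flows: one real-looking ClientHello, one opaque custom
# protocol on 443 (placeholder bytes), one unrelated flow on another port.
SAMPLE_FLOWS = [
    Flow("10.0.0.15", "203.0.113.10", 443,
         b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    Flow("10.0.0.15", "198.51.100.7", 443,
         b"\x00\x00\x00\x1cPLACEHOLDER-CUSTOM-PROTO"),
    Flow("10.0.0.15", "192.0.2.9", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for f in find_non_tls_on_443(SAMPLE_FLOWS):
        print(f"non-TLS on 443: {f.src} -> {f.dst} first bytes {f.first_bytes[:8]!r}")
```

The check is deliberately coarse: it will also flag legitimate non-TLS services parked on 443 (some VPNs, for instance), so in practice the destination list is then compared against known hosts rather than alerted on directly.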

However, the source code and capabilities of the two are different. CrypMIC doesn’t append an extension to the encrypted files, and it uses a different compiler and obfuscation method. Moreover, unlike CryptXXX, CrypMIC has a routine that checks for the presence of a virtual machine on the infected system and is designed to send that information to its C&C.

The new piece of ransomware uses AES-256 encryption, targets 901 file types on the infected machine, and has no autostart or persistence mechanism. The malware runs its encryption routine even in a virtualized environment, reporting the result to the C&C. Moreover, it leverages vssadmin to delete shadow copies.
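Shadow copy deletion through vssadmin is one of the few actions in the description above that produces a clear host-side signal, because the command is rarely run by anything other than an administrator or a backup agent. The following is an added example, not code from Trend Micro or SecurityWeek, that runs a detection over constructed process-creation log lines; the pipe-separated log format, host names and parent process names are all assumptions made for the illustration.

```python
"""Detect shadow-copy deletion via vssadmin in process-creation logs.

Added example for the CrypMIC/CryptXXX article. The log format
(timestamp|host|parent_image|command_line) and every line in SAMPLE_LOG are
constructed for illustration.
"""
import re

# Match "vssadmin[.exe] ... delete ... shadows" regardless of case, switches
# or spacing; "vssadmin list shadows" (normal backup-agent activity) must not fire.
VSSADMIN_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)

# Parents that are expected to run vssadmin in this (constructed) environment.
ALLOWED_PARENTS = {"backup_agent.exe"}

SAMPLE_LOG = """\
2016-07-20T10:01:03Z|WS-014|explorer.exe|"C:\\Windows\\System32\\notepad.exe" notes.txt
2016-07-20T10:02:11Z|WS-014|backup_agent.exe|vssadmin.exe list shadows
2016-07-20T10:02:19Z|WS-014|setup_tmp.exe|vssadmin.exe Delete Shadows /All /Quiet
2016-07-20T10:02:30Z|WS-022|backup_agent.exe|vssadmin delete shadows /for=D: /oldest
2016-07-20T10:03:40Z|WS-022|cmd.exe|whoami
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into its four fields."""
    ts, host, parent, cmdline = line.split("|", 3)
    return {"ts": ts, "host": host, "parent": parent, "cmdline": cmdline}


def detect_shadow_copy_deletion(log_text: str, allowed_parents=ALLOWED_PARENTS) -> list:
    """Return events where vssadmin deletes shadows from an unexpected parent."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        if not VSSADMIN_DELETE.search(event["cmdline"]):
            continue
        if event["parent"].lower() in allowed_parents:
            continue  # scheduled backup rotation, not an alert
        alerts.append(event)
    return alerts


if __name__ == "__main__":
    for a in detect_shadow_copy_deletion(SAMPLE_LOG):
        print(f"[{a['ts']}] {a['host']}: {a['parent']} ran: {a['cmdline']}")
```

The parent-process allowlist is the tuning knob: without it the rule also fires on the backup agent's own rotation on WS-022, and with it the only alert is the unexpected parent on WS-014. Because the article notes the malware has no persistence mechanism, this single event may be the only host artifact before files are already encrypted, which is why it is worth alerting on rather than merely logging.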

According to Trend Micro, CrypMIC, like CryptXXX, is particularly dangerous to enterprises because it can also encrypt files on removable and network drives, although it can only target network shares that have already been mapped to a drive letter. Both ransomware families demand the same ransom amount, namely 1.2 to 2.4 Bitcoins, researchers say.

However, the newcomer doesn’t download and execute an information-stealing module in its process memory, meaning that it isn’t able to harvest credentials and related information from the infected machine, something that CryptXXX has become famous for.

“Both CrypMIC and CryptXXX pose dangers to organizations and users as these threats steal and hold data hostage, and even pilfer credentials from various programs. Paying the ransom does not guarantee that end-users will get their files back. For instance, the decryptor created by CrypMIC’s developers has been reported to be not functioning properly,” Trend Micro says.

Furthermore, the security researchers note that businesses and users who end up paying the ransom are susceptible to further ransomware attacks. The best way to protect against such threats is to keep systems updated with the latest security patches, use multilayered defenses, and back up data regularly, so that files can be restored even after an infection.

Related: CryptXXX Now Being Distributed via Spam Emails

Related: Thousands of Websites Compromised to Spread CryptXXX Ransomware
