SecurityWeek
CrypMIC Ransomware Emerges as CryptXXX Copycat

CryptXXX, the ransomware family that steals user data in addition to holding it hostage, might soon see tough competition from a newcomer that is already using the same distribution channel, namely the Neutrino exploit kit.

Dubbed CrypMIC, the contender was spotted a couple of weeks ago, when over the course of a week, Neutrino constantly switched the malicious payload between it and CryptXXX. What’s more, Trend Micro security researchers discovered that the new ransomware family mimics CryptXXX not only in terms of entry point, but also when it comes to the ransom note and payment site UI.

Other similarities between the two threats include the use of the same format for the sub-version ID/bot ID (U[6 digits], i.e. UXXXXXX) and the same export function names (MS1, MS2). Furthermore, researchers say that both ransomware families use a custom protocol over TCP port 443 to communicate with their command and control (C&C) servers.

However, the source code and capabilities of the two are different. CrypMIC doesn’t append an extension to the encrypted files, and it uses a different compiler and obfuscation method. Moreover, unlike CryptXXX, CrypMIC has a routine that checks for the presence of a virtual machine on the infected system and is designed to send that information to its C&C.

The new piece of ransomware uses AES-256 encryption, targets 901 file types on the infected machine, and has no autostart or persistence mechanism. The malware runs its encryption routine even in a virtualized environment and reports the virtualization check result to the C&C. Moreover, it leverages vssadmin to delete shadow copies.
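As an added illustration (not code from the article or from Trend Micro’s research), the Python sketch below shows how a defender might flag the vssadmin shadow-copy deletion behaviour described above in process-creation telemetry. The sample events, the field names (pid, image, cmdline, parent) and the set of expected parent processes are constructed assumptions about a normalised log schema, not real data; the severity rule (higher when the parent lives in a user-writable path or is not a known administrative shell) is likewise an assumption chosen for the example.

```python
"""Flag shadow-copy deletion via vssadmin in process-creation telemetry.

Added example (not from the article or Trend Micro): a minimal detector that
scans normalised process-creation events for the vssadmin invocation that
ransomware such as CrypMIC and CryptXXX uses to remove Volume Shadow Copies
before encrypting files. Field names and sample events are assumptions.
"""
import re
from typing import Dict, List, Optional

# Matches "vssadmin[.exe] ... delete ... shadows" regardless of case, extra
# switches (/all /quiet /for=C: /oldest) or a wrapping cmd.exe /c invocation.
# The trailing \b keeps "delete shadowstorage" (a different verb target) from
# matching, so it can be handled by a separate rule if desired.
VSSADMIN_DELETE_SHADOWS = re.compile(
    r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE
)

# Parents from which interactive shadow-copy maintenance is plausible
# (assumed list; an environment would tune this to its own admin tooling).
EXPECTED_PARENTS = {
    r"c:\windows\system32\cmd.exe",
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
}

# Path fragments that indicate a parent binary running from a user-writable
# location, which is typical for a freshly dropped ransomware payload.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\")


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True when the command line deletes Volume Shadow Copies via vssadmin."""
    return VSSADMIN_DELETE_SHADOWS.search(cmdline) is not None


def classify_event(event: Dict) -> Optional[Dict]:
    """Return an alert dict for a matching event, or None if it is benign."""
    cmdline = event.get("cmdline", "")
    if not is_shadow_copy_deletion(cmdline):
        return None
    parent = event.get("parent", "").lower()
    from_user_writable = any(m in parent for m in USER_WRITABLE_MARKERS)
    # Deletion launched from a dropped binary or an unexpected parent is the
    # ransomware pattern; deletion from an admin shell still deserves review.
    severity = "high" if from_user_writable or parent not in EXPECTED_PARENTS else "medium"
    return {
        "pid": event.get("pid"),
        "severity": severity,
        "parent": event.get("parent"),
        "cmdline": cmdline,
    }


def scan(events: List[Dict]) -> List[Dict]:
    """Run the detector over a batch of events and collect the alerts."""
    return [alert for alert in map(classify_event, events) if alert]


# Constructed sample events, shaped like normalised Sysmon Event ID 1 /
# Windows 4688 records. None of these are real logs.
SAMPLE_EVENTS = [
    {"pid": 1201, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet",
     "parent": r"C:\Users\alice\AppData\Local\Temp\rad1234.exe"},
    {"pid": 1202, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"pid": 1203, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe create shadow /for=C:",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"pid": 1204, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "VSSADMIN.EXE Delete Shadows /For=C: /Oldest",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"pid": 1205, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "vssadmin delete shadows /all /quiet"',
     "parent": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] pid={alert['pid']} "
              f"parent={alert['parent']} cmd={alert['cmdline']}")
```

Because CrypMIC has no persistence mechanism, the shadow-copy deletion is one of the few host-side events that precedes encryption, which is why it is worth alerting on rather than merely logging; the parent-process check separates a dropped payload in a Temp directory from an administrator cleaning up snapshots.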

According to Trend Micro, CrypMIC, like CryptXXX, is particularly dangerous to enterprises because it can also encrypt files on removable and network drives, although it can only target network shares that have already been mapped to a drive letter. Both ransomware families demand the same ransom amount, namely 1.2 to 2.4 Bitcoins, researchers say.

However, the newcomer doesn’t download and execute an information-stealing module in its process memory, meaning that it isn’t able to harvest credentials and related information from the infected machine, something CryptXXX has become known for.

“Both CrypMIC and CryptXXX pose dangers to organizations and users as these threats steal and hold data hostage, and even pilfer credentials from various programs. Paying the ransom does not guarantee that end-users will get their files back. For instance, the decryptor created by CrypMIC’s developers has been reported to be not functioning properly,” Trend Micro says.


Furthermore, the security researchers note that businesses and users who end up paying the ransom are susceptible to further ransomware attacks. The best way to protect against such threats is to keep systems updated with the latest security patches, use multilayered defenses, and back up data regularly, so that files can be restored easily even after an infection.

Related: CryptXXX Now Being Distributed via Spam Emails

Related: Thousands of Websites Compromised to Spread CryptXXX Ransomware
