Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

CrypMIC Ransomware Emerges as CryptXXX Copycat

CryptXXX, the ransomware family that steals user data in addition to holding it hostage, might soon see tough competition from a newcomer that is already using the same distribution channel, namely the Neutrino exploit kit.

CryptXXX, the ransomware family that steals user data in addition to holding it hostage, might soon see tough competition from a newcomer that is already using the same distribution channel, namely the Neutrino exploit kit.

Dubbed CrypMIC, the contender was spotted a couple of weeks ago, when over the course of a week, Neutrino constantly switched the malicious payload between it and CryptXXX. What’s more, Trend Micro security researchers discovered that the new ransomware family mimics CryptXXX not only in terms of entry point, but also when it comes to the ransom note and payment site UI.

Other similarities between the two threats include the use of the same format for sub-versionID/botID (U[6digits] /  UXXXXXX]) and the same export function name (MS1, MS2). Furthermore, researchers say that both ransomware families employ a custom protocol via TCP Port 443 to communicate with their command and control (C&C) servers.

However, the source code and capabilities of the two are different. CrypMIC doesn’t append an extension to the encrypted files, and uses a different compiler and obfuscation method. Moreover, unlike CryptXXX, CrypMIC has a routine to check for the presence of a virtual machine on the infected system, while also designed to send that information to its C&C.

The new piece of ransomware uses AES-256 encryption, targets 901 file types on the infected machines, and has no autostart or persistence mechanisms. The malware can run its encryption routine even in a virtualized environment and sends the information to the C&C. Moreover, it leverages vssadmin for shadow copies deletion.

According to Trend Micro, the same as CryptXXX, CrypMIC is particularly dangerous to enterprises because it can also encrypt files on removable and network drives, although it can target only network shares that have been already mapped to a drive. Both ransomware families demand the same ransom amount, namely 1.2 to 2.4 Bitcoins, researchers say.

However, the newcomer doesn’t download and execute an information-stealing module on its process memory, meaning that it isn’t able to harvest credentials and related information from the infected machine, something that CryptXXX has become famous for.

“Both CrypMIC and CryptXXX pose dangers to organizations and users as these threats steal and hold data hostage, and even pilfer credentials from various programs. Paying the ransom does not guarantee that end-users will get their files back. For instance, the decryptor created by CrypMIC’s developers has been reported to be not functioning properly,” Trend Micro says.

Furthermore, the security researchers note that businesses and users who end up paying the ransom are susceptible to more ransomware attacks. The best way to protect against such threats is to keep systems updated, to have the latest security patches installed, use multilayered defenses, and constantly backup data, so that files can be easily restored even in case of an infection.

Related: CryptXXX Now Being Distributed via Spam Emails

Related: Thousands of Websites Compromised to Spread CryptXXX Ransomware

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Malware & Threats

Fortinet warned of three malicious PyPI packages containing code that fetches the Wacatac trojan and information stealer.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...