SecurityWeek

Malware & Threats

CryptXXX Ransomware Steals Bitcoin, Private Data

As if denying a user’s access to their files and asking for a $500 ransom to restore access wasn’t bad enough, the authors of a new piece of ransomware called CryptXXX decided to also pack their malware with information stealing capabilities.

The new malicious application is closely tied to the Angler exploit kit (EK) and to the Bedep botnet, and Proofpoint security researchers say it’s the offspring of the same cybercriminal group behind the Reveton ransomware operations. Active two years ago, Reveton also engaged in data stealing activities after receiving an update in August 2014.

Distributed by the Angler EK, CryptXXX was observed in a campaign last week, when the crimekit was loading Bedep to also distribute Dridex 222. Similar to other malware in the segment, the new ransomware encrypts user’s files and displays a ransom note on the compromised computer, while also directing users to a payment site that features multi-language support.

Proofpoint researchers observed the new ransomware being shipped as a DLL dropped by Bedep in specific folders in four different infections. The start of the DLL is delayed by a given period of time to make it difficult for the victim to associate it with the infection vector, and the ransomware features anti-virtual machine and anti-analysis functions.

When executed, CryptXXX encrypts the user’s files, appends the .crypt extension to each filename, and does the same on all mounted drives. Furthermore, it steals Bitcoins from the infected machine, as well as user data.

After distributing Pony between November 2014 and December 2015, this specific instance of Bedep started dropping an undocumented “private stealer” until last month. The CryptXXX ransomware’s info stealing abilities are similar to those of the private stealer. According to Proofpoint researchers, the ransomware is linked to the Angler/Bedep team, and the actor behind it was also operating Cool EK and Reveton.

Furthermore, there are various other similarities between Reveton and CryptXXX: both use the Delphi programming language and a custom C&C protocol on TCP 443, and both have a delayed start. Other similarities include a DLL called with a custom entry function, a .dat file dropped in %AllUsersProfile%, and Bitcoin and credential stealing functions.
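The two host-level traits described above, files renamed with a .crypt extension across every mounted drive and a .dat file dropped in %AllUsersProfile%, are the kind of thing a defender can watch for in file-system telemetry. The following is an added detection example, not code from Proofpoint or SecurityWeek. It assumes a simple line-oriented file-event log (constructed inline, format `<ISO timestamp> <operation> <path>`), assumes %AllUsersProfile% resolves to C:\ProgramData as it does on Windows Vista and later, and uses thresholds and file names chosen purely for illustration.

```python
"""Heuristic detector for a CryptXXX-style burst of .crypt renames.

Added example, not the malware authors', Proofpoint's or SecurityWeek's code.
Assumptions: a text log of file events shaped as
    <ISO timestamp> <operation> <path>[ -> <new path>]
and that %AllUsersProfile% maps to C:\\ProgramData. The thresholds
(window, minimum renames, minimum distinct drives) are illustrative.
"""
from datetime import datetime, timedelta

# Constructed sample log: benign activity, then a burst of ".crypt" renames
# touching two drive letters within three seconds, then a dropped .dat file.
# The file names are made up; "example_dropped.dat" is a placeholder, not an IoC.
SAMPLE_LOG = """\
2016-04-18T10:00:01 CREATE C:\\Users\\alice\\Documents\\budget.xlsx
2016-04-18T10:00:05 WRITE  C:\\Users\\alice\\Documents\\budget.xlsx
2016-04-18T10:03:10 RENAME C:\\Users\\alice\\Documents\\budget.xlsx -> C:\\Users\\alice\\Documents\\budget.xlsx.crypt
2016-04-18T10:03:10 RENAME C:\\Users\\alice\\Pictures\\holiday.jpg -> C:\\Users\\alice\\Pictures\\holiday.jpg.crypt
2016-04-18T10:03:11 RENAME C:\\Users\\alice\\Desktop\\notes.txt -> C:\\Users\\alice\\Desktop\\notes.txt.crypt
2016-04-18T10:03:12 RENAME D:\\backup\\report.docx -> D:\\backup\\report.docx.crypt
2016-04-18T10:03:12 RENAME D:\\backup\\photos.zip -> D:\\backup\\photos.zip.crypt
2016-04-18T10:03:13 CREATE C:\\ProgramData\\example_dropped.dat
"""

CRYPT_EXT = ".crypt"
ALL_USERS_PROFILE = "C:\\ProgramData"   # assumed expansion of %AllUsersProfile%


def parse_event(line):
    """Split one log line into (timestamp, operation, source path, destination path or None)."""
    ts_str, op, rest = line.split(None, 2)
    ts = datetime.fromisoformat(ts_str)
    if op == "RENAME":
        src, dst = rest.split(" -> ", 1)
    else:
        src, dst = rest, None
    return ts, op, src, dst


def drive_of(path):
    """Return the drive letter prefix ('C:') of a Windows path, or '?' if absent."""
    return path[:2].upper() if len(path) > 1 and path[1] == ":" else "?"


def find_crypt_burst(log_text, window=timedelta(seconds=30), min_renames=4, min_drives=2):
    """Return the first window in which at least `min_renames` files gained the
    .crypt extension across at least `min_drives` distinct drives, else None."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    renames = [(ts, dst) for ts, op, _, dst in events
               if op == "RENAME" and dst and dst.lower().endswith(CRYPT_EXT)]
    renames.sort(key=lambda r: r[0])   # sliding window needs time order
    for i, (start, _) in enumerate(renames):
        in_window = [r for r in renames[i:] if r[0] - start <= window]
        drives = {drive_of(dst) for _, dst in in_window}
        if len(in_window) >= min_renames and len(drives) >= min_drives:
            return {"start": start, "count": len(in_window), "drives": sorted(drives)}
    return None


def find_allusers_dat(log_text):
    """Return paths of .dat files created directly under %AllUsersProfile%."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, op, src, _ = parse_event(line)
        if op == "CREATE" and src.lower().endswith(".dat") \
                and src.lower().startswith(ALL_USERS_PROFILE.lower() + "\\"):
            hits.append(src)
    return hits


if __name__ == "__main__":
    print("crypt burst:", find_crypt_burst(SAMPLE_LOG))
    print("dat drops:  ", find_allusers_dat(SAMPLE_LOG))
```

The burst rule is deliberately coarse: a single renamed file is normal, but many renames to one unusual extension within seconds, spanning more than one drive letter, matches the "all mounted drives" behaviour the article describes and is a reasonable trigger for isolating the host. The .dat check is a secondary, lower-confidence signal that should be correlated with the rename burst rather than alerted on alone.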

Based on Reveton’s long history of successful and large-scale malware distribution, researchers believe that CryptXXX will become a dominant threat.

“While we have observed many new ransomware instances in recent months, many have been written and/or distributed by less experienced actors and have not gained significant traction. Those associated with more experienced actors, however, (such as Locky) have become widespread quickly. Based on the large number of translations available for the payment page, it appears that the Reveton team shares those expectations,” the researchers said.
