CryptXXX

CryptXXX targets Windows OS and is distributed through the Bedep Trojan, which is spread via the Angler Exploit Kit. It is shipped as a dynamic-link library (DLL) file that Bedep drops into folders under AppData\Local\Temp. Execution of the DLL is deliberately delayed by a random interval so that the victim has a harder time connecting the infection to the attack vector, specifically the compromised website that distributed it. It can detect whether it is running in a virtual environment and contains anti-analysis capabilities: it checks the registry for the CPU name and installs a hook procedure to monitor mouse events. Files encrypted by CryptXXX carry .crypt, .cryp1, .crypz, or a random string of characters as the extension. It encrypts files on all local and mounted drives and searches for credentials and Bitcoin to steal. It also collects browser and mail client information as well as cookie data and transmits it to the attacker using a custom command and control (C2) protocol over TCP port 443. CryptXXX demands a $500 ransom to decrypt files. The most recent versions are CryptXXX 3.0, CryptXXX 3.100, and UltraCrypter. It has been reported that UltraCrypter does not recognize ransom payments, leaving victims who have paid with no decryption key. CryptXXX 3.100 is bundled with StillerX, a module designed to steal login credentials; it is distributed via the Neutrino Exploit Kit and includes a payment portal.

UPDATE 7/8/2016: A new version of CryptXXX does not append any extensions to encrypted files, making it more difficult to determine which variant caused the infection. It also does not include any method of contacting the attacker should there be problems submitting payment.

UPDATE 7/14/2016: Free decryption keys for encrypted files with the extensions .cryp1 and .crypz are currently available through their respective decryption websites. It is currently unknown whether this was a deliberate decision by the developers or the result of a coding error in the payment system.

UPDATE 7/20/2016: A new version of CryptXXX not only appends an extension to encrypted files but also replaces the entire file name with a string of letters and numbers, making file identification difficult for victims.
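The naming behaviours described above (documented extensions, a random extension, and the 7/20/2016 full-name rewrite) can be triaged from a plain directory listing. The following is an added example, not code from the original write-up or from any vendor tool; the sample listing, the constructed extension .k9w2q, the common-extension allowlist and the 16-character name threshold are all assumptions.

```python
from collections import Counter
from pathlib import PureWindowsPath
import re

# Extensions the write-up attributes to CryptXXX-encrypted files.
CRYPTXXX_EXTENSIONS = {".crypt", ".cryp1", ".crypz"}

# Extensions treated as ordinary by the unfamiliar-extension heuristic.
# Assumption: a real deployment substitutes the organisation's own allowlist.
COMMON_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".txt"}

# Heuristic for the 7/20/2016 variant: whole file name replaced by letters and
# digits. The 16-character minimum is an assumption, not taken from the page.
RANDOM_NAME = re.compile(r"^(?=.*[0-9])(?=.*[A-Za-z])[A-Za-z0-9]{16,}$")

# Constructed directory listing standing in for a scan of a user profile.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.crypt",
    r"C:\Users\alice\Documents\notes.txt.crypz",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Music\song.mp3",
    r"C:\Users\alice\Documents\report.docx.k9w2q",
    r"C:\Users\alice\Documents\plan.pptx.k9w2q",
    r"D:\share\Q3f7Lp2Xv9Rk4Mn8Zt1.k9w2q",
]


def triage_listing(paths, burst_threshold=3):
    """Map each indicator to the paths matching it.

    known_extension: a documented CryptXXX extension.
    extension_burst: one unfamiliar extension shared by >= burst_threshold
        files, the footprint of the random-extension variant.
    random_name: stem is only letters and digits (7/20/2016 variant).
    The 7/8/2016 variant appends nothing, so name-based triage cannot see it.
    """
    hits = {"known_extension": [], "extension_burst": [], "random_name": []}
    parsed = [(p, PureWindowsPath(p)) for p in paths]
    unfamiliar = Counter(w.suffix.lower() for _, w in parsed
                         if w.suffix and w.suffix.lower() not in
                         CRYPTXXX_EXTENSIONS | COMMON_EXTENSIONS)
    burst = {ext for ext, n in unfamiliar.items() if n >= burst_threshold}
    for p, w in parsed:
        ext = w.suffix.lower()
        if ext in CRYPTXXX_EXTENSIONS:
            hits["known_extension"].append(p)
        elif ext in burst:
            hits["extension_burst"].append(p)
        if RANDOM_NAME.match(w.stem):
            hits["random_name"].append(p)
    return hits
```

A single file with an unfamiliar extension (song.mp3 in the sample) stays below the burst threshold, which keeps the heuristic from flagging ordinary uncommon file types.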

  • Proofpoint has published analyses of CryptXXX and of CryptXXX 2.0.

  • Kaspersky Lab provides a free decryption tool for CryptXXX versions 1, 2, and 3 with the Rannoh Decrypter on the NoMoreRansom.org website.