This is a security alert for all TruShield clients and the broader community. TruShield has learned of a new ransomware variant, CryptXXX, that is being distributed through widely used exploit kits.
Overview and Attack Vector
Ransomware has continued to proliferate rapidly in 2016, and many cybercriminals have reused existing exploit kits and malware families to push slightly altered payloads to their victims. CryptXXX is one example of this pattern. Discovered by Proofpoint, this strain resembles well-known families such as Locky and CryptoWall in that it creates three ransom-note files upon infection. It has also been linked to the Angler Exploit Kit and the Bedep malware. Because Angler is already widely distributed, the breadth of the CryptXXX infection path could increase rapidly in the coming weeks.
So far, CryptXXX has most often been observed as a DLL dropped by Bedep. One behavioral difference from several other ransomware strains is that the CryptXXX DLL waits a random delay before executing, a known tactic intended to slow analysis and to obscure which website was the source of the infection. Other anti-analysis tactics include a check of the CPU name and a hook that watches for mouse activity, so that a sandbox with no user interaction never sees the payload run. Once running, it searches both local and mounted drives for files to encrypt and appends the ".crypt" extension to each. As an additional tactic previously noted with Bedep, it also harvests specific information: Bitcoin wallet data, file-transfer credentials, instant-messenger data, email-client and account data, and private browser data. Several of these tactics, together with characteristics such as the port used for C&C activity and possible code reuse, have also led analysts to link CryptXXX with Reveton.
The $500 decryption fee, together with any stolen bitcoins or personal information that could be leaked, should prompt an immediate review of your security posture. Given the many ties between CryptXXX and major exploit kits and known malware families, this alert should be treated as a high-severity infection warning. Expect the number of CryptXXX infections to grow throughout the year if organizations and users do not take measures in advance. It is also likely that several altered iterations will appear, as happened with TeslaCrypt.
Indicators of Compromise
SHA-256 hash:
Related IPs and sites:
DLL files in directories similar to the following:
Mitigation and Prevention
- Use updated antimalware and antivirus products.
- Keep regular backups both on and off-site.
- Do not open files of unknown origin, and compare suspicious files against the IOCs above.
- Use application control software with a default-deny policy for executables.
- Restrict the use of administrative or elevated privileges.
- Isolate infected systems from the network and storage devices.
- Monitor systems for registry or file changes.
- Keep systems patched with the latest updates.
- Continuously monitor network traffic for C&C communication.
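The following script is an added example written for this alert; it is not TruShield's tooling or anything taken from the malware. It turns two of the items above, comparing files against known IOCs and monitoring for file changes, into a hunt over a file tree: it flags every file carrying the ".crypt" extension described in the overview, hashes every DLL with SHA-256 and checks it against a caller-supplied IOC set, and marks directories where most files already carry ".crypt", which is a stronger signal than a single stray file. The IOC hash set, the sample directory layout, and the file name `dropped.dll` are all constructed for the demonstration and are not real indicators; the real ones are the values in the table above.

```python
"""Hunt a file tree for the CryptXXX artifacts this alert describes.

Added example for this alert, not TruShield's own tooling. The IOC hash
set and the sample tree built by build_sample_tree() are constructed for
the demo and are NOT real CryptXXX indicators.
"""
import hashlib
import os
import tempfile

ENCRYPTED_EXT = ".crypt"   # extension CryptXXX appends to encrypted files
DLL_EXT = ".dll"           # the payload has been observed as a dropped DLL


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root, ioc_hashes, min_crypt_ratio=0.5, min_files=3):
    """Walk `root` and return a dict of findings.

    crypt_files: every file whose name ends in ".crypt".
    ioc_dlls:    (path, digest) for each DLL whose SHA-256 is in ioc_hashes.
    hot_dirs:    directories holding at least `min_files` files where the
                 share of ".crypt" files is >= min_crypt_ratio. One stray
                 ".crypt" file is weak evidence; a mostly-encrypted folder
                 is what bulk encryption actually leaves behind.
    """
    ioc_hashes = {h.lower() for h in ioc_hashes}
    findings = {"crypt_files": [], "ioc_dlls": [], "hot_dirs": []}
    for dirpath, _dirs, files in os.walk(root):
        n_crypt = 0
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext == ENCRYPTED_EXT:
                n_crypt += 1
                findings["crypt_files"].append(path)
            elif ext == DLL_EXT:
                digest = sha256_file(path)
                if digest in ioc_hashes:
                    findings["ioc_dlls"].append((path, digest))
        if files and len(files) >= min_files and n_crypt / len(files) >= min_crypt_ratio:
            findings["hot_dirs"].append(dirpath)
    return findings


def build_sample_tree():
    """Create a constructed, partially "infected" tree under a temp dir.

    Returns (root, ioc_hash). The DLL content, its name and its hash are
    fabricated for the demo and are not a real CryptXXX indicator.
    """
    root = tempfile.mkdtemp(prefix="cryptxxx-demo-")
    docs = os.path.join(root, "Documents")
    pics = os.path.join(root, "Pictures")
    temp = os.path.join(root, "Temp")
    for d in (docs, pics, temp):
        os.makedirs(d)
    # Encrypted documents keep their original name with ".crypt" appended.
    for name in ("budget.xlsx.crypt", "notes.docx.crypt", "plan.pptx.crypt"):
        with open(os.path.join(docs, name), "wb") as f:
            f.write(os.urandom(64))
    with open(os.path.join(docs, "todo.txt"), "w") as f:
        f.write("not yet encrypted\n")
    # A directory the malware has not reached.
    with open(os.path.join(pics, "cat.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff" + b"\x00" * 16)
    # A fake dropped DLL whose hash we treat as the IOC for this demo.
    dll = os.path.join(temp, "dropped.dll")
    with open(dll, "wb") as f:
        f.write(b"MZ" + b"constructed demo payload, not malware")
    return root, sha256_file(dll)


if __name__ == "__main__":
    root, ioc = build_sample_tree()
    result = hunt(root, {ioc})
    for key, items in result.items():
        print(f"{key}: {len(items)}")
        for item in items:
            print("   ", item)
```

In practice, point `hunt()` at each drive letter or mount point (the overview notes that mounted drives are encrypted too), load `ioc_hashes` from the SHA-256 values in the table above, and run it on a schedule rather than once: the random execution delay described above means a clean scan taken right after a user visited a suspect site does not clear that host.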