
CryptXXX Ransomware

This is a security alert for all TruShield clients and the community at large. TruShield has learned of a new ransomware variant known as CryptXXX which has been associated with widespread exploit kits.

Overview and Attack Vector

As the proliferation of ransomware in 2016 continues, many cybercriminals have reused existing exploit kits and malware families to push slightly altered payloads to their victims. CryptXXX is one ransomware variant that illustrates this behavior. Discovered by Proofpoint, this strain resembles well-known families such as Locky and CryptoWall in that it drops three ransom-note files upon infection. It has also been linked to the Angler Exploit Kit and to Bedep. Because Angler is already widely distributed, the reach of the CryptXXX infection path could grow rapidly in the coming weeks.

Malicious Tactics

So far, CryptXXX has most often been observed as a DLL file dropped by Bedep. One behavioral difference between CryptXXX and several other ransomware strains is that the CryptXXX DLL waits for a random delay before executing. This is a known malware tactic intended to slow analysis and to obscure which website was the source of the infection. Related evasion tactics include a check of the CPU name and a hook that watches for mouse activity. Upon execution, it searches both local and mounted drives for files to encrypt and appends the ".crypt" extension to each one. As an additional tactic previously noted with Bedep, it also harvests specific information, for example bitcoins, file-transfer credentials, instant-messenger data, email program and account data, and private browser data. Several of these tactics, together with characteristics such as the port used for C&C activity and possible code reuse, have also led experts to link CryptXXX with Reveton.

Severity Warning

The $500 decryption fee, along with any stolen bitcoins or personal information that could be leaked, should serve as a prompt to adjust your security posture immediately. Coupled with the many ties between CryptXXX and major exploit kits and known malware families, this amounts to an infection severity warning. Expect a growing number of CryptXXX infections throughout the year if organizations and users do not take measures in advance. It would also not be surprising for several altered iterations to appear, as happened with TeslaCrypt.


Indicators of Compromise

SHA 256 Hash
Related IPs and Sites
DLL files in directories similar to the following


Mitigation and Prevention

  • Use updated antimalware and antivirus products.
  • Keep regular backups both on and off-site.
  • Do not open unknown files and compare with known IOCs.
  • Use application control software with a base deny policy on executables.
  • Use administrative or elevated privileges carefully.
  • Isolate infected systems from the network and storage devices.
  • Monitor systems for registry or file changes.
  • Keep systems patched with the latest updates.
  • Continuously monitor network traffic for C&C communication.
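The Malicious Tactics section above notes that CryptXXX renames victim files with a ".crypt" extension across both local and mounted drives, and the mitigation list recommends monitoring systems for file changes. The following Python script is an added example written for this page; it is not TruShield's code nor a tool from any vendor named here. It assumes a simplified file-system event feed (host, timestamp, path, operation) of the kind an endpoint agent or audit log might provide, and it uses constructed sample events and assumed thresholds (20 ".crypt" writes within 60 seconds on one host) to show how a detection rule can flag mass-encryption behavior and report which drive roots, including UNC shares, were touched.

```python
"""Flag hosts that write many ".crypt" files in a short window.

Added example for this advisory. The event format, the sample data and
the thresholds are assumptions; only the ".crypt" extension and the
local-plus-mounted-drive behavior come from the advisory text.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

CRYPT_EXT = ".crypt"  # extension CryptXXX appends to encrypted files


@dataclass(frozen=True)
class FileEvent:
    """One file-system event from an assumed endpoint telemetry feed."""
    ts: datetime
    host: str
    path: str
    op: str  # "create", "rename" or "delete"


def is_crypt_write(ev: FileEvent) -> bool:
    """True for create/rename events that produce a ".crypt" file."""
    return ev.op in ("create", "rename") and ev.path.lower().endswith(CRYPT_EXT)


def drive_root(path: str) -> str:
    """Drive letter or UNC share of a Windows path, lower-cased.

    'C:\\Users\\a\\x.docx.crypt' -> 'c:'; '\\\\nas\\share\\y.crypt' -> '\\\\nas\\share'
    """
    p = PureWindowsPath(path)
    return (p.drive or p.anchor).lower()


def detect_mass_encryption(events, window_seconds=60, threshold=20):
    """Sliding-window rule: alert once per host when `threshold` ".crypt"
    writes land within `window_seconds`. Returns a list of alert dicts."""
    alerts = []
    per_host = {}   # host -> deque of recent .crypt write events
    fired = set()   # hosts already alerted on
    for ev in sorted(events, key=lambda e: e.ts):
        if not is_crypt_write(ev):
            continue
        q = per_host.setdefault(ev.host, deque())
        q.append(ev)
        cutoff = ev.ts - timedelta(seconds=window_seconds)
        while q and q[0].ts < cutoff:   # drop events outside the window
            q.popleft()
        if len(q) >= threshold and ev.host not in fired:
            fired.add(ev.host)
            alerts.append({
                "host": ev.host,
                "count": len(q),
                "first": q[0].ts,
                "last": ev.ts,
                # distinct local drives and mounted shares touched
                "drives": sorted({drive_root(e.path) for e in q}),
            })
    return alerts


def sample_events():
    """Constructed sample: ws-01 shows a burst across C: and a share,
    ws-02 shows a few isolated .crypt files that should not alert."""
    base = datetime(2016, 4, 20, 9, 0, 0)
    evs = []
    for i in range(25):
        if i % 3 == 0:
            path = rf"\\nas\share\finance\doc{i}.xlsx.crypt"
        else:
            path = rf"C:\Users\alice\Documents\file{i}.docx.crypt"
        evs.append(FileEvent(base + timedelta(seconds=i), "ws-01", path, "rename"))
    # deletions of originals must not count as encryption writes
    evs.append(FileEvent(base + timedelta(seconds=30), "ws-01",
                         r"C:\Users\alice\Documents\file1.docx", "delete"))
    for i in range(3):
        evs.append(FileEvent(base + timedelta(minutes=10 * i), "ws-02",
                             rf"C:\temp\old{i}.crypt", "create"))
    return evs


if __name__ == "__main__":
    for alert in detect_mass_encryption(sample_events()):
        print(alert)
```

The rule fires on the twentieth qualifying write, so the alert reports the window contents at that moment; a production version would usually also suppress known-good processes and forward the affected drive roots so that the isolation step in the mitigation list can be applied to the right shares.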

Copyright © 2018