This Ransomware Is Evolving Too Quickly for the Good Guys to Keep Up

Just after Kaspersky releases a decrypt tool for CryptXXX, the ransomware’s authors manage to bypass it.

May 11 2016, 1:49pm

Image: H Tarar/Flickr

Researchers are fighting back against ransomware, and have released plenty of "decryptor" tools for unlocking victims' files. A tool to combat TeslaCrypt launched last year; researchers published instructions for getting rid of the pernicious Jigsaw ransomware; and, most recently, cybersecurity company Kaspersky announced its own tool for victims of the CryptXXX ransomware.

But the authors of CryptXXX counter-attacked, releasing a new version of their ransomware that makes Kaspersky's efforts moot.

"The latest version of CryptXXX, which appeared in the wild today, renders that tool ineffective, returning the focus on CryptXXX to detection and prevention," researchers from cybersecurity company Proofpoint wrote in a blog post, published earlier this week.

CryptXXX works in much the same way as other pieces of ransomware. After a potential victim visits a malicious webpage, their browser is redirected to an exploit kit, such as Angler. From here, the kit delivers CryptXXX to the target machine, and locks down personal documents and other files stored on it.

"There are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW!" reads the message that appears on CryptXXX victims' machines, according to a screenshot published by Proofpoint.

In its latest iteration, CryptXXX locks the screen and makes the infected computer unusable. This move, Proofpoint hypothesised, was a "quick and dirty" way to make it impossible for victims to use the Kaspersky decrypt tool.

Instead, Proofpoint writes, the CryptXXX authors found some other way to defeat the tool, although it's not entirely clear what that method is (Proofpoint did publish a screenshot of an error message from the Kaspersky tool).

Another tweak from CryptXXX is that ransom messages are now unique to each victim, and are based on a personal ID generated for each machine.

"The files that alert the victim that they are infected were previously 'de_crypt_readme' with bmp, txt, and html extensions. These files are no longer used; instead the filenames are the unique 'Personal ID' from the infected machines," Proofpoint continued.
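Because the note filenames are no longer fixed, a detector that matches only on "de_crypt_readme" goes blind against the newer builds. A more durable heuristic keys on the drop pattern the article describes rather than the name: several notes sharing one stem, written as .txt, .html and .bmp into the same folder. The script below is an added example written for this article, not code from Proofpoint, Kaspersky or the CryptXXX authors. It assumes the later builds keep the three note formats and change only the stem (the article confirms the stem change, not the extensions), and the directory listing it scans is constructed for illustration.

```python
"""
Heuristic detector for CryptXXX-style ransom-note drops (added example).

A hit is any directory in which one filename stem appears with all of the
.txt, .html and .bmp extensions. The stem 'de_crypt_readme' is the name the
article attributes to earlier builds; later builds name the notes after the
victim's 'Personal ID', so any other stem that shows the same three-file
pattern is reported too. Assumption: the three note formats are retained
across builds and only the stem changes.
"""
import os
from collections import defaultdict
from pathlib import PurePosixPath

NOTE_EXTENSIONS = {".txt", ".html", ".bmp"}
KNOWN_STEM = "de_crypt_readme"   # fixed note name reported for earlier builds


def find_note_sets(paths):
    """Group file paths by (directory, stem) and return every group that
    carries the full set of note extensions.

    Returns a list of dicts sorted by directory then stem. The 'label' is
    'known-stem' for the documented de_crypt_readme name and 'other-stem'
    for any other stem, which is what a per-victim ID filename would look
    like under the assumption stated in the module docstring.
    """
    groups = defaultdict(set)
    for p in paths:
        pp = PurePosixPath(p)
        # Compare case-insensitively: Windows filesystems are case-preserving
        # but case-insensitive, so README.TXT and readme.txt are one file.
        groups[(str(pp.parent), pp.stem.lower())].add(pp.suffix.lower())

    hits = []
    for (directory, stem), exts in groups.items():
        if NOTE_EXTENSIONS <= exts:          # all three note formats present
            label = "known-stem" if stem == KNOWN_STEM else "other-stem"
            hits.append({"dir": directory, "stem": stem, "label": label})
    return sorted(hits, key=lambda h: (h["dir"], h["stem"]))


def affected_directories(paths):
    """Just the directories that contain at least one note set."""
    return sorted({h["dir"] for h in find_note_sets(paths)})


def scan_tree(root):
    """Walk a real directory tree and run the heuristic over every file."""
    paths = []
    for dirpath, _dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, name) for name in filenames)
    return find_note_sets(paths)


# Constructed sample listing, not taken from any real infection: one folder
# with the older fixed note name, one with an ID-style stem, and one folder
# that only has two of the three extensions and must not be flagged.
SAMPLE_LISTING = [
    "/home/alice/Documents/de_crypt_readme.txt",
    "/home/alice/Documents/de_crypt_readme.html",
    "/home/alice/Documents/de_crypt_readme.bmp",
    "/home/alice/Documents/report.docx",
    "/home/alice/Pictures/3F2A9C7E1B0D.txt",
    "/home/alice/Pictures/3F2A9C7E1B0D.html",
    "/home/alice/Pictures/3F2A9C7E1B0D.bmp",
    "/home/alice/Pictures/holiday.jpg",
    "/srv/www/index.html",
    "/srv/www/index.txt",
    "/srv/www/logo.bmp",
]

if __name__ == "__main__":
    for hit in find_note_sets(SAMPLE_LISTING):
        print(f"{hit['dir']}: stem={hit['stem']} ({hit['label']})")
```

Run against the constructed listing it reports the Documents folder (known stem) and the Pictures folder (an ID-style stem), and stays quiet on /srv/www, where no single stem has all three extensions. On a file server the same `scan_tree` routine can be pointed at user shares; a sudden appearance of `other-stem` hits across many folders is the kind of signal a defender wants, independent of whatever name the next build chooses.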

Some ransomware authors have made amateur mistakes, which in turn allowed for the creation of decryptor tools. With CryptXXX, however, researchers might have more of a battle on their hands.