Security firm SentinelOne on June 27 announced that it has discovered a new variant of the CryptXXX ransomware family. The CryptXXX variant follows the demise of the rival TeslaCrypt ransomware at the end of May.
The TeslaCrypt ransomware mysteriously shut down last month, and in its place other ransomware families, including CryptXXX, have been on the rise. There isn’t a unique name for the new version of CryptXXX yet, though it has some differentiated characteristics, including improved use of encryption.
“This is a very active family, with new variants popping up all the time,” Caleb Fenton, senior security researcher at SentinelOne, told eWEEK. “We don’t have a special name for it yet, but it’s similar though not identical to what other vendors are calling 3.0 or 3.1.”
How CryptXXX Variant Was Discovered
How did SentinelOne discover the new CryptXXX variant? Fenton said SentinelOne monitors a variety of locations, including underground forums, for intelligence and binaries. Its researchers performed various searches across different sources until they found a trail leading to the new version.
The core foundational code behind the new CryptXXX variant, according to Fenton, is the same as prior versions of CryptXXX. The new variant also uses the same payment site as the older versions. At this point, the new version of CryptXXX is not targeting any specific geography, instead simply looking for any options to infiltrate an organization regardless of location and industry. Fenton added that SentinelOne has evidence that the new CryptXXX variant is spreading through spam, though it may be spreading through other means as well.
The new CryptXXX is also noteworthy in that it is not exploiting any specific known or unknown software vulnerabilities.
“No vulnerabilities are required,” Fenton said. “They seem to be abusing poor spam filtering and user behavior to deliver malware directly to a system.”
The ransom itself is “reasonably low”—in the $500 to $800 range—which suggests the group behind the new CryptXXX ransomware is not just targeting businesses, but individuals as well, according to Fenton. To date, SentinelOne’s analysis indicates that approximately $50,000 worth of Bitcoin has been paid in ransom by victims of the new CryptXXX ransomware variant.
One reason why the new CryptXXX is successful is because the hackers behind the ransomware have properly implemented encryption, making it more difficult for users to decrypt on their own. Prior versions of CryptXXX encrypted user files with either the crypz or crypt file extension. In contrast, the new version of CryptXX encrypts files with the crypt1 extension. Fenton explained that with the crypz and crypt encrypted files, the CryptXXX attackers were in fact using a flawed file encryption implementation that allowed files to be decrypted without paying the ransom. That’s not the case with crypt1.
“Crypto is a hard problem and easy to get wrong, so this is not surprising,” he said. “It’s likely that the weak encryption worked good enough, but eventually the malware authors decided that the availability of free decryption tools was cutting into their profits, so they invested in making the encryption better.”
From a defender perspective, running up-to-date antivirus might not be enough to actually detect and alert all users to the new CryptXXX threat. Fenton said there’s no guarantee that signature-based heuristics will catch a new variant of any malware family. He emphasized that the people running ransomware campaigns are not just hackers playing a prank; rather, they are professionals who think in terms of return on investment.
“If AV is judged to be cutting too much into profits, they will invest more energy in tailoring each new variant so signatures aren’t as effective,” Fenton said. “It makes sense that we should see malware become more sophisticated and slippery, and the AV industry needs to step it up and provide something more than signatures if we’re going to combat tomorrow’s threats.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.