CryptXXX Ransomware

This is a security alert for all TruShield clients and the community at large. TruShield has learned of a new ransomware variant known as CryptXXX which has been associated with widespread exploit kits.

Overview and Attack Vector

As the rapid proliferation of ransomware in 2016 continues, many cybercriminals have used existing exploit kits and malware families to push slightly altered payloads to their victims. CryptXXX is one ransomware variant that illustrates this behavior. Discovered by Proofpoint, this strain resembles well-known families such as Locky and CryptoWall in that it creates three ransom note files upon infection. It has also been linked to the Angler Exploit Kit and Bedep. Because Angler is already widely distributed, the reach of the CryptXXX infection path could increase rapidly in the coming weeks.

Malicious Tactics

So far, CryptXXX has most often been observed as a DLL file dropped by Bedep. One behavioral difference between CryptXXX and several other ransomware strains is that the CryptXXX DLL waits for a random delay before executing. This is a known malware tactic intended to slow analysis and to obscure which website was the source of the infection. Related tactics include checking the CPU name and installing a hook that watches for mouse activity. Upon execution, it searches both local and mounted drives for files to encrypt and appends the ".crypt" extension to them. As an additional tactic previously seen with Bedep, it also harvests specific information, for example bitcoins, file transfer credentials, instant messenger data, email program and account data, and private browser data. Several of these tactics, together with other characteristics such as the port used for C&C activity and possible code reuse, have led researchers to link CryptXXX with Reveton.

Severity Warning

The $500 decryption fee, together with any stolen bitcoins or personal information that could be leaked, should serve as a quick reminder to adjust your security posture immediately. Combined with the many ties between CryptXXX and major exploit kits and known malware families, this is essentially an infection severity warning. Expect a growing number of CryptXXX infections throughout the year if organizations and users do not take measures in advance. It would also not be surprising for several altered iterations to appear, as happened with TeslaCrypt.

Indicators of Compromise

SHA-256 hashes

  • a4e9c151a50595b59e787dd3b361ac53d02dd7f212d6b22639dc01776c886d05
  • 565dadb36e1d8b0c787d0d5e4cd7ec8c24cac1d6b37637427547ae465ab0fff0
  • 0b12584302a5a72f467a08046814593ea505fa397785f1012ab973dd961a6c0e

Related IPs and sites

  • 146.0.42.68
  • rp4roxeuhcf2vgft[dot]onion.to
  • rp4roxeuhcf2vgft[dot]onion.cab
  • rp4roxeuhcf2vgft[dot]onion.city
  • 104.193.252[dot]245
  • 217.23.6[dot]40

DLL files in directories similar to the following

  • C:\Users\%Username%\AppData\Local\Temp\{C3F31E62-344D-4056-BF01-BF77B94E0254}\api-ms-win-system-softpub-l1-1-0.dll
  • C:\Users\%Username%\AppData\Local\Temp\{D075E5D0-4442-4108-850E-3AD2874B270C}\api-ms-win-system-provsvc-l1-1-0.dll
  • C:\Users\%Username%\AppData\Local\Temp\{D4A2C643-5399-4F4F-B9BF-ECB1A25644A6}\api-ms-win-system-wer-l1-1-0.dll
  • C:\Users\%Username%\AppData\Local\Temp\{FD68402A-8F8F-4B3D-9808-174323767296}\api-ms-win-system-advpack-l1-1-0.dll
  • C:\Users\%Username%\AppData\Local\Temp\{F4DD9BAF-BD38-4055-90EE-07C071479B6A}\api-ms-win-system-acproxy-l1-1-0.dll

Mitigation and Prevention

  • Use updated antimalware and antivirus products.
  • Keep regular backups both on and off-site.
  • Do not open unknown files; compare suspect files and traffic against the known IOCs above.
  • Use application control software with a base deny policy on executables.
  • Use administrative or elevated privileges carefully.
  • Isolate infected systems from the network and storage devices.
  • Monitor systems for registry or file changes.
  • Keep systems patched with the latest updates.
  • Continuously monitor network traffic for C&C communication.
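The following script ties the IOC list to the monitoring items in the list above (comparing files against known hashes, watching for the dropped DLL path pattern and ".crypt" renames, and checking network logs for the listed C&C addresses). It is an added example written for this page, not TruShield's tooling. The hashes, IPs, hostnames and the Temp\{GUID}\api-ms-win-system-*.dll pattern are taken from the alert's IoC section; the log lines, file paths and the username "alice" are constructed for the demonstration.

```python
"""Detection helpers for the CryptXXX indicators listed in this alert.

Added example, not TruShield's own code. Indicators come from the alert;
sample logs and paths below are constructed for demonstration only.
"""
import hashlib
import re


def refang(indicator: str) -> str:
    """Restore the dots that the alert masks as [dot] / [.]."""
    return indicator.replace("[dot]", ".").replace("[.]", ".")


# SHA-256 hashes published in the alert.
KNOWN_SHA256 = {
    "a4e9c151a50595b59e787dd3b361ac53d02dd7f212d6b22639dc01776c886d05",
    "565dadb36e1d8b0c787d0d5e4cd7ec8c24cac1d6b37637427547ae465ab0fff0",
    "0b12584302a5a72f467a08046814593ea505fa397785f1012ab973dd961a6c0e",
}

# Network indicators from the alert, refanged so they match real log text.
KNOWN_NETWORK = {
    refang(i) for i in (
        "146.0.42.68", "104.193.252[dot]245", "217.23.6[dot]40",
        "rp4roxeuhcf2vgft[dot]onion.to", "rp4roxeuhcf2vgft[dot]onion.cab",
        "rp4roxeuhcf2vgft[dot]onion.city",
    )
}

# Match an indicator only as a whole token so 146.0.42.168 does not hit 146.0.42.68.
NETWORK_RE = re.compile(
    r"(?<![\w.-])(" + "|".join(re.escape(i) for i in sorted(KNOWN_NETWORK)) + r")(?![\w-])"
)

# The alert's dropped DLLs live under %LOCALAPPDATA%\Temp\{GUID}\api-ms-win-system-*.dll.
# Genuine api-ms-win-* forwarder DLLs ship in System32, so that location is the signal.
DROP_PATH_RE = re.compile(
    r"\\AppData\\Local\\Temp\\\{[0-9A-Fa-f-]{36}\}\\api-ms-win-system-[^\\]+\.dll$",
    re.IGNORECASE,
)


def hash_matches(data: bytes) -> bool:
    """True if the SHA-256 of `data` is one of the alert's known hashes."""
    return hashlib.sha256(data).hexdigest() in KNOWN_SHA256


def find_dropped_dlls(paths):
    """Paths that look like the CryptXXX DLL drop location."""
    return [p for p in paths if DROP_PATH_RE.search(p)]


def find_crypt_files(paths):
    """Paths carrying the .crypt extension CryptXXX appends to encrypted files."""
    return [p for p in paths if p.lower().endswith(".crypt")]


def find_network_hits(log_text: str):
    """(line number, indicator) for every known C&C indicator seen in a log."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for m in NETWORK_RE.finditer(refang(line)):
            hits.append((lineno, m.group(1)))
    return hits


# Constructed sample data (not from the alert). 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = """\
2016-04-20T10:02:11 proxy allow src=10.0.0.14 dst=192.0.2.10 host=example.com
2016-04-20T10:02:13 proxy allow src=10.0.0.14 dst=146.0.42.68 host=-
2016-04-20T10:02:19 dns query src=10.0.0.14 qname=rp4roxeuhcf2vgft.onion.to
2016-04-20T10:02:25 proxy allow src=10.0.0.22 dst=146.0.42.168 host=-
"""

SAMPLE_PATHS = [
    r"C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll",
    r"C:\Users\alice\AppData\Local\Temp\{C3F31E62-344D-4056-BF01-BF77B94E0254}\api-ms-win-system-softpub-l1-1-0.dll",
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\budget.xlsx.crypt",
    r"\\fileserver\share\plan.docx.crypt",
]

if __name__ == "__main__":
    print("network hits:", find_network_hits(SAMPLE_LOG))
    print("dropped DLLs:", find_dropped_dlls(SAMPLE_PATHS))
    print("encrypted files:", find_crypt_files(SAMPLE_PATHS))
    print("known-hash match on placeholder bytes:", hash_matches(b"constructed benign content"))
```

In a real deployment the log text would come from proxy, DNS or firewall exports and the path list from an endpoint file inventory; matching on whole tokens and on the Temp\{GUID} location rather than on the DLL name alone keeps false positives down, since the api-ms-win-* names themselves are legitimate Windows forwarders.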

References

  • https://www.proofpoint.com/us/threat-insight/post/cryptxxx-new-ransomware-actors-behind-reveton-dropping-angler
  • https://isc.sans.edu/diary/Angler+Exploit+Kit,+Bedep,+and+CryptXXX/20981
  • http://malware.dontneedcoffee.com/2016/04/bedepantiVM.html

Copyright © 2016