CryptXXX ransomware, first spotted in mid-April, has reached version 2.0, and a new level of nastiness. It’s also on its way to become one of the top ransomware families in the wild.
The malware’s first version would encrypt files but leave the rest of the infected computer alone, and victims would be able to use it to buy Bitcoin and pay the required ransom.
This also allowed them to deploy a decryption tool, developed by Kaspersky Lab researchers only a week after the first instance of the ransomware was spotted. The AV maker added the decryption capability to its decryptor tool meant initially for decrypting files taken hostage by the Rannoh ransomware.
But that option is not available any more, as CryptXXX 2.0 not only bypasses the decryption tool, but also locks the computer’s screen after popping-up the ransom request:
In addition to all this, the page where the crooks explain how the victims can effect the ransom payment mentions a Google Decrypter tool they will be able to use to decrypt their files. Proofpoint researchers believe that’s just a misdirection, to prevent victims to identify with which ransomware they have been hit.
“While new decryption tools may emerge, CryptXXX’s active development and rapid evolution suggest that this new ransomware will continue to compete strongly in malware ecosystems,” the researchers noted.
“As always, best practices for avoiding infection include patching systems and software, updating endpoint antimalware, deploying robust network protections, and regularly backing up all critical systems.”
UPDATE (May 13, 2016):
We’ve been notified by Kaspersky Lab that they have updated the decryption tool to adapt to the second version of CryptXXX.
“The updated version of CryptXXX ransomware has been successfully decrypted; and a new version of the Kaspersky Lab decryption tool can now help the victims of CryptXXX v2. This tool supports the decryption of about 40 popular file formats, including documents, archives, images, etc. Unfortunately, it is not possible to decrypt any arbitrary file format,” says senior malware analyst Fedor Sinitsyn.
“We have made the new tool even more easy to use. To decrypt files affected by CryptXXX v2, users don’t need an original copy of any files. Users of the previous versions of this utility will have the opportunity to automatically download the updated version.”