CryptXXX ransomware is a new hybrid that comes to us from the same cyber mafia behind Reveton malware, it demands a ransom of 1 Bitcoin (~$500). It is spread through the Angler Exploit Kit which first infects the machine with the Bedep Trojan, which then drops information stealers on the machine and adds professional grade encryption adding a .crypt extension to the filename.
Local files as well as mounted drives are encrypted. CryptXXX steals Bitcoins in addition to a ton of other data it steals. It tries to elude detection for as long as possible through random delayed execution, anti-Virtual Machine and anti-analysis functions like checking CPU names in the registry and monitors for mouse events.
Kaspersky has a free decryption tool available for CryptXXX versions 1 and 2, however Version 3.100 renders the tool useless. The new version includes network share encryption, meaning even if files have been decrypted, the ransomware can still encrypt files on network shares.
A new version seen in July changes its name to Microsoft Decryptor and no longer appends an extension to decrypted files, meaning an encrypted file keeps the same filename as it had before the infection. Later in July, thousands of legitimate wordpress business sites were hacked by a botnet named SoakSoak to deliver the latest version of CryptXXX ransomware to all of their website visitors. If you use WordPress as a platform, you really need to keep it updated and use as few plugins as possible to minimize the attack surface.
