Researchers Crack A New Version Of CryptXXX ransomware

Proofpoint researchers have detected a new version of thw CryptXXX ransomware that introduces several updates and improvements, all of which increase the risks associated with this threat. In fact, shared network resources are now far more vulnerable to encryption by a CryptXXX-infected PC with the introduction of network scanning via SMB.

CryptXXX is evolving fast – the developers behind it are already at Version 3.100, detected less than 6 weeks after Proofpoint researchers first identified the ransomware. The latest iteration not only bypasses the currently available decryption tool from but also 1) Uses SMB to scan for available network resources and begin encrypting them, 2) Installs the StillerX information stealing DLL (this isn’t new but is the first time it has been analyzed in detail), 3) Includes a new payment portal, and 4) Changes the extension of encrypted files from previous versions.

Comments from Kevin Epstein, Vice President, Threat Operations Center:

“CryptXXX is evolving rapidly, likely driven by the financial benefits attackers reap from distributing ransomware at scale. Cybercrime is a business, and the lower-cost, higher-return nature of ransomware offers significant incentives for threat actors’ continuing investment in that form of malware.”

“By including robust credential-stealing capabilities in the malware package, the actors behind CryptXXX are able to monetize their attack beyond basic ransom payments. It adds further injury to insult, like having your wallet and ID stolen by your kidnappers.”

Please visit Proofpoint’s Threat Insight blog for the full research: https://www.proofpoint.com/us/threat-insight/post/cryptxxx-ransomware-learns-samba-other-new-tricks-with-version3100