Now here's a new hybrid nasty that does a multitude of nefarious things. Proofpoint researchers found that it was built by the same cyber mafia that's behind the Reveton malware. A few months ago the 800-pound Dridex cyber gang moved into ransomware with Locky, and now their competitor Reveton follows suit and tries to muscle into the ransomware racket with an even worse criminal malware multitool.
At the moment CryptXXX spreads through the Angler Exploit Kit, which infects the machine with the Bedep Trojan; Bedep in turn drops information stealers on the machine and now also delivers the ransomware, which uses professional-grade encryption and appends a .crypt extension to each encrypted filename.
It demands the "industry standard" ~$500 in Bitcoin per computer to unlock encrypted files. You have to keep in mind that the cyber criminals behind Reveton are highly experienced, which means that CryptXXX is a force to be reckoned with. Expect widespread attacks, initially through drive-by downloads, with a wave of phishing emails likely to follow shortly.
This ransomware hybrid encrypts files locally and on all mounted drives, and to add insult to injury it also steals Bitcoins and a large range of other data. The Bedep Trojan has a long history of dropping information stealers on infected machines. For instance, it dropped the Pony password stealer from November 2014 until mid-December 2015, then replaced Pony with an undocumented "private stealer" until mid-March 2016.
CryptXXX tries to elude detection through "random delayed" execution and anti-virtual-machine and anti-analysis functions, such as checking the CPU name in the registry and monitoring for mouse events. The Proofpoint researchers said: "Given Reveton's long history of successful and large-scale malware distribution, we expect CryptXXX to become widespread."
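One defensive check the behaviour described above suggests: a burst of newly written .crypt files that touches several drive letters at once is the signature of a host encrypting local and mounted drives. The Python below is an added example written for this post, not Proofpoint's or Kaspersky's code; the file-activity log format and the sample lines are constructed.

```python
"""Flag CryptXXX-style bursts of new .crypt files across drives in file-activity logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the original post). The line format
# "<ISO timestamp> <user> <op> <path>" is an assumption; adapt parse_events()
# to whatever your file-audit or EDR telemetry actually emits.
SAMPLE_LOG = """
2016-04-15T09:12:01 alice WRITE C:\\Users\\alice\\Docs\\budget.xlsx.crypt
2016-04-15T09:12:01 alice DELETE C:\\Users\\alice\\Docs\\budget.xlsx
2016-04-15T09:12:02 alice WRITE C:\\Users\\alice\\Docs\\notes.docx.crypt
2016-04-15T09:12:03 alice WRITE Z:\\Finance\\q1.pdf.crypt
2016-04-15T09:12:04 alice WRITE Z:\\Finance\\q2.pdf.crypt
2016-04-15T09:12:05 alice WRITE D:\\Photos\\img001.jpg.crypt
2016-04-15T09:12:06 alice WRITE C:\\Users\\alice\\Docs\\readme.txt.crypt
2016-04-15T11:40:00 bob   WRITE C:\\Users\\bob\\archive\\old.crypt
"""
LINE_RE = re.compile(r"^(\S+) (\S+)\s+(\S+) (.+)$")


def parse_events(text):
    """Yield (timestamp, user, op, path); blank or malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, op, path = m.groups()
            yield datetime.fromisoformat(ts), user, op, path


def find_crypt_bursts(text, window=timedelta(seconds=60), threshold=5):
    """Return {user: (count, drive_letters)} for every user who created at least
    `threshold` new .crypt files inside one sliding time window. Several drive
    letters in one burst matches the 'all mounted drives' behaviour; a lone
    .crypt file (bob) is not an alert."""
    per_user = defaultdict(list)
    for ts, user, op, path in parse_events(text):
        if op == "WRITE" and path.lower().endswith(".crypt"):
            per_user[user].append((ts, path))
    alerts = {}
    for user, events in per_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward past old events
            if end - start + 1 >= threshold:
                drives = sorted({p[:2] for _, p in events[start:end + 1]})
                alerts[user] = (end - start + 1, drives)
    return alerts
```

Tune `window` and `threshold` to the normal write rate of your users; legitimate tools that produce a handful of .crypt files will not trip a threshold of five in a minute, but a real infection produces hundreds.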
So, What To Do About It?
- Have weapons-grade backups and check your restore function religiously
- Disable Flash on all workstations permanently
- Patch all systems as much as possible, especially third party apps
- Deploy wall-to-wall desktop ad-blockers
- Step users through effective security awareness training
[UPDATE 4/16/2016 - 10:53am] Kaspersky just released a decryption tool for this strain!
Get the most informative and complete hostage rescue manual on Ransomware. This 20-page manual (PDF) is packed with actionable info that you need to prevent infections, and what to do when you are hit with malware like this. You also get a Ransomware Attack Response Checklist and Prevention Checklist.