Ransomware has been making a lot of waves throughout 2016: many organizations were attacked by it in one way or another, and regular users have been affected as well. But security firms are doing their part and developing various kinds of solutions to the problem. Files encrypted by CryptXXX v.3 can now be unlocked. The decryption routine has been added to RannohDecryptor, which was developed by Kaspersky Lab's No Ransom Project and can be used free of charge. We should point out that previous versions of the decryption tool were only able to unlock some of the file types affected by CryptXXX, but now every one of them can be decrypted.
So the people behind CryptXXX now have to scramble and find other methods of encrypting data; for the moment their threat is neutralized. That can be considered a major victory, because this ransomware targets many countries, including Russia, the USA, Japan and Germany. Users all over the world now have one less thing to worry about.
But the joy may be short-lived. The previous version of the CryptXXX decryption tool was released in April, and by June the ransomware developers had already updated their creation. They also added a new information-stealing module to it. The encryption algorithm still had certain weaknesses, however. They were most prominent in the very first modification of CryptXXX; they were fixed to some extent in the second variation, but the code was still not perfect and researchers from Kaspersky were able to catch up with it. Now they have developed a tool that can unlock files encrypted by both v.2 and v.3.
CryptXXX is a DLL (dynamic-link library) written in Delphi. It uses several encryption schemes to achieve its goal. One of them employs RC4 with a separate key for each piece of data. The other two combine RC4 and RSA: in one, RC4 encrypts the files and RSA encrypts the RC4 keys; in the other, RC4 locks the file content while RSA encrypts a certain portion of the file contents together with the RC4 keys. Encrypted files are given the extension .crypt, .cryp1 or .crypz.
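Before running a decryptor, a responder usually wants an inventory of what the ransomware actually touched and which variant is present. The following script is an added example written for this article, not code from Kaspersky or from the RannohDecryptor tool: it walks a directory tree, flags files carrying one of the three extensions named above, counts hits per extension, and recovers the original file name the decryptor would restore. The sample directory it builds is constructed for the demonstration and contains no real malware output.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the CryptXXX family appends to encrypted files (from the article).
CRYPTXXX_EXTENSIONS = {".crypt", ".cryp1", ".crypz"}


def find_encrypted_files(root):
    """Walk `root` and return the sorted paths of files carrying a CryptXXX extension."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if Path(name).suffix.lower() in CRYPTXXX_EXTENSIONS:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def summarize(paths):
    """Count hits per extension so the responder can see which variant(s) are present."""
    return dict(Counter(Path(p).suffix.lower() for p in paths))


def original_name(path):
    """Strip the ransomware extension to get the name a successful decryption restores.

    'report.docx.crypt' becomes 'report.docx'; paths without a CryptXXX
    extension are returned unchanged.
    """
    p = Path(path)
    if p.suffix.lower() in CRYPTXXX_EXTENSIONS:
        return str(p.with_suffix(""))
    return str(p)


def build_sample_tree():
    """Create a throwaway directory with constructed sample files (hypothetical layout)."""
    root = tempfile.mkdtemp(prefix="cryptxxx_triage_")
    layout = {
        "docs/report.docx.crypt": b"constructed sample",
        "docs/budget.xlsx.cryp1": b"constructed sample",
        "photos/holiday.jpg.crypz": b"constructed sample",
        "photos/readme.txt": b"untouched file",
    }
    for rel, data in layout.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    hits = find_encrypted_files(sample_root)
    print("Per-extension counts:", summarize(hits))
    for hit in hits:
        print(f"{hit}  ->  {original_name(hit)}")
```

Point `find_encrypted_files` at a real share or user profile instead of the sample tree to get the list of candidates; the per-extension summary tells you at a glance whether more than one CryptXXX variant has been at work, which matters because the decryptor's coverage differs between versions.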
CryptXXX spreads by driving traffic to compromised URLs that serve the Angler and Neutrino exploit kits. In other words, it is not distributed by the method most commonly used to get ransomware onto computers, email spam campaigns. Because exploit kits rely on unpatched browsers and browser plugins, keeping those up to date is as important as keeping the system protected at all times.
We should point out that CryptXXX v.3 contains a module named stiller.dll, the same one found in all previous versions. It is downloaded to the victim's computer and can steal 130 types of personal information, including data stored by web browsers, messengers and email clients. Then, once the encryption process is complete and the cybercriminals have their hands on the personal data, the ransom note is displayed.
The ransom amount for v.3 is unknown at the moment. V.2 asked for 1.3 Bitcoin, approximately $1000 USD, so the price is far from small.
Still, there is definite progress being made in the battle against ransomware. Kaspersky Lab has already made decryption tools for CoinVault, TeslaCrypt, Wildfire and Crybola available. For the full list of those tools and the latest anti-ransomware developments, visit https://noransom.kaspersky.com.