Bad guys jump ship to CryptXXX after TeslaCrypt authors release decryption key

Researchers have spotted threat actors flocking to CryptXXX after TeslaCrypt authors closed shop.

Cyber-crooks look to capitalize on CryptXXX after the fall of TeslaCrypt.

After TeslaCrypt's authors publicly released the ransomware's master decryption key last week, Trend Micro researchers spotted cyber crooks jumping to CryptXXX.

The release of the keys allowed TeslaCrypt victims to unlock their files for free, leaving bad guys looking for a new cash cow to fill the void, according to a May 20 blog post.  

Trend Micro researchers said TeslaCrypt was already being phased out in favour of CryptXXX before the release of the key as white hats discovered vulnerabilities and developed decryption tools. Concurrently, CryptXXX received several updates including one after the release of the TeslaCrypt keys, the post said.

CryptXXX is a high risk to victims because it uses compromised websites and malvertising to infect users, Trend Micro Senior Global Marketing Manager Jon Clay told SCMagazine.com.

“This is a departure from the traditional email-based infection vector which is more targeted,” he said. “CryptXXX also uses anti-sandbox code as well as running a watchdog process to protect itself from being detected and terminated.”

Researchers wrote that CryptXXX is difficult to stop because it runs alongside a “watchdog program” which executes two simultaneous routines that encrypt and detect abnormal system behaviour. When the program detects abnormal system behaviours it halts and restarts the encryption routine which results in a cycle of stopping and starting the malware, the post said.

“The authors behind CryptXXX have made significant improvements to their ransomware that could increase the payment rate of victims,” Clay said.

CryptXXX also introduced a longer waiting period of 90-plus hours for a victim to pay before doubling the ransom so users have ample time to come up with the ransom money, researchers said. Other ransomware families give users as little as 24 hours before hiking the price to unlock a victim's files.

CryptXXX authors will likely make the ransomware a nightmare for users who do not have proper ransomware solutions, the researchers contended. “Given that ransomware can also be spread via spam mail attachments or links in spam messages, users should avoid opening unverified emails or clicking on embedded links,” they wrote.

In addition, consumers must have a backup solution to back up or restore infected files, Deepak Patel, director of security strategy at Imperva, told SC via email.

“Ransomware today has the perfect elements of gullible humans, effective malware software, and ability to collect ransom anonymously working in their favour,” he said. “The trifecta assures that the malware authors stay out of the reach of law enforcement officials where the crime is committed.”

Patel predicted a healthy future for ransomware, which, he said, "in some form or shape will continue to thrive until there is a change in one of the factors – effective law enforcement or vastly increased awareness.”