Researchers at SentinelOne have warned of a new version of the CryptXXX ransomware, which is already spreading through spam and spear phishing campaigns. Unlike earlier versions, which were poorly written, this one has fixed the flaws that allowed security vendors to release free decryption tools. The result is that any infection is a case of pay up or say goodbye to your files.
According to Joseph Landry, Senior Researcher at SentinelOne, this new variant has already raised over $50,000. The ransom is paid in Bitcoin, with the price set at 1.2 Bitcoins per machine. With the new ransomware Bart charging 3 Bitcoins per machine, we wanted to know more about the pricing. Landry told us: “They have priced it at a level where people will pay it rather than attract too much attention from law enforcement.”
In an interesting twist, Landry says that the ransomware authors have also introduced a ‘Try Before You Pay’ mechanism. To convince victims that the key to unlock their files will work, the authors provide a sample key that unlocks a small number of files. This is innovative and certainly overcomes some of the trust problems that other ransomware authors and their victims have experienced.
What do we know about the authors?
Little to nothing. They have managed to stay underground and have avoided detection so far. Landry also believes that they have kept control of the ransomware rather than selling it to a criminal gang.
This is a smart move, but does it mean they are looking for a quick profit before moving on? Landry doesn’t think so. We were also interested in whether this was a criminal enterprise or perhaps state-sponsored malware. Landry told us: “This is 100% criminal. The people who wrote the payload haven’t done everything. They have brought in other people with advanced techniques to do the distribution and packing. This is an approach we called Exploits as a Service (EaaS).”
This use of EaaS is interesting. Cybercriminals are making better use of cloud and ‘as a Service’ approaches than many legitimate companies. They use them for data mining to extract data from large data breaches, and in this context they are also good at sharing data and exploits. Despite this, Landry says this is not Ransomware as a Service (RaaS) in the sense described by Flashpoint recently.
Imitating known good files
One of the interesting things in the SentinelOne blog announcing this CryptXXX variant is the way it reuses the file names and details of other programmes. For example, the blog points out that an earlier version of CryptXXX copied the details of a legitimate Microsoft DLL.
In this version the file details have all been taken from a file called _BigBang.dll, which is distributed with Cyberlink PowerDVD Cinema. SentinelOne believes that the details are copied as part of the build or distribution process, which is what keeps them accurate. That means it might not be the original authors doing this, but the people they have paid to distribute the ransomware.
Deleting Shadow Copy files
Users have been encouraged to use shadow copies as a backup and protection mechanism. Landry told us that this new CryptXXX variant searches for, and then deletes, any shadow volume copies that it can detect. It does this by tricking the user into granting it elevated privileges so that it can run as administrator. From there it hooks the Windows VSS.exe file and uses it to delete the shadow copies.
For users who create copies and then store them on external devices or on the company network there is still hope. Landry told us that at present CryptXXX does not scan the machine or the network for other shadow copies. It also fails to delete the VSS log files, which means that users can restore older shadow copies.
This suggests a protection strategy for users: enable VSS on the computer, but then move the copies to the network or a removable device. This would allow them to recover if they are infected.
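The shadow copy deletion described above is behaviour a defender can watch for in process-creation telemetry, since it is rare on a normal workstation and precedes the encryption. The following is an added example and is not code from this article or from SentinelOne: a small Python detector that runs over constructed process-creation log lines and flags the well-known shadow-copy deletion commands (the key=value log layout, the host and user names, and the sample command lines are all assumptions made for this example; the command patterns themselves are the ones commonly listed in public detection rules).

```python
"""
Added example (not from the article or SentinelOne): flag process-creation
events whose command line removes or disables Volume Shadow Copies, the
behaviour the article attributes to the new CryptXXX variant.
"""
import re
from typing import Dict, List, Optional

# Constructed sample telemetry (not real logs). The key=value layout is an
# assumption for this example; it loosely mirrors the fields of a Windows
# 4688 or Sysmon process-creation event. Hosts and users are invented.
SAMPLE_LOG = r"""
EventID=4688 Host=WKS-07 User=alice IntegrityLevel=Medium ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe C:\Users\alice\notes.txt"
EventID=4688 Host=WKS-07 User=alice IntegrityLevel=High ParentImage="C:\Users\alice\AppData\Local\Temp\setup.exe" Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin.exe Delete Shadows /All /Quiet"
EventID=4688 Host=SRV-02 User=backupsvc IntegrityLevel=High ParentImage="C:\Windows\System32\cmd.exe" Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin.exe List Shadows"
EventID=4688 Host=WKS-11 User=bob IntegrityLevel=High ParentImage="C:\Users\bob\Downloads\invoice.exe" Image="C:\Windows\System32\wbem\WMIC.exe" CommandLine="wmic shadowcopy delete"
EventID=4624 Host=WKS-11 User=bob LogonType=2
""".strip().splitlines()

# Publicly documented ways of removing or disabling shadow copies. Matching is
# case-insensitive and tolerant of extra whitespace. "vssadmin list shadows"
# is deliberately not here: listing is benign administrative activity.
SHADOW_DELETE_PATTERNS = [
    (r"vssadmin(\.exe)?\s+delete\s+shadows", "vssadmin delete shadows"),
    (r"vssadmin(\.exe)?\s+resize\s+shadowstorage", "vssadmin resize shadowstorage"),
    (r"wmic(\.exe)?\s+shadowcopy\s+delete", "wmic shadowcopy delete"),
    (r"Win32_ShadowCopy.*\.Delete\(\)", "WMI Win32_ShadowCopy delete"),
    (r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", "bcdedit disable recovery"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), label) for p, label in SHADOW_DELETE_PATTERNS]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value line; quoted values may contain spaces."""
    event = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        event[key] = quoted if quoted is not None else bare
    return event


def classify_command(command_line: str) -> Optional[str]:
    """Return the technique label if the command line tampers with shadow copies."""
    for rx, label in COMPILED:
        if rx.search(command_line):
            return label
    return None


def find_shadow_copy_tampering(lines: List[str]) -> List[Dict[str, object]]:
    """Return one alert per process-creation event that deletes/disables shadow copies."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4688":  # only process-creation events carry a command line
            continue
        label = classify_command(ev.get("CommandLine", ""))
        if label is None:
            continue
        hits.append({
            "host": ev.get("Host", "?"),
            "user": ev.get("User", "?"),
            "technique": label,
            # The article notes the malware first obtains elevation; an elevated
            # process launched from a user-writable path is worth prioritising.
            "elevated": ev.get("IntegrityLevel", "").lower() == "high",
            "parent": ev.get("ParentImage", "?"),
            "command": ev.get("CommandLine", ""),
        })
    return hits


if __name__ == "__main__":
    for hit in find_shadow_copy_tampering(SAMPLE_LOG):
        print(f"[{hit['technique']}] host={hit['host']} user={hit['user']} "
              f"elevated={hit['elevated']} parent={hit['parent']}")
```

Run against the constructed sample, the detector raises two alerts (the vssadmin delete on WKS-07 and the wmic delete on WKS-11) and stays quiet on the backup account listing shadow copies on SRV-02. In practice the same rule would be fed from Sysmon or 4688 events with command-line auditing enabled, and the parent image gives the responder the likely dropper to pull.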
This is an updated version of CryptXXX with a lot of new features. Unlike previous versions, this one is well written, is being distributed widely, and has no known remedy other than paying up. With the surge of ransomware currently hitting the market, it will be interesting to see just how lucrative this version of CryptXXX becomes.