CryptXXX 3.1

cruelsister

As you may be aware, the makers of the previously wildly popular Tesla ransomware have abandoned that project and in all probability are behind the recent CryptXXX outbreak. Although decryptors were produced for the initial versions, a new build has been recently released that is a real pain and defeats the decryptors. Besides infecting network shares it also has a function to steal passwords of the originally infected system.

The real pain is that it seems to be totally VM/sandbox aware (probably due to a getsysinfo function, but I'm not 100% on this), so it is an issue to analyze without a bunch of sacrificial machines, which I no longer have. It's currently being pushed out on malicious webpages via the Neutrino EK. If you are running a sandbox (SBIE, CF, Shade) or in a VM you are safe, as the malware will just shut down; without such defenses, running into a zero-day sample may be a severe issue.

(Just noticed it is connecting out to prtc.net in San Juan, which is the Puerto Rican Telephone Company. That's a first...).
 
CryptXXX checks for VM/VB processes and the "Add-ons/Tools". And like you said, it also gets the full PC info; I have a feeling that it checks for the HDD, since in VB/VM the HDD is easy to spot (whether it's a virtual machine or not).
 
Hi Kate! It's a real pain to find out by what mechanism this stuff queries its environment, but in this case it is absolutely not by checking for DLLs, so as you said it may be response time also.

Forgot to mention that it injects into explorer.exe. Think this one is really new; wish I had more time to play instead of determining a viable takeout price of my previous employer.
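Two behaviours mentioned in this thread, the injection into explorer.exe and the outbound connection to a prtc.net host, are things a defender can correlate in endpoint telemetry rather than having to reproduce in a sandbox the sample refuses to run in. The script below is an added example written for this page, not code from the thread's participants or from any analysis tool. It assumes Sysmon-style events (event ID 8 for CreateRemoteThread, event ID 3 for a network connection) flattened into key=value lines; the log lines, process IDs, paths, the 203.0.113.x addresses and the `host.prtc.net` hostname are all constructed placeholders, not observed indicators.

```python
"""Correlate remote-thread injection into explorer.exe with a later outbound
connection from that same explorer.exe process.

Added example for this thread; assumes Sysmon-style events (ID 8 =
CreateRemoteThread, ID 3 = NetworkConnect) rendered as key=value lines.
All sample data below is constructed, not real telemetry.
"""
import re

# Constructed sample events. Hostname, IPs, PIDs and paths are placeholders.
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Users\\bob\\AppData\\Local\\Temp\\rad1234.tmp.exe "
    "ProcessId=4120 ParentImage=C:\\Program Files\\Internet Explorer\\iexplore.exe",
    "EventID=8 SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\rad1234.tmp.exe "
    "SourceProcessId=4120 TargetImage=C:\\Windows\\explorer.exe TargetProcessId=1560",
    "EventID=3 Image=C:\\Windows\\explorer.exe ProcessId=1560 "
    "DestinationIp=203.0.113.45 DestinationPort=443 DestinationHostname=host.prtc.net",
    # Benign browser traffic: must not be flagged.
    "EventID=3 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe ProcessId=2200 "
    "DestinationIp=203.0.113.10 DestinationPort=443 DestinationHostname=www.example.com",
]

# key=value pairs; values may contain spaces (e.g. "Program Files"), so a value
# runs until the next " key=" token or end of line.
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn one flattened event line into a dict of field -> value."""
    return {key: value for key, value in _KV.findall(line)}


def detect_explorer_injection_beacon(lines):
    """Return alerts for (a) any remote thread created in explorer.exe and
    (b) any network connection made afterwards by that injected explorer.exe.

    Correlation is keyed on the target PID, so a normal explorer.exe that
    was never injected can connect out without raising the second rule.
    """
    injected = {}  # explorer.exe PID -> image that injected into it
    alerts = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "8" and ev.get("TargetImage", "").lower().endswith("\\explorer.exe"):
            injected[ev["TargetProcessId"]] = ev["SourceImage"]
            alerts.append({
                "rule": "remote-thread-into-explorer",
                "source": ev["SourceImage"],
                "target_pid": ev["TargetProcessId"],
            })
        elif eid == "3" and ev.get("ProcessId") in injected:
            alerts.append({
                "rule": "network-from-injected-explorer",
                "source": injected[ev["ProcessId"]],
                "dest": ev.get("DestinationHostname") or ev.get("DestinationIp"),
                "port": ev.get("DestinationPort"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_explorer_injection_beacon(SAMPLE_EVENTS):
        print(alert)
```

The second rule only fires for an explorer.exe PID that an earlier event 8 marked as injected, which keeps ordinary shell traffic (and the unrelated firefox.exe connection in the sample) out of the alert stream; in a real deployment the same PID-keyed correlation would be applied to a time-bounded window of events rather than a static list.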