Malware News CryptXXX Ransomware moves from the Crypz extension to a Random One

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
A new version of the CryptXXX/UltraCrypter ransomware was released today that switched from using the .crypz extension to a random one consisting of 5 hexadecimal characters. For example, one computer's encrypted files may use the extension .AC0D4, while another victim's files would use the .DA3D1 extension.

The ransom note names are currently set to @[victim_id].txt, .html, and .bmp. So a user with a victim ID of 14AC2EF20B23 would have ransom notes named 14AC2EF20B23.html, 14AC2EF20B23.bmp, and 14AC2EF20B23.txt.


Read more: CryptXXX Ransomware moves from the Crypz extension to a Random One
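
A triage check for the two naming patterns described in the post above, as an added example that is not part of the original thread or the linked article. It assumes victim IDs are always 12 hexadecimal characters (the post gives only one example) and accepts the note name with or without the leading "@"; the function name, thresholds and sample listings are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Assumption: victim IDs are 12 hex characters, as in the post's single example.
NOTE_RE = re.compile(r"^@?([0-9A-F]{12})\.(txt|html|bmp)$", re.IGNORECASE)
EXT_RE = re.compile(r"^\.[0-9A-F]{5}$", re.IGNORECASE)

def triage(paths, min_files=3, min_note_types=2):
    """Return a dict describing the match, or None if the listing looks clean."""
    note_types = defaultdict(set)   # victim ID -> note file types seen
    ext_counts = Counter()          # 5-hex extension -> number of files
    for p in map(PureWindowsPath, paths):
        m = NOTE_RE.match(p.name)
        if m:
            note_types[m.group(1).upper()].add(m.group(2).lower())
        elif EXT_RE.match(p.suffix):
            ext_counts[p.suffix.upper()] += 1
    ids = sorted(v for v, t in note_types.items() if len(t) >= min_note_types)
    if not ids or not ext_counts:
        return None
    ext, count = ext_counts.most_common(1)[0]
    # A lone 5-hex suffix (e.g. "archive.12345") is weak evidence by itself:
    # require several files sharing ONE extension plus the ransom notes.
    if count < min_files:
        return None
    return {"victim_ids": ids, "extension": ext, "files": count}

# Constructed sample listings (not real victim data).
INFECTED = [
    r"C:\Users\bob\Documents\budget.xlsx.AC0D4",
    r"C:\Users\bob\Documents\notes.docx.AC0D4",
    r"C:\Users\bob\Pictures\cat.jpg.AC0D4",
    r"C:\Users\bob\Documents\14AC2EF20B23.txt",
    r"C:\Users\bob\Documents\14AC2EF20B23.html",
    r"C:\Users\bob\Documents\@14AC2EF20B23.bmp",
    r"C:\Users\bob\Documents\old.12345",
]
CLEAN = [
    r"C:\data\archive.12345",
    r"C:\data\DEADBEEF0001.txt",
    r"C:\data\readme.txt",
]

if __name__ == "__main__":
    print(triage(INFECTED))
    print(triage(CLEAN))
```

Because the extension differs per machine, the check keys on the shape of the names and on the notes and renamed files appearing together, not on any fixed string.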
 

Rishi

Level 19
Verified
Honorary Member
Top Poster
Well-known
Dec 3, 2015
938
It could be coded that way to generate a machine-specific unique extension or a totally random one. Certain polymorphic malware is known to adapt to the host; we can only know by reversing the well-hidden algorithms.
 

DardiM

Level 26
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
> It could be coded that way to generate a machine-specific unique extension or a totally random one. Certain polymorphic malware is known to adapt to the host; we can only know by reversing the well-hidden algorithms.

Yes, and I think that we will soon have news about the reason / impact of this change :).
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,147
The extensions are getting cute lately. I was playing around with one this weekend that encrypted the files with the extension ".31392E30362E32303136_12_LSBJ1". On subsequent runs of the same malware the _xx_ numbers changed, everything else stayed the same. Another variant had the ending final 5 characters differing as well as the first few numbers.

Looks like they are pushing this one through a trojan factory prior to sale so that the purchaser gets to have a ransomware file all her own.

Isn't that special!
 
