- Jan 24, 2011
Researchers have neutralized the threat of the latest strain of the CryptXXX v.3 ransomware, releasing a decryption tool for unlocking files, and have added it to the RannohDecryptor, a free utility hosted by Kaspersky Lab’s No Ransom Project.
Previous decryption tools had been available for only a partial list of the files locked up by CryptXXX v.3, but the latest goes a step further and recovers all files scrambled by the ransomware.
The utility deals a blow to the cybercriminals behind this latest CryptXXX ransomware, considered one of the most active ransomware families in the wild today. Approximately one quarter of CryptXXX victims are based in the United States, with Russia, Germany and Japan among the other top targeted geographic regions.
In April, researchers published a decryption tool for unscrambling files locked by an earlier version of CryptXXX. By June, cybercriminals had updated CryptXXX to outsmart those decryption tools and added a new credential-stealing module. At the time, Proofpoint researchers said CryptXXX authors were on track to rival Locky’s infection rates and distribution reach.
With the first version of CryptXXX, researchers were able to exploit a critical flaw in the encryption algorithm to create a decryption tool. With CryptXXX v.2, the ransomware authors updated the code but still left flaws that Kaspersky Lab was able to leverage to create another updated decryption tool. The latest utility decrypts files locked by both v.2 and v.3 of the ransomware.
According to Kaspersky Lab researchers, CryptXXX is a DLL (dynamic-link library) written in Delphi and uses several different encryption schemes on victims' files. Kaspersky Lab described three: the first uses RC4 with a single key for all files; the second uses RC4 to encrypt file contents and RSA to encrypt the RC4 keys; the third also combines RC4 and RSA, with RC4 encrypting the file contents while RSA encrypts part of the file contents along with the RC4 keys.
CryptXXX v.3 locks files using the extensions .crypt, .cryp1 and .crypz.
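The first scheme above, one RC4 key shared by every file, is the weakest of the three for a reason any practitioner should recognize: RC4 is a stream cipher, so every file is XORed with the same keystream, and an intact copy of any one encrypted file (a file restored from backup, or one with a fully predictable layout) yields that keystream prefix and unlocks the same prefix of every other file. The example below is an added illustration of that generic stream-cipher key-reuse property, written for this page; it is not Kaspersky Lab's RannohDecryptor, and it makes no claim about which flaw the researchers actually exploited. The RC4 implementation, the `.crypt` naming and the sample victim files are all constructed here; the `holiday.jpg` file plays the role of the one plaintext the analyst happens to have.

```python
import os
from typing import Dict

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA). Same key => same keystream, which is the whole problem."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same XOR operation for a stream cipher."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))

# Constructed victim files: real format magic bytes followed by filler.
SAMPLE_FILES: Dict[str, bytes] = {
    "quarterly.docx": b"PK\x03\x04" + b"A" * 60,                  # 64 bytes
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"B" * 80,   # 90 bytes, analyst has a copy
    "notes.txt": b"Meeting notes for Q2 ...",                      # 24 bytes
    "archive.zip": b"PK\x03\x04" + b"C" * 196,                     # 200 bytes, longer than the known file
}
KNOWN_FILE = "holiday.jpg"

def encrypt_all_one_key(files: Dict[str, bytes], key: bytes) -> Dict[str, bytes]:
    """Scheme 1 from the article: every file under the same RC4 key, '.crypt' appended."""
    return {name + ".crypt": rc4_crypt(key, data) for name, data in files.items()}

def encrypt_all_per_file_key(files: Dict[str, bytes]) -> Dict[str, bytes]:
    """Contrast case: a fresh RC4 key per file (what schemes 2 and 3 protect with RSA).
    The per-file keys are deliberately discarded; the attacker never learns them."""
    return {name + ".crypt": rc4_crypt(os.urandom(16), data) for name, data in files.items()}

def recover_keystream(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known plaintext XOR ciphertext = the keystream prefix used for that file."""
    n = min(len(known_plaintext), len(ciphertext))
    return bytes(p ^ c for p, c in zip(known_plaintext[:n], ciphertext[:n]))

def decrypt_with_keystream(keystream: bytes, ciphertext: bytes) -> bytes:
    """Returns only the recoverable prefix: bytes beyond the keystream stay unknown."""
    n = min(len(keystream), len(ciphertext))
    return bytes(k ^ c for k, c in zip(keystream[:n], ciphertext[:n]))

def recover_all(locked: Dict[str, bytes]) -> Dict[str, bytes]:
    """Use the one known file to pull the keystream, then apply it to every locked file."""
    ks = recover_keystream(SAMPLE_FILES[KNOWN_FILE], locked[KNOWN_FILE + ".crypt"])
    return {name: decrypt_with_keystream(ks, ct) for name, ct in locked.items()}

def demo_shared_key() -> Dict[str, bytes]:
    key = os.urandom(16)  # the ransomware's key; never revealed to the analyst
    return recover_all(encrypt_all_one_key(SAMPLE_FILES, key))

def demo_per_file_key() -> Dict[str, bytes]:
    return recover_all(encrypt_all_per_file_key(SAMPLE_FILES))

if __name__ == "__main__":
    shared = demo_shared_key()
    for name, data in shared.items():
        print(f"[shared key] {name}: recovered {len(data)} bytes, prefix {data[:4]!r}")
    per_file = demo_per_file_key()
    print("[per-file key] quarterly.docx recovered correctly:",
          per_file["quarterly.docx.crypt"] == SAMPLE_FILES["quarterly.docx"])
```

Two things are worth noting from running it. With the shared key, `quarterly.docx` and `notes.txt` come back intact because they are shorter than the known file, but `archive.zip` is recovered only up to byte 90, the length of the keystream the analyst could derive; longer files need a longer known plaintext. With per-file keys the same procedure returns garbage for every other file, which is exactly why the second and third schemes wrap per-file RC4 keys in RSA and why decryptors for those variants depend on some other mistake rather than on keystream reuse.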
Read more: New Decryptor Unlocks CryptXXX v3 Files