New version of CryptXXX ransomware is harder to decrypt
Researchers at endpoint protection specialist SentinelOne have uncovered a new variant of the CryptXXX ransomware family which is being spread via spam and possibly other means.
The latest version fixes previous flaws in its file encryption methods which prevents use of free decryption tools and makes it impossible to decrypt files without paying the ransom.
As with earlier versions of the ransomware this one hides by copying details from a legitimate .dll file -- in this case one related to CyberLink PowerDVD Cinema. Previous versions used details from a Microsoft dll.
It's likely that the cybercrime team behind this variant is the same as that behind earlier CryptXXX attacks and there's evidence that it originates in Russia. The new variant has seen 70 ransom payments totalling around $50,000 made to its Bitcoin ransom address since June 4 this year. It's probable, however, that different addresses are being used for each version or campaign, so the total raised may well be higher.
Caleb Fenton, senior security researcher at SentinelOne says, "To guard falling victim users need to keep backups of important files on external media, as copies on the same machine, including shadow copies, can be encrypted. Files stored in the cloud should be recoverable as long as the provider uses versioning, allowing you to get back a copy from before encryption took place. In addition they need an antivirus solution that uses more than just signatures and takes a behavioral approach".
More details of the infection including screen grabs is available on the SentinelOne blog.