The CryptXXX family encrypts files on the victim’s computer and on network shares and then immediately demands $500 in Bitcoin to reverse the encryption. Last week Kaspersky came up with a fix that would decrypt the files.
Researchers at Proofpoint, who first discovered CryptXXX a few weeks ago, have detected a new variant in the wild which gets around Kaspersky’s fix.
After that tool became public, the authors of CryptXXX released a new version of the ransomware, one that defeats Kaspersky’s offering and applies some cosmetic enhancements.
In addition to countering Kaspersky’s tool, version 2.006 of CryptXXX locks the screen and renders the infected machine unusable.
Writing in their blog, Proofpoint said that initially it thought the new lock screen was a quick and dirty way to make it more difficult for the victim to use the Kaspersky decryption tool.
“But upon further inspection, we found that the authors discovered a way to bypass the latest version of the decryption tool.”
Exactly how CryptXXX is defeating Kaspersky isn’t clear, but Proofpoint speculates that it has something to do with how zlib 1.2.2 is being embedded.
CryptXXX is rapidly emerging as one of the top ransomware families in the wild, especially among those working primarily via exploit kits.
“With the introduction of version 2.006, CryptXXX authors have, for now, rendered the existing free decryption tool ineffective. While new decryption tools may emerge, CryptXXX’s active development and rapid evolution suggest that this new ransomware will continue to compete strongly in malware ecosystems,” Proofpoint said.