CryptXXX 2.0: Ransomware Authors Strike Back Against Free Decryption Tool

Share with your network!

Update, 5/13/2016: 

Our colleagues at Kaspersky Labs have already released an update to their free decryption tool that covers the latest version of CryptXXX described in this blog post. As usual, though, the best solution for ransomware is to avoid infection in the first place. Up-to-date network and endpoint protection, fully patched systems and software, and care when opening emails and attachments are all important components of a sound security strategy for businesses and consumers.


In mid-April, Proofpoint researchers discovered CryptXXX, a new malware variant developed by the authors of the Reveton malware and closely tied to Angler and Bedep [1]. Our colleagues at Kaspersky quickly released a decryption tool with which infected users could recover encrypted files without paying the CryptXXX ransom. However, the latest version of CryptXXX, which appeared in the wild today, renders that tool ineffective, returning the focus on CryptXXX to detection and prevention.


CryptXXX [1] is being actively maintained: we have seen it evolve multiple times since our initial discovery, but the changes did not appear significant enough to be mentioned. As expected, the number of actors spreading it has increased, making it one of the most commonly seen ransomware families. Globally, we have observed several primary threat actors transitioning from Teslacrypt/Locky to CryptXXX/Cerber in the driveby landscape in recent weeks. CryptXXX is most frequently dropped by Bedep after Angler infection, but we have seen it dropped directly by Angler as well:

GooNky malvertising leading to Angler EK dropping CryptXXX
Figure 1: 2016-05-05 - Malvertising from the group we named GooNky [2] [3]  leading to Angler EK dropping CryptXXX directly - Note the new https open redirector they are using.

On April 28th we observed an interesting behavior change in CryptXXX version 2.000. This version began copying the legitimate rundll32.exe file into temporary folder and renaming it there as svchost.exe. This renamed rundll32 is then used to call the original CryptXXX process with a different entry function, MS111. 

Copied rundll32 file
Figure 2: rundll32.exe is copied into the temporary folder and used to start the original CryptXXX DLL with a different entry function, MS111

However, the biggest modification appeared today with the version 2.006. The ransomware is now locking the screen and making the infected computer unusable.

CryptXXX 2.006 denying access to system
Figure 3: CryptXXX 2.006 denying access to the system with a lock screen (there is no link as no user interaction is expected from this screen)

We have not confirmed that a payment via the "personal home page" referenced above will unlock the screen. However, based on Reveton “Police locker” history (as noted previously, the authors responsible for CryptXXX were also behind Reveton), we expect this is an included feature in the ransomware, meaning the computer is probably contacting the C&C routinely to check the payment status.

We first thought that the new lock screen was a quick and dirty way to make it more difficult for the victim to use the Kaspersky decryption tool [4]. But upon further inspection, we found that the authors discovered a way to bypass the latest version of the decryption tool.

CryptXXX 2.006 evolution
Figure 4: CryptXXX 2.006 evolution making the latest implementation of the Rannoh Decryption Tool [4] ineffective. Note that it appears that CryptXXX 2.006 is embedding zlib 1.2.2, possibly in order to defeat the current decryption tool.

The files that alert the victim that they are infected were previously “de_crypt_readme” with bmp, txt, and html extensions. These files are no longer used; instead the filenames are the unique “Personal ID” from the infected machines:

Figure 5 : Ransom message is now unique to each victim (12 hexadecimal characters)

A small modification has been made on the payment page as well:

Figure 6: They now refer to “Google Decrypter” on the payment page instead of “Cryptowall Decrypter” [1]...probably to make it more difficult for victims to identify what they are facing


CryptXXX is rapidly emerging as one of the top ransomware families in the wild, especially among actors working primarily via exploit kits. (For its part, Locky [5] remains the top ransomware distributed via email.) With the introduction of version 2.006, CryptXXX authors have, for now, rendered the existing free decryption tool ineffective. While new decryption tools may emerge, CryptXXX's active development and rapid evolution suggest that this new ransomware will continue to compete strongly in malware ecosystems. As always, best practices for avoiding infection include patching systems and software, updating endpoint antimalware, deploying robust network protections, and regularly backing up all critical systems.



Indicators of Compromise (IOC)

IP/Domain Comment CryptXXX checkin server







Zip archive with the 4 following samples



CryptXXX 1.001



CryptXXX 2.000



CryptXXX 2.005



CryptXXX 2.006


ET Signatures that would fire on CryptXXX traffic:

2820097 || ETPRO TROJAN CryptXXX Checkin 2

2819805 || ETPRO TROJAN CryptXXX Ransomware Checkin

2819806 || ETPRO TROJAN CryptXXX Possible Payment Page