MacBook Laptop Displaying Ransomware Notifications

Spam, Now With a Side of CryptXXX Ransomware!

July 14, 2016
Proofpoint Staff

Overview

CryptXXX has rapidly grown into one of the most prevalent ransomware variants in the wild with widespread distribution via exploit kits (EKs) such as Neutrino and Angler. As exploit kit traffic has declined (a 96% decrease between April and June), though, particularly in the wake of Angler's disappearance, threat actors normally reliant on EKs are diversifying approaches and looking to other vectors like email. For the first time, Proofpoint researchers have observed CryptXXX ransomware being distributed via malicious document attachments in email campaigns.

Analysis

On July 14, Proofpoint researchers detected an email campaign with document attachments containing malicious macros. If opened, these attachments download and install CryptXXX ransomware. The messages in this campaign had the subjects "Security Breach - Security Report #123456789” with attachments such as "info12.doc" or "i_nf012.doc." The report numbers and digits in the file names were composed of random numbers. The scale of this email campaign was relatively small, with only several thousand email messages observed, suggesting a test of the new distribution mechanism.

Figure 1 shows an example email message with one such malicious document attached.


Figure 1: Email delivering the documents that download CryptXXX ransomware. Although the IP address is obscured in the figure, it is worth noting that both the second and third octets in our samples were numbers above 255; these would be obviously invalid to a network administrator but would maintain an air of urgency and credibility for many average users.


Figure 2: Document attachment that downloads the CryptXXX ransomware

The specific instance of CryptXXX delivered in this campaign is from affiliate ID U000022. We believe that CryptXXX is in active development and possibly split off into two branches. The original branch is now up to version 5.001 (we wrote about the upgrade to version 3.100 near the end of May), while the new branch uses a different format for versioning and will require further analysis.

Conclusion

CryptXXX ransomware has propagated rapidly since appearing earlier this year. The ransomware was initially linked to groups associated with Angler and was distributed almost exclusively via Angler. As Angler activity dried up over this quarter, many actors turned to instances of the Neutrino exploit kit for distribution. Not surprisingly, with the disruption in the EK market, it appears that CryptXXX actors are turning to email as well. We will continue to monitor this trend and see if malicious document-based distribution of CryptXXX expands in the coming months.

Indicators of Compromise (IOC)

IOC

IOC Type

Description

484a67c3d1d223792ab57f89a1bbd8a1fdee8b337d0c532cbc88115650b09001

SHA256

Macro document

19be8d1cbce9c5c2bdad689308a3f17c29ef273b6717e1bebcea81282ca4e09a

SHA256

Macro document

770872484789ebc0e6b309920849041c3936fde2ceed85455917c278631ccdd6

SHA256

Macro document

b41d38c0ebbda25f2fea33d2118583f26e3a0aa596192b891be7a191161e5df1

SHA256

Macro document

f4715d018b5e9d93cf75d97559412c6783e16765b88eb8e36759fa059bf3ed4d

SHA256

Macro document

[hxxp://ubz[.]com[.]ua/plugins/system/ossystem/com_loader.jpg]

URL

CryptXXX downloaded by Macro document

964608f4521362526e64d566d28072c2f145b4c69e09caea500d2db63b1e26b7

SHA256

CryptXXX

91.220.131[.]147

IP

CryptXXX C2

jchiyogcbhkamxv5[.]onion

Hostname

CryptXXX payment site

Select ET Signatures that would fire on such traffic:

2819805 || ETPRO TROJAN CryptXXX CnC Beacon

2022840 || ET TROJAN Possible CryptXXX Ransomware Renaming Encrypted File SMB v2