CryptXXX Ransomware

CryptXXX Ransomware Description

The CryptXXX Ransomware is a ransomware Trojan. The CryptXXX Ransomware does not limit its attack to encrypting the victim's files; the CryptXXX Ransomware also has the capacity of taking BitCoins from the victim's wallet and collect passwords from the infected computer. The combination of a ransomware Trojan with information collecting components has proven to be highly effective and with a great potential for future attacks. PC security analysts are concerned that the addition of an information collecting component to the CryptXXX Ransomware infection could set a new standard for encryption ransomware Trojans in the future.

Besides Encrypting Files, the CryptXXX Ransomware may Execute Additional Harmful Actions

The CryptXXX Ransomware encrypts the victim's files using the AES encryption. The CryptXXX Ransomware also may collect BitCoins, passwords, and other private data from the infected computer. The CryptXXX Ransomware was first detected in late March of 2016. PC security researchers have associated the CryptXXX Ransomware with the Angler Exploit Kit, which has been used to compromise various websites. This exploit kit is used to leverage vulnerabilities on the victim's computer to install Bedep on the victim's computer. Bedep is a Trojan downloader that may download and install the CryptXXX Ransomware and other possible threats on the victim's computer. The CryptXXX Ransomware downloads a delayed execution DLL file, which waits 62 minutes before launching on the victim's computer. After the time has elapsed, the CryptXXX Ransomware carries out its attack, encrypting the victim's files and collecting important data and money in the form of BitCoins.

Mapping the CryptXXX Ransomware Infection

The CryptXXX Ransomware asked ransom is 1.2 BitCoins. After encrypting the victim's files, the CryptXXX Ransomware changes the victim's Desktop image into its ransom message and drops text and HTML ransom notes on the victim's computer. The CryptXXX Ransomware's ransom messages are instantly recognizable and can be used to identify this threat. The files associated with these ransom notes are named 'de_crypt_readme.txt' and 'de_crypt_readme.html.' The CryptXXX Ransomware appends the file extension 'crypt' to the files it has encrypted. At the current rate, the CryptXXX Ransomware ransom averages at about $515 USD, an amount that is significantly higher than the average encryption ransomware threats.

The Information Collecting Capabilities of the CryptXXX Ransomware

Bedep has been used to deliver data collecting threats in the past. In this case, the CryptXXX Ransomware also will contain a feature that allows it to collect data from the victim's computer. The CryptXXX Ransomware can collect files, passwords, and other data, focusing on login credentials from the victim's instant messenger applications, email clients, FTP programs, and Internet browsers particularly. The CryptXXX Ransomware also may collect BitCoin wallet credentials according to reports from PC security researchers. PC security analysts have detected a link between the CryptXXX Ransomware and Reveton, an older ransomware threat that was quite effective in its time. There are various similarities, including that both threats are encoded using Delphi, use a DLL with a delayed start, the same type of function to call on the corrupted DLL file, collect BitCoins and login credentials, and make use of a custom Command and Control protocol using TCP port 443.

Who may be Responsible for the CryptXXX Ransomware?

PC security researchers suspect that the same group that created the CryptXXX Ransomware also created Bedep, the Angler Exploit Kit and Reveton. This means that the people responsible for the CryptXXX Ransomware may have significant resources and experience, making this threat particularly worrying for security researchers. Malware analysts observed a similar pattern in 2015, when the Locky Ransomware family first appeared. At first, the CryptXXX Ransomware seemed to come out of nowhere, with sophisticated new features and an approach that had not been seen before in ransomware threats. Locky quickly become one of the most widely disseminated ransomware threats. The CryptXXX Ransomware is not the work of an amateur group, and the CryptXXX Ransomware may become a significant threat in the coming year.

Technical Information

File System Details

CryptXXX Ransomware creates the following file(s):
# File Name Size MD5 Detection Count
1 %SystemDrive%\Users\mehdi\AppData\Local\#_HOW_TO_FIX_!.hta 2,144 392584ba2249f34ae158a516c9cebe0b 47
2 %TEMP%\{68815C74-7E0F-48E1-9358-B127C595A632}\api-ms-win-system-Sens-l1-1-0.dll 249,856 22288a76cfa7348ced6db347b2085f18 1
3 file.dll 406,528 cf892c22f1b8cbdd33c11cc9050d483b 0
More files

Registry Details

CryptXXX Ransomware creates the following registry entry or registry entries:
Regexp file mask
%APPDATA%\Microsoft\Windows\Network Shortcuts\@README.BMP
%APPDATA%\Microsoft\Windows\Network Shortcuts\@README.HTML

Related Posts

Site Disclaimer

Enigmasoftware.com is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.


HTML is not allowed.