Notorious ransomware family CryptXXX has morphed yet again to defeat decryption tools with a newly discovered variant: version 3.100, according to Proofpoint.
The security vendor claimed in a new blog post that CryptXXX 3.100 features new Server Message Block (SMB) functionality to scan for shared Windows drives on the corporate network before encrypting them one by one.
This renders the current CryptXXX decryption tool from Kaspersky Lab useless, and organizations should not count on another one being made available any time soon, Proofpoint argued.
“Even when possible, decrypting individual files is time-consuming and scales poorly, especially as CryptXXX begins encrypting many more files across network shares,” the firm said. “Similarly … the information stealing capabilities built into CryptXXX render organizations vulnerable even if they can recover critical files.”
These info stealing capabilities come in the form of StillerX – a credential stealing DLL which works as a plugin or standalone stealer.
It has been designed to target a wide range of potentially monetizeable information on a victim’s machine, including browser data, email/IM/VPN credentials, and even poker software log-ins.
CryptXXX 3.100 also features a simplified lock screen and a new more user-friendly payment portal hosted on an onion site.
Proofpoint claimed the ransomware family has become fairly widespread of late, even attracting black hats from TeslaCrypt.
“Because CryptXXX also includes robust information-stealing capabilities, multi-layered network and endpoint protection are also critical to prevent data exfiltration in case of infection,” the vendor concluded.
“CryptXXX updates have appeared very quickly over the last month and, without an available decryption tool, users and organizations must focus on detection and prevention.”
The scale of the ransomware problem is still difficult to gauge as many don’t report infections, but some reports suggest the FBI has estimated over $200m in losses in Q1 alone – way more than the $24m figure ascribed to 2015.
In addition, DNS firm Infoblox claimed this week that it had observed a 35-fold increase in new ransomware domains in Q1 compared to the final three months of 2015.