RANSOMWARE THREAT CRYPTXXX is now airborne, according to researchers at security firm Proofpoint, and is being sent out via a spam campaign to some effect.
Proofpoint explained in a blog post that CryptXXX is usually distributed by exploit kits such as Neutrino and Angler rather than by email.
“CryptXXX has rapidly grown into one of the most prevalent ransomware variants in the wild with widespread distribution via exploit kits such as Neutrino and Angler. As exploit kit traffic has declined (a 96 per cent decrease between April and June), though, particularly in the wake of Angler’s disappearance, threat actors normally reliant on exploit kits are diversifying and looking to other vectors like email,” said the firm.
“For the first time, Proofpoint researchers have observed CryptXXX ransomware being distributed via malicious document attachments in email campaigns. On July 14, Proofpoint researchers detected an email campaign with document attachments containing malicious macros. If opened, these attachments download and install CryptXXX ransomware.”
The security firm has provided an example of the type of email. It purports to be from a bank and includes an attached document that the recipient is urged to read. The attachment opens a document that claims macros must be enabled for it to display properly. Go for that, and the trouble starts.
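As an added example (not code from Proofpoint's post or this article), the following Python script parses a raw email offline and flags Office attachments that carry a VBA project, which is the macro-bearing document type the campaign above relies on. The email, the sender address and the attachments are constructed fixtures, not samples from the campaign.

```python
import email
import io
import zipfile
from email.message import EmailMessage

def attachment_has_macros(data: bytes) -> bool:
    """True if the bytes are an OOXML Office file (a zip) carrying a vbaProject.bin part."""
    if not data.startswith(b"PK"):
        return False  # legacy OLE .doc/.xls need an OLE parser; out of scope here
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False

def flag_macro_attachments(raw_eml: bytes) -> list:
    """Parse a raw RFC 822 message and return the filenames of macro-bearing attachments."""
    msg = email.message_from_bytes(raw_eml)
    flagged = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body parts and multipart containers have no filename
        if attachment_has_macros(part.get_payload(decode=True) or b""):
            flagged.append(name)
    return flagged

def build_ooxml(with_macro: bool) -> bytes:
    """Constructed test fixture: a minimal zip shaped like a Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"placeholder VBA project")
    return buf.getvalue()

def build_sample_email() -> bytes:
    """Constructed sample lure: a 'bank' message with one .docm and one plain .docx attached."""
    msg = EmailMessage()
    msg["From"] = "notifications@bank.example"  # placeholder sender
    msg["Subject"] = "Please review the attached statement"
    msg.set_content("Your statement is attached. Enable content to view it.")
    msg.add_attachment(build_ooxml(True), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="statement.docm")
    msg.add_attachment(build_ooxml(False), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="notice.docx")
    return bytes(msg)
```

Run `flag_macro_attachments(build_sample_email())` to see only the macro-enabled attachment reported; the same check can be dropped into a mail gateway or quarantine script that reads real `.eml` files.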
“CryptXXX ransomware has propagated rapidly since appearing earlier this year. The ransomware was initially linked to groups associated with Angler and was distributed almost exclusively via Angler,” added the firm.
“As Angler activity dried up over this quarter, many actors turned to instances of the Neutrino exploit kit for distribution. Not surprisingly, with the disruption in the exploit kit market, it appears that CryptXXX actors are turning to email as well. We will continue to monitor this trend and see if malicious document-based distribution of CryptXXX expands in the coming months.”
There is perhaps some good news to report about ransomware, although it does rather fly in the face of advice suggesting that people should not pay ransom demands.
A study by Finnish security company F-Secure looked at five separate ransomware gangs and found that they were friendly, amicable to deal with and amenable on terms and payments.
“Crypto-ransomware criminals’ business model is, of course, encrypting your files and making you pay to have them decrypted so you can access them again. To help victims understand what has happened, and then navigate the unfamiliar process of paying in bitcoin, some [gangs] offer a ‘customer journey’ that could rival that of a legitimate small business,” F-Secure said.
“Websites that support several languages. Helpful FAQs. Convenient customer support forms so the victim can ask questions. And responsive customer service agents that quickly get back with replies.
“We think this is a pretty interesting paradox. Criminal nastiness, but on the other hand willingness to help ‘for your convenience’, as one [gang] put it.”
Ultimately, F-Secure urged people to prevent this happening to them and put in protective and preventive measures that can eliminate the threat. We think that there might be some software firms that can help consumers and businesses with this. F-Secure may be one of them.