Chapter 9. CryptXXX

The CryptXXX ransomware first appeared at the end of March 2016 and quickly grew into one of the most popular ransomware families delivered via exploit kit. Currently, CryptXXX is primarily delivered via web exploitation kits using compromised websites and malware-infected advertisements.

It was first reported on by researchers at Proofpoint in conjunction with Frank Ruiz from Fox IT InTELL.1 The team behind CryptXXX made extensive use of the Angler exploit kit using the Bedep loader for earlier versions but, with the demise of Angler, moved on to other exploit kits in recent versions.

CryptXXX is also unique in that earlier versions were delivered in DLL format rather than as an executable. Running the ransomware as a DLL instead of a standalone .exe often allows the CryptXXX family to bypass traditional antivirus solutions, because the DLL is loaded and run by legitimate Windows system executables on the victim machine. Unless the antivirus program knows to look for suspicious DLL activity, CryptXXX will remain undetected until the encryption process is complete and the ransom note pops up.
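As an added example (not from the chapter or any vendor product), the following Python check runs over constructed Sysmon-style image-load records and flags the pattern described above: a trusted Windows system executable loading a DLL from a user-writable location, or an unsigned DLL. The loader names, file paths and record field names are assumptions chosen for the example.

```python
# Constructed image-load records (not real telemetry): which process loaded
# a DLL, the DLL's path, and whether the DLL carried a valid signature.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll", "Signed": "true"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\update.dll",
     "Signed": "false"},
    {"Image": r"C:\Program Files\ExampleApp\app.exe",
     "ImageLoaded": r"C:\Users\victim\plugin.dll", "Signed": "false"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ImageLoaded": r"C:\ProgramData\helper.dll", "Signed": "true"},
]

# Prefixes are compared case-insensitively; Windows paths are not case-sensitive.
SYSTEM_DIRS = ("c:\\windows\\",)
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")


def is_under(path, prefixes):
    """True if `path` sits below any of the given directory prefixes."""
    lowered = path.lower()
    return any(lowered.startswith(prefix) for prefix in prefixes)


def suspicious_dll_load(event):
    """Return a reason string when a system binary loads a risky DLL, else None."""
    loader = event["Image"]
    dll = event["ImageLoaded"]
    # Only a legitimate Windows binary acting as the host is of interest here;
    # third-party programs loading their own DLLs are out of scope for this check.
    if not is_under(loader, SYSTEM_DIRS):
        return None
    reasons = []
    if is_under(dll, USER_WRITABLE):
        reasons.append("DLL loaded from user-writable path")
    if event.get("Signed", "false").lower() != "true":
        reasons.append("DLL is unsigned")
    return "; ".join(reasons) if reasons else None


def scan(events):
    """Return (loader, dll, reason) tuples for every record that matches."""
    hits = []
    for event in events:
        reason = suspicious_dll_load(event)
        if reason:
            hits.append((event["Image"], event["ImageLoaded"], reason))
    return hits


if __name__ == "__main__":
    for loader, dll, reason in scan(SAMPLE_EVENTS):
        print(f"{loader} -> {dll}: {reason}")
```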

CryptXXX is now primarily delivered via the Neutrino exploit kit, which targets vulnerabilities in three different Windows applications:

  • Adobe Flash
  • Microsoft Silverlight
  • Java and Java Runtime Environment (JRE)

CryptXXX also does more than just encrypt the files on a victim machine. Because the initial deployments used the Angler exploit kit and Bedep Loader, the CryptXXX ...
