CrypMIC ransomware is a CryptXXX copycat, with a few twists

The newly discovered CrypMIC shares much in common with fellow ransomware CryptXXX, including its affiliation with the Neutrino Exploit Kit.

CryptXXX ransomware has a doppelganger.

It's called CrypMIC. And its close resemblance to CryptXXX, the ransomware that's been taking the world by storm since April 2016, doesn't appear to be a coincidence. According to Trend Micro, whose researchers found the malicious code, the most likely scenario is that its makers are looking to cash in on the success of CryptXXX by copying many of its most appealing features. 

“On the face of it, this would seem to indicate it's a separate group that is building off of CryptXXX and improving on it,” said Christopher Budd, Trend Micro's global threats communications manager, in an email interview with SCMagazine.com. But CrypMIC is no poser – it has a few original tricks up its own sleeve too.

First, their commonalities: CryptXXX and CrypMIC both spread through compromised websites and malvertising sites via the Neutrino Exploit Kit. Trend Micro said it found Neutrino alternating between distributing the two ransomware families between July 6 and 14.

The two ransomware families also do more than just encrypt files – they can steal data and credentials from a series of programs. And they present similar content in their ransom notes and payment-site user interfaces.

CrypMIC and CryptXXX can both also encrypt files on removable and network drives, although the former can only encrypt network shares that have already been mapped to a drive letter, Trend Micro's blog post explains.

Despite these similarities, CrypMIC and CryptXXX have different source codes – and upon closer inspection, other differences also begin to emerge. Trend Micro notes that unlike its predecessor, CrypMIC does not add an extension name to encrypted files, “making it trickier to determine which files have been held in ransom.”
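As an added defender-side illustration (not code from the article or from Trend Micro's research): because CrypMIC leaves file names untouched, an incident-response triage script cannot key on a new extension the way it could for CryptXXX. The check below instead flags files whose extension promises a known header that is absent and whose contents have ciphertext-like entropy; the magic-byte table, the 7.5-bit threshold and the two sample files are assumptions made for the demo.

```python
import math
import os
import tempfile
from collections import Counter

# Header signatures for a few common types (real magic bytes, short list for the demo).
# Compressed containers (zip/docx/png/jpg) are high-entropy too, which is why the
# header check runs first: an intact header means "not ciphertext" regardless of entropy.
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",  # OOXML is a ZIP container
    ".zip": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a byte string; 8.0 is the maximum (uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str, entropy_threshold: float = 7.5) -> bool:
    """True when the extension implies a header we know, the header is missing,
    and the leading bytes look random. Unknown extensions are skipped, not flagged."""
    expected = MAGIC.get(os.path.splitext(path)[1].lower())
    if expected is None:
        return False
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if head.startswith(expected):
        return False  # header intact, treat as plaintext
    return shannon_entropy(head) >= entropy_threshold


def scan(root: str) -> list:
    """Walk a tree and return the sorted paths that fail the header/entropy check."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if looks_encrypted(full):
                hits.append(full)
    return sorted(hits)


def demo() -> list:
    """Constructed sample: one intact PDF and one 'PDF' whose bytes were replaced
    with random data, mimicking an encrypted file that kept its original name."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n" + b"plain text body " * 100)
    with open(os.path.join(root, "invoice.pdf"), "wb") as fh:
        fh.write(os.urandom(4096))  # stand-in for ciphertext, not real malware output
    return [os.path.basename(p) for p in scan(root)]
```

Run `demo()` to see only the header-less, high-entropy file reported; in a real triage the same scan would be pointed at user and mapped-share directories.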

CrypMIC also stands apart in that it checks for virtual machine environments and sends that information to its command-and-control server. And it uses AES-256 encryption instead of a combination of RSA and RC4, like CryptXXX.

“Right now, CrypMIC is showing some techniques that are more sophisticated like stronger encryption, [and] more challenging obfuscation techniques,” stated Budd.

“But taking a step back, the bigger, more critical story is that ransomware as a class is changing and evolving quickly,” he continued. “It and exploit kits are showing what happens when malware authors are in competition with one another: regular people lose and suffer.”
