For the first time ever, CryptXXX ransomware is being distributed via malicious document attachments in email campaigns.
Proofpoint researchers said the malware was initially spread via the Angler and Neutrino exploit kits (EKs), but in the wake of Angler's disappearance, the threat actors normally reliant on that EK are turning to attack vectors like email, according to a July 14 blog post.
Proofpoint spotted a spam campaign using documents containing malicious macros that, if opened, would download and install CryptXXX ransomware.
"The messages in this campaign had the subjects 'Security Breach - Security Report #123456789' with attachments such as 'info12.doc' or 'i_nf012.doc,'" researchers said in the post.
Researchers believe the ransomware is in active development and has possibly split off into two branches, with the original branch now up to version 5.001 and the newer branch using a different format for versioning, the post said.