A previously undocumented ransomware, dubbed CryptXXX, which has been spreading through Bedep once the Angler Exploit Kit infects systems, is the work of the same group behind Reveton ransomware, according to a blog post penned by the Proofpoint researchers who discovered CryptXXX.
The researchers noted that they were able to connect CryptXXX – which “is currently asking a relatively high $500 per computer to unlock encrypted files” – to Reveton after Frank Ruiz (Fox IT InTELL) shared intelligence with them. The two ransomware families share a number of attributes, including the Delphi programming language, a custom C&C protocol on TCP 443, a delayed start, a DLL called with a custom entry function, a dat file dropped in %AllUsersProfile% (for CryptXXX, this looks like code reuse, as the file only contains the letter x) and Bitcoin- and credential-stealing functions.
Proofpoint observed “an Angler EK into Bedep pass pushing both a ransomware payload and Dridex 22” on April 15, according to the blog post. CryptXXX creates three types of files similar to those used by ransomware such as Locky, Teslacrypt, and Cryptowall to notify victims that they've been infected and must pay a ransom to get their files decrypted.
While at first the researchers couldn't find a connection between CryptXXX and other ransomware, they eventually ran across a forum where victims had reported similar infections on March 31 and established a link to the bad actors behind Reveton.
They observed in four different infections that CryptXXX was being shipped as a DLL that Bedep dropped into folders. The start of the DLL, which was in many cases spotted being executed with the function “Working,” is, in fact, “randomly delayed,” the researchers wrote, explaining that “the main advantage of this delay from a threat actor's perspective is that the victim won't be able to easily connect it to the infection vector (that is, to the compromised or malvertised website).”
CryptXXX eludes detection through anti-VM and anti-analysis functions, such as checking CPU names in the Registry and installing “a hook procedure to monitor for mouse events,” the blog post said. “When the ransomware actually executes, it encrypts files and adds a .crypt extension to the filename.”
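A defender's triage for the two host-visible behaviours described above (a DLL run with the entry function “Working,” then files gaining a .crypt extension after a delay), as an added example that is not from Proofpoint or the original article. The event format, host names, paths, thresholds and the rundll32-style command line are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs): (epoch_seconds, host, kind, detail)
EVENTS = [
    (1000, "ws-01", "proc", r'rundll32.exe "C:\Users\a\AppData\Local\Temp\x1.dll",Working'),
    (1005, "ws-02", "proc", r'rundll32.exe shell32.dll,Control_RunDLL'),
    (4600, "ws-01", "rename", r'C:\Users\a\Documents\q1.xlsx.crypt'),
    (4601, "ws-01", "rename", r'C:\Users\a\Documents\notes.txt.crypt'),
    (4603, "ws-01", "rename", r'C:\Users\a\Pictures\cat.jpg.crypt'),
    (4700, "ws-02", "rename", r'C:\Users\b\old.crypt'),
]

# Assumption: the DLL is started through a "<dll>,<export>" style command line.
DLL_EXPORT = re.compile(r'\.dll"?\s*,\s*Working\b', re.IGNORECASE)

def triage(events, burst=3, window=60):
    """Return {host: finding} for hosts showing the behaviours in the article."""
    launches, renames = {}, defaultdict(list)
    for ts, host, kind, detail in sorted(events):
        if kind == "proc" and DLL_EXPORT.search(detail):
            launches.setdefault(host, ts)  # keep the first suspicious launch
        elif kind == "rename" and detail.lower().endswith(".crypt"):
            renames[host].append(ts)
    findings = {}
    for host in set(launches) | set(renames):
        times = renames.get(host, [])
        # Sliding window: did `burst` renames land inside `window` seconds?
        burst_at = next((times[i] for i in range(len(times) - burst + 1)
                         if times[i + burst - 1] - times[i] <= window), None)
        launch = launches.get(host)
        if burst_at is None and launch is None:
            continue  # a lone .crypt file is not enough to flag a host
        findings[host] = {
            "dll_launch": launch,
            "crypt_burst": burst_at,
            # Gap between launch and encryption: the "randomly delayed" start
            "delay_s": burst_at - launch if None not in (launch, burst_at) else None,
        }
    return findings

if __name__ == "__main__":
    for host, finding in sorted(triage(EVENTS).items()):
        print(host, finding)
```

Because the start is delayed, the correlation window between the launch and the rename burst has to be long enough to cover the gap, which is why the two signals are matched per host rather than by time proximity.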
Unlike other ransomware “written and/or distributed by less experienced actors” that failed to gain traction, the researchers said that “given Reveton's long history of successful and large-scale malware distribution, we expect CryptXXX to become widespread.”