Malware

CrypMIC ransomware is a CryptXXX copycat, with a few twists

CryptXXX ransomware has a doppelganger.

It's called CrypMIC. And its close resemblance to CryptXXX, the ransomware that's been taking the world by storm since April 2016, doesn't appear to be a coincidence. According to Trend Micro, whose researchers found the malicious code, the most likely scenario is that its makers are looking to cash in on the success of CryptXXX by copying many of its most appealing features. 

"On the face of it, this would seem to indicate it's a separate group that is building off of CryptXXX and improving on it,” said Christopher Budd, Trend Micro's global threats communications manager, in an email interview with SCMagazine.com. But CrypMIC is no poser – it has a few original tricks up its own sleeve too.

First, their commonalities: CryptXXX and CrypMIC both spread through compromised websites and malvertising sites via the Neutrino Exploit Kit. Trend Micro said it found Neutrino interchangeably alternating distribution of the two malwares between July 6 and 14.

The two malwares also do more than just encrypt files – they can steal data and credentials from a series of programs. And they present similar content in their ransom notes and payment-site user interfaces. 

CrypMIC and CryptXXX can both also encrypt files on removable and network drives, although the former can only encrypt network shares if they have already been mapped to a drive, the blog post explains. 

Despite these similarities, CrypMIC and CryptXXX have different source codes – and upon closer inspection, other differences also begin to emerge. Trend Micro notes that unlike its predecessor, CrypMIC does not add an extension name to encrypted files, “making it trickier to determine which files have been held in ransom.”

CrypMIC also stands apart in that it checks for virtual machine environments and sends that information to its command-and-control server. And it uses AES-256 encryption instead of a combination of RSA and RC4, like CRyptXXX.

“Right now, CrypMIC is showing some techniques that are more sophisticated like stronger encryption, [and] more challenging obfuscation techniques,” stated Budd.

“But taking a step back, the bigger, more critical story is that ransomware as a class is changing and evolving quickly,” he continued. “It and exploit kits are showing what happens when malware authors are in competition with one another: regular people lose and suffer.”

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.