Name CryptXXX
Type Crypto-ransomware
Short Description This ransomware encrypts the victim's files and demands a ransom payment in exchange for recovering the encrypted files. Payment is handled through a TOR site so that the operators remain anonymous and cannot be tracked.
Encryption RSA 4096 algorithm
Symptoms Some files become inaccessible.
Distribution Method Spam Email, Exploit kits
Image  CryptXXX
More Details

This ransomware is known under various names. It has many unique features: the first version used AES encryption, and later the encryption method and many other details were changed. It does not only encrypt files but is also able to loot bitcoins from the victim's wallet and to collect passwords from the computer.

Once this ransomware infiltrates the victim's device, it scans the device for specific file types. Some of the files targeted by this ransomware are shown below.

CryptXXX 1.1

When matching files are found they are encrypted with the specified algorithm, and the extension of each encrypted file is changed to .crypt.

Once the device has been encrypted, the ransomware leaves ransom notes in every folder where files were encrypted. Some of the ransom notes are shown below.

CryptXXX 1.2

The victim ID is a unique string associated with the infected device so that the attacker can easily sort victims.

These files are placed in the locations where files were encrypted. The ransomware demands that the ransom be paid within a set time limit; if the victim is unable to pay, the data remains encrypted forever.

It is said that this ransomware was written by the Reveton authors, since the two have many things in common.

There are many similarities between Reveton and CryptXXX. Most notably,

Delphi programming language

Custom C&C protocol on TCP 443

Delayed start

DLL called with a custom entry function

.dat file dropped in %AllUsersProfile% (for CryptXXX this looks like code reuse, as the file contains only the letter x)

Bitcoin and credential stealing functions
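The two host artifacts this entry describes, files renamed to the .crypt extension and a .dat file in %AllUsersProfile% whose whole content is the letter x, can be turned into a simple triage check. The script below is an added example written for this page, not code from the ransomware family or from any vendor. It builds a constructed sample directory tree (not data from a real infection), tallies .crypt files per directory, and flags .dat files containing only "x". Because the page does not give the .dat file's name, any .dat file with exactly that content is reported; the ransom note filenames are likewise not given, so they are not checked. The threshold of three .crypt files per directory is an arbitrary choice for the example.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path


def tally_crypt_files(root):
    """Count files ending in .crypt per directory under root.

    CryptXXX renames every file it encrypts to the .crypt extension, so a
    directory in which many files share that suffix is a strong sign that the
    encryption routine has run there.
    """
    counts = Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        n = sum(1 for f in filenames if f.lower().endswith(".crypt"))
        if n:
            counts[dirpath] = n
    return dict(counts)


def find_marker_dat_files(profile_dir):
    """Return .dat files in profile_dir whose entire content is the letter x.

    The page notes a .dat file dropped in %AllUsersProfile% containing only
    'x'. Its name is not given, so every .dat file with exactly that content
    is reported (assumption made for this example).
    """
    hits = []
    for entry in Path(profile_dir).iterdir():
        if entry.is_file() and entry.suffix.lower() == ".dat":
            try:
                data = entry.read_bytes()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if data.strip() == b"x":
                hits.append(str(entry))
    return sorted(hits)


def triage(root, profile_dir, min_crypt_files=3):
    """Combine both indicators into a single verdict dict."""
    crypt = tally_crypt_files(root)
    markers = find_marker_dat_files(profile_dir)
    suspicious_dirs = [d for d, n in crypt.items() if n >= min_crypt_files]
    return {
        "crypt_file_total": sum(crypt.values()),
        "suspicious_dirs": sorted(suspicious_dirs),
        "marker_dat_files": markers,
        # Both artifacts together are a stronger signal than either alone.
        "likely_cryptxxx": bool(suspicious_dirs) and bool(markers),
    }


def build_sample_tree():
    """Create a throwaway directory tree mimicking a post-infection host.

    Constructed sample data for this example only; file names are made up.
    """
    base = Path(tempfile.mkdtemp(prefix="cryptxxx_demo_"))
    docs = base / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    for name in ("report.docx.crypt", "budget.xlsx.crypt", "photo.jpg.crypt"):
        (docs / name).write_bytes(b"\x00" * 16)
    (docs / "untouched.txt").write_text("plain")
    profile = base / "ProgramData"  # stands in for %AllUsersProfile%
    profile.mkdir()
    (profile / "marker.dat").write_text("x")       # hypothetical marker name
    (profile / "settings.dat").write_text("real config")  # benign .dat file
    return str(base), str(profile)


if __name__ == "__main__":
    sample_root, sample_profile = build_sample_tree()
    print(triage(sample_root, sample_profile))
```

On a real host, point `triage()` at the user profile root and at the value of the `%AllUsersProfile%` variable; mount the disk read-only or run against a forensic image so the check does not alter timestamps of the artifacts it is meant to preserve.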