The newest version of CryptXXX ransomware has incorporated a credential-stealing module into its ever-growing bag of tricks.
On Wednesday, SaaS and email security provider Proofpoint published a blog post about CryptXXX version 3.100.
One of the most significant updates Proofpoint’s researchers observed was the addition of a module that is capable of stealing victims’ passwords:
“In order to further monetize the infections, CryptXXX downloads a DLL which acts as a credential stealing module. Internally referenced as ‘stiller.dll’, ‘stillerx.dll’ and ‘stillerzzz.dll’, this DLL works as a plugin, but can also be used as a standalone stealer…. StillerX appears to be fully-featured and targets the credentials of a wide range of applications from poker software to Cisco VPN credentials.”
The research team also detected scanning activity on TCP port 445 (the SMB file-sharing port), which CryptXXX can use to discover shared folders on the network and encrypt their contents as well as the local disk.
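As an added example, not taken from Proofpoint's research or from this article, the Python script below shows one way a defender could spot the port 445 scanning behaviour described above: it reads connection-log lines and flags any internal host that contacts an unusually large number of distinct hosts on TCP port 445 within a sliding time window. The log format, the IP addresses, the window length and the threshold are all assumptions chosen for illustration; the sample log is constructed, not captured.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (assumed format: timestamp src dst dst_port flag).
# 10.0.0.7 is a normal workstation talking to two file servers.
# 10.0.0.5 is an infected host sweeping 12 neighbours on port 445 in a few seconds,
# plus one unrelated SMB connection two minutes earlier (outside a 60 s window).
SAMPLE_LOG = """\
2016-05-25T09:59:00 10.0.0.5 10.0.0.50 445 SYN
2016-05-25T10:00:00 10.0.0.7 10.0.0.100 445 SYN
2016-05-25T10:00:02 10.0.0.7 10.0.0.100 445 SYN
2016-05-25T10:00:05 10.0.0.7 10.0.0.101 445 SYN
2016-05-25T10:00:09 10.0.0.7 10.0.0.200 80 SYN
2016-05-25T10:01:00 10.0.0.5 10.0.0.10 445 SYN
2016-05-25T10:01:00 10.0.0.5 10.0.0.11 445 SYN
2016-05-25T10:01:00 10.0.0.5 10.0.0.12 445 SYN
2016-05-25T10:01:01 10.0.0.5 10.0.0.13 445 SYN
2016-05-25T10:01:01 10.0.0.5 10.0.0.14 445 SYN
2016-05-25T10:01:01 10.0.0.5 10.0.0.15 445 SYN
2016-05-25T10:01:02 10.0.0.5 10.0.0.16 445 SYN
2016-05-25T10:01:02 10.0.0.5 10.0.0.17 445 SYN
2016-05-25T10:01:02 10.0.0.5 10.0.0.18 445 SYN
2016-05-25T10:01:03 10.0.0.5 10.0.0.19 445 SYN
2016-05-25T10:01:03 10.0.0.5 10.0.0.20 445 SYN
2016-05-25T10:01:03 10.0.0.5 10.0.0.21 445 SYN
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dst_port)."""
    ts, src, dst, port, _flag = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_smb_scanners(log_text, window_seconds=60, threshold=10):
    """Return {src: peak_distinct_targets} for every source that reached at
    least `threshold` distinct hosts on port 445 inside any `window_seconds`
    long sliding window. Repeated connections to the same host count once,
    so a busy workstation hammering one file server is not flagged."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, dst, port = parse_line(line)
        if port == 445:
            events[src].append((ts, dst))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        in_window = {}  # dst -> number of events currently inside the window
        left = 0
        peak = 0
        for ts, dst in evs:
            in_window[dst] = in_window.get(dst, 0) + 1
            # Slide the left edge forward until every event in the window is recent enough.
            while ts - evs[left][0] > window:
                old_dst = evs[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for host, count in find_smb_scanners(SAMPLE_LOG).items():
        print(f"possible SMB share sweep from {host}: {count} distinct hosts on 445")
```

With the defaults only 10.0.0.5 is reported, with 12 distinct targets: the earlier connection to 10.0.0.50 falls outside the 60 second window, and the workstation 10.0.0.7 never exceeds two distinct SMB peers. Widening the window to 200 seconds pulls the early connection back in and raises the count to 13, which is the trade-off to tune against slow scans versus false positives in a real environment.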
Proofpoint originally spotted the first version of CryptXXX back in April.
Dropped by both the Angler exploit kit and the Bedep malware, CryptXXX appends the .CRYPT extension to each file it encrypts and demands that the victim pay US$500 for the decryption key. If the victim fails to pay within a few days, the ransom doubles to US$1,000.
Researchers at Kaspersky Lab made quick work of CryptXXX just a few weeks after its discovery by creating a free decryption tool. When malware developers updated the ransomware with a new lock screen about two weeks later, Kaspersky quickly modified its utility to reflect that change.
Kaspersky’s tool currently does not work for victims of CryptXXX 3.100. But it’s likely only a matter of time before researchers update their tool once again.
To help protect against ransomware infections, users should avoid clicking on suspicious links and email attachments, run an anti-virus solution on their computers, and apply software updates as soon as they become available.
For more ransomware prevention tips, please click here.
You can also learn more about ransomware in general here.