Crooks fix their issue, harden ransomware against decryption

May 10, 2016 09:17 GMT

UPDATE: Kaspersky researchers have released a free decrypter for CryptXXX 2.0 as well.

CryptXXX, one of the most recently discovered ransomware families, has received a major update: besides circumventing a free decryption tool released by Kaspersky, the ransomware now also prevents users from accessing their computers altogether.

CryptXXX was first spotted in mid-April by security firm Proofpoint. The ransomware worked like any other crypto-ransomware on the market today: it infected targets via malvertising, encrypted their files, and demanded a ransom.

Users retained full access to their computers, except for the encrypted files. They could still use the same computer to go online, buy Bitcoin, and pay the ransom.

Researchers discover CryptXXX 2.0

Things took a positive turn for CryptXXX victims only a week after the ransomware was first spotted, when Kaspersky released an update to its RannohDecryptor that added the ability to analyze and crack CryptXXX's encryption.

This modification allowed CryptXXX victims to download Kaspersky's decrypter and run it instead of going online and paying the ransom.

Almost two weeks after Kaspersky released its free decrypter, Proofpoint is now reporting the emergence of CryptXXX version 2 (2.006, to be exact), which includes changes that defeat the decrypter.

But that's not all: users infected with CryptXXX 2 won't even be able to go online anymore, because CryptXXX's authors have decided to lock the user's entire screen, as in the good ol' days of screen-locking ransomware.

That means users will have to use another computer to go online to buy Bitcoin and pay the ransom.

CryptXXX still delivered mainly via malvertising

As for distribution, Proofpoint says the crooks behind CryptXXX still prefer malvertising campaigns: malicious ads on legitimate websites redirect users to pages hosting the Angler exploit kit, which delivers the ransomware either directly or via an intermediary malware called Bedep.

"CryptXXX is being actively maintained: we have seen it evolve multiple times since our initial discovery, but the changes did not appear significant enough to be mentioned," the Proofpoint team explained on its site. "As expected, the number of actors spreading it has increased, making it one of the most commonly seen ransomware families. Globally, we have observed several primary threat actors transitioning from Teslacrypt/Locky to CryptXXX/Cerber in the driveby landscape in recent weeks."

As it stands today, because CryptXXX relies on malvertising on a regular basis, it may be a good time to look into installing an ad blocker in your browser. On a side note, Adblock Plus, the world's most popular ad blocker, announced yesterday that it has surpassed 100 million active users and 500 million downloads.