The crypto malware terrain already seems saturated with a myriad of devastating samples, some of which are copycats of others, while some exhibit unique malicious characteristics. Despite this ostensible congestion, new strains emerge virtually every week, which obviously proves how high the extortionists’ return on investment is. A recent one dubbed CryptXXX stands out from the crowd because it poses a twofold risk to every Windows user who falls victim to it. Its impact includes both the standard ransomware-specific file encryption and a number of data theft mechanisms. By going above and beyond the commonplace file encoding tactics, this infection can literally pilfer Bitcoins stored on the targeted computer’s hard disk and obtain its victims’ personally identifiable data.
The contaminated users won’t bump into the CryptXXX name as such in the course of this cyber assault. This denomination has been assigned to this particular pest by malware researchers who analyzed the appropriate code. The thing is, the XXX part denotes an ill-famed exploit kit also known as Angler, which is heavily used by the ransomware operators to execute their dangerous program on computers.
A lot of the attack incidents were preceded by users watching a streaming video on some popular media sites. This is, obviously, not a coincidence – the criminals had compromised these web pages and furtively embedded a script pointing to the Angler exploit kit. Consequently, every website visitor runs the risk of catching the ransomware as long as they have outdated software on their machine, and hence security vulnerabilities. This sort of contamination routine isn’t perceptible to the naked eye, which explains why people only find out they are infected when too much harm has already been done.
Whereas the victims won’t see any mention of CryptXXX proper in the ransomware warning messages, what they will definitely witness is the file mutilation and the ransom instructions. The trojan commences its attack by identifying personal files on local HDD volumes as well as external media and network shares. It encrypts every such entity with unbreakable RSA-4096 cryptography and appends the .crypt extension to the filenames. To explain to the user how to go about the predicament, CryptXXX creates 3 different documents holding step-by-step ransom directions. These are de_crypt_readme.html, de_crypt_readme.txt, and de_crypt_readme.bmp. The latter one is forcibly set as the desktop background. By the way, the process of encrypting data on storage devices that are plugged into the workstation takes place a while after the virus has ciphered the files kept locally. This is most likely an attempt to obfuscate the specific web page that became an entry point for the infection.
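The artifacts named above (the .crypt extension and the three de_crypt_readme files on local drives, removable media and network shares) are enough to scope the damage from a clean administrative session. The following PowerShell script is an added example, not code from the original article or from any vendor: it inventories those indicators across every fixed, removable and mapped drive so an incident responder knows which volumes were touched and when encryption started. The output path and the drive selection are assumptions; nothing here modifies the files it finds.

```powershell
# Added example (not from the original article): inventory CryptXXX indicators
# across all reachable drives. Read-only; run from a session that is known clean.
# Assumptions: drive types 2 (removable), 3 (fixed), 4 (network) are in scope,
# and $Report is a hypothetical output location chosen by the responder.
param([string]$Report = "$env:TEMP\cryptxxx_inventory.csv")

$noteNames = 'de_crypt_readme.html', 'de_crypt_readme.txt', 'de_crypt_readme.bmp'

# Enumerate every volume the user could have written to: local, removable and mapped shares
$roots = Get-CimInstance Win32_LogicalDisk |
    Where-Object { $_.DriveType -in 2, 3, 4 } |
    ForEach-Object { $_.DeviceID + '\' }

$hits = foreach ($root in $roots) {
    # -Force includes hidden items; errors on unreadable folders are skipped, not fatal
    Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.crypt' -or $noteNames -contains $_.Name.ToLower() } |
        ForEach-Object {
            [pscustomobject]@{
                Drive     = $root
                Kind      = if ($_.Extension -eq '.crypt') { 'EncryptedFile' } else { 'RansomNote' }
                Path      = $_.FullName
                # LastWriteTime of a .crypt file approximates when that file was encrypted;
                # the earliest one per drive marks the start of the run on that volume
                Written   = $_.LastWriteTime
            }
        }
}

$hits | Export-Csv -LiteralPath $Report -NoTypeInformation

# Summary per drive: count of encrypted files and the first/last write seen,
# which shows the local-then-external ordering the article describes
$hits | Where-Object Kind -eq 'EncryptedFile' |
    Group-Object Drive |
    ForEach-Object {
        $times = $_.Group.Written | Sort-Object
        '{0} encrypted={1} first={2:u} last={3:u}' -f $_.Name, $_.Count, $times[0], $times[-1]
    }

Write-Host "Full inventory written to $Report"
```

Because a network share shows up as a separate drive letter here, the per-drive summary makes it obvious whether the share was hit and whether its timestamps trail the local volume, which is the sequencing the article attributes to this family.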
The malefactors demand that the user hand over 500 USD to recover all the .crypt files. This amount is to be submitted in Bitcoins (about 1.2 BTC) over a Tor website titled the Decrypt Service. But once again, that’s not the only price that the victims may have to pay – their privacy is at stake as well. The CryptXXX .crypt ransomware gets enough privileges on the system to harvest private documents and even steal Bitcoins, if any are stored on the machine. To mitigate the damage and revive the hostage data, users should stick to the best practices of ransomware troubleshooting.
This is an exceptionally effective method for taking care of malware overall and ransomware threats in particular. The use of a reputable security suite ensures scrupulous detection of all virus components and a complete removal thereof in a single click. Be advised, though, that uninstalling this infection and recovering your files are two different things, but the need to remove the pest is indisputable as it has been reported to promote other trojans while operating.
It has been mentioned that the CryptXXX ransomware applies strong crypto to render files inaccessible, so there’s no magic wand that restores all of the encrypted data in the blink of an eye, except of course submitting the unthinkable ransom. There do exist techniques, though, which can lend you a helping hand in recovering the important stuff – learn what those are.
Automatic file recovery software
It’s kind of interesting to know that this infection erases the original files in their unencrypted form. It’s the copies that undergo the ransomware’s crypto processing. So tools like Data Recovery Pro can restore the deleted objects even if they were removed in a secure way. This workaround is definitely worthwhile as it has proved to be fairly effective.
Shadow Volume Copies
This approach relies on the native Windows backup of files on the computer, which is conducted at each restore point. There is an important condition to this method: it works if the System Restore feature was toggled on before the contamination. Also, if changes were made to a file after the most recent restore point, they won’t be reflected in the recovered file version.
The Properties dialog for any file has a tab called Previous Versions. That’s where the backed-up versions are displayed and can be recovered from. So right-click on a file, go to Properties, hit the above-mentioned tab and select the Copy or Restore option, depending on the location you would like it recovered to.
The above process can be automated with a tool called Shadow Explorer. It basically does the same thing (retrieving Shadow Volume Copies), but in a more convenient way. So download and install the application, run it and browse to files and folders whose previous versions you wish to be restored. To get the job done, right-click on any of the entries and select the Export feature.
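The Previous Versions tab and Shadow Explorer both read the same Volume Shadow Copies, and the same data can be reached from an elevated PowerShell prompt, which is useful when the GUI is unavailable or many files must be pulled back. The script below is an added example, not code from the original article or from the Shadow Explorer project. It assumes administrative rights, that System Restore was on before the infection (the condition stated above), and that the file path and destination folder are supplied by the operator; it walks the snapshots from newest to oldest and copies the first copy of the file it finds.

```powershell
# Added example (not from the original article): restore one file from the
# newest Volume Shadow Copy that still holds it in its pre-infection form.
# Assumptions: run as Administrator; VSS/System Restore was enabled before the
# infection; $Path and $Destination are hypothetical values chosen by the operator.
param(
    [Parameter(Mandatory)][string]$Path,         # e.g. C:\Users\Alice\Documents\report.docx
    [Parameter(Mandatory)][string]$Destination   # folder that receives the restored copy
)

$driveLetter = $Path.Substring(0, 2)                       # "C:"
$volume = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $driveLetter }
if (-not $volume) { throw "Volume $driveLetter not found" }

# Shadow copies of this volume, newest first; VolumeName matches Win32_Volume.DeviceID
$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    Sort-Object InstallDate -Descending
if (-not $shadows) { throw "No shadow copies exist for $driveLetter; this recovery route is closed" }

$relative = $Path.Substring(2).TrimStart('\')              # "Users\Alice\Documents\report.docx"
$link = Join-Path $env:TEMP ('vss_' + [guid]::NewGuid().ToString('N'))

foreach ($shadow in $shadows) {
    # Expose the snapshot through a directory symlink; the \\?\GLOBALROOT device path
    # needs a trailing backslash for mklink to accept it
    cmd /c mklink /d "$link" "$($shadow.DeviceObject)\" | Out-Null
    try {
        $source = Join-Path $link $relative
        if (Test-Path -LiteralPath $source) {
            # A snapshot taken after the infection would not contain the original
            # name at all (the file would be .crypt), so a hit here is a clean copy;
            # the timestamp tells you how much work since that point is lost
            Write-Host "Restoring from snapshot taken $($shadow.InstallDate)"
            Copy-Item -LiteralPath $source -Destination $Destination -Force
            return
        }
    } finally {
        cmd /c rmdir "$link" | Out-Null        # removes only the link, never the snapshot
    }
}
Write-Warning "No snapshot contains $relative in its original form"
```

Run it once per file, or wrap the loop in a function and feed it the paths from an inventory of .crypt files with the extension stripped. As with the manual route, a snapshot only helps if it predates the infection, which is why the script reports the snapshot date before copying.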
Out of all the options that aren’t ransom-related, this one is the best. In the event you had been backing up your information to an external server before the ransomware hit your PC, restoring the files encrypted by the CryptXXX malware is as simple as logging into the respective interface, selecting the right files and initiating the restore transaction proper. Before you do so, however, be sure to completely remove the ransomware from your computer.
In case you chose to stick to the manual cleanup technique, some fragments of the ransomware may have remained as obfuscated objects in the operating system or as registry entries. To make sure there are no malicious components of the threat left, have your computer scanned with a reliable malware security suite.