News from SentinelOne today has announced a new variation of the CryptXXX Ransomware, which they’ve clocked earning over $50,000 in Bitcoin payouts for its proponents thus far.
As with other popular ransomware strains that have been improving with each iteration, the new CryptXXX is unbreakable by decryption tools and has already proven to be very successful in forcing ransom payments. Encryption flaws from old versions have been fixed, and the malware is now better at evading antivirus detection.
We sat down with Caleb Fenton, Senior Security Researcher at SentinelOne, to get the details on this new campaign and for his take on how organisations can adequately prepare for situations where this ransomware comes for their files.
ITSG: How does this variant CryptXXX differ from previous ransomware?
CF: Previous versions encrypted files incorrectly such that tools could remove the encryption, but this new version uses more robust encryption which may make it impossible for files to be decrypted. Other changes were made to avoid AV detection. Structurally they moved code around enough to where previous AV signatures were rendered useless.
ITSG: What is the most common method of this ransomware being deployed?
CF: It spreads through spam, though possibly other channels. We acquire binaries from various sources such as underground malware forums, and since we’re actively monitoring this family, we detected a sample which was similar but not identical to previous versions.
ITSG: Is ransomware here to stay, or will there come a day when it’s banished to history?
CF: Yes, for the simple reason that ransomware attacks are extremely successful today, and are relatively easy to launch. It does not require a great deal of sophistication on the part of the attacker, just access to the correct tools which can be purchased online or subscribed to in a RaaS environment.
ITSG: What will organisations need to do to combat this variant of CryptXXX?
CF: The reactive response is to maintain a disciplined backup strategy, and have an internal strategy for how you’ll get access to BitCoins in a short amount of time. The proactive response is to stop relying on static-based detection technologies. This version of CryptXXX is designed very specifically to take advantage of those weaknesses. It is best to look towards technologies that use more dynamic, behavioural-based detection.
ITSG: We all know we shouldn’t pay up, but what happens if we do?
CF: You get your data back, but in the process your incentivising an ‘industry’ to further invest in new variants. In order to stop this rise in ransomware attacks we need to make the cost to launch an attack prohibitive. This will in turn take the profit out of the industry. If there’s no profit the investment should decrease significantly.
So there you have it – looks like ransomware isn’t going anywhere fast so get backed up and don’t let your company get in the news for all the wrong reasons!
Caleb Fenton is Senior Security Researcher at SentinelOne.
