Reg comments45

Don't pay up to decrypt – cure found for CryptXXX ransomware, again

Back to the drawing board, boys

Liam Neeson Taken

It's third time unlucky for the scumbags behind CryptXXX ransomware, as their shoddy coding has been cracked yet again.

CryptXXX is a particularly nasty form of the species – a ransomware app that not only encrypts over 40 file formats on a host PC and any external storage devices, but also steals any Bitcoins it can find on there and demands a hefty ransom for a cure.

It first popped up in April as part of a malware bundle being pushed out by the Angler exploit kit. Then researchers at Kaspersky Lab found a cock-up in the file encryption algorithms that made it easy to beat, and released sanitizing software.

In May, the CryptXXX coders tried again with a revised version that added a time delay so that the victim, and security researchers, wouldn't identify the malware-spewing source. But they didn't cover their tracks well and Kaspersky cracked it again.

By June the crims made another attempt, and the third version proved a much tougher proposition. That build toughened up its encryption techniques and added a StillerX credential-stealing module, which scanned port 445 for VPN, email, and online poker sign-ins.

Infection rates soared, as did the amount of money the ransomware brought in because people were paying up. Now the new version has been cracked and the tool to get your files back – although sadly not your Bitcoins – is available online.

"Even if there is currently no decryption tool available for the version of malware that encrypted your files, please don't pay the ransom to criminals," said Anton Ivanov, a security researcher at Kaspersky Lab. "Save the corrupt files and be patient – the probability of a decryption tool emerging in the near future is high."

The fact remains that this is a very small win in a broader battle that looks set to plague us for years to come because of technical and human failings.

Tech industry, meet stable door

Ransomware has been around for ages, but the tech industry didn't take it seriously because it wasn't widespread and getting payment for the infection was difficult and liable to get the malware creators – or more likely their money mules – collared.

However, with the rise of online currencies, the risk/reward ratio for ransomware changed drastically in the malware market's favor. In the last three years, infection rates have been exploding and the amount of easy money generated is enough incentive to keep ransomware a growth industry – mainly because people keep ponying up the funds.

Research last week from IBM's X-Force security team chatted to 600 business customers and found 70 per cent of them had paid ransomware spreaders to get their data back. Over half paid $10,000 in ransom and one in five coughed up over $40,000 for the keys to their data.

Ransom payment was much less common among consumers, the same study found. Around half of the 1,000 people polled said they'd pay up to get their data back, but were very price sensitive about it. Barely a third said they'd pay more than $100 for the cure to the malware.

In July Europol and Dutch National Police launched the No More Ransom project to combat this particular form of nastiness with tech partners like Intel and Kaspersky. Now more than 30 groups, including national CERTS, a greater variety of security firms, and volunteers are trying to find a cure for the problem.

It's going to be a long, hard slog, if it's possible at all. But the more people pay, the bigger the problem will become.

The answer isn't difficult to implement – make frequent and regular backups. Traditionally that's been something your average Joe hasn't been very good at, but there's no excuse for businesses not having the right secure storage systems in place. ®

Sign up to our Newsletter

Get IT in your inbox daily

Biting the hand that feeds IT © 1998–2017