SentinelOne, a security company, found that the latest version of CryptXXX is more robust and tougher to decrypt than previous iterations. These changes have apparently paid off for the crooks, who reportedly received about 70 Bitcoins in their Bitcoin wallet since June 4. As of this writing, that’s worth just over $45,000.
The firm notes that the people behind the scheme quickly moved the funds from this address, which was active from June 4-21.
It’s likely that they are using a Bitcoin tumbler, which obscures the details of the next wallet, to cover their tracks. They’ve also probably started using a new wallet since then to avoid any possible detection.
“With this kind of success, it’s likely we’ll continue to see this family and other ransomware families continue to grow and evolve,” said SentinelOne’s Caleb Fenton in a blog post.
There’s been a sort of cat-and-mouse game between ransomware creators and security companies. Kaspersky Lab recently released a decryptor software tool for users to decrypt their files free of charge, rather than pay the ransom, if they got infected by CryptXXX. The ransom is typically a couple of hundred dollars a pop.
Once this free tool was released, it forced the cybercriminals to rework their code so the encryption couldn’t be so easily broken. Then the vicious cycle continued when Kaspersky updated its own software. Now this latest version of CryptXXX once again skirts the power of the decryptor tool.
The new version also has a feature built-in that prevents retrieving backups; it does, for some reason, allow the victim to decrypt one file for free with a 512KB cap.
“This is a good idea from a psychological standpoint since the malware authors know that people are more likely to pay for something if they know that it will work,” said Fenton.
There have been previous cases of shoddily-coded ransomware variants out there that not even the authors have been able to crack after their victims have coughed up the Bitcoins.
