CryptXXX has quickly become one of the main strains of ransomware, although until recent times infection was only possible via malicious websites. Now I.T. experts Proofpoint have discovered CryptXXX ransomware emails. The group behind the attacks have created a new attack vector. CryptXXX ransomware emails include a Word document containing a malicious macro. If the macro is permitted to run it will load a VB script into the memory which will use Powershell to make contact with the attackers’ command and control server. Once a connection has been established, CryptXXX will be installed onto the victim’s computer. Authors have realized the benefits to be obtained from implementing an affiliate model to help infect machines and now a number of new players have joined the ransomware market.

If a “ransomware kit” is supplied, individuals with little hacking expertise can carry out own ransomware campaigns. The ransomware authors can charge a nominal amount for supplying the kit, and can also take a share on the back end. When an affiliate infects a computer and a ransom is given, the authors receive a cut of the payment. This model works well and there is no shortage of hackers willing to try their hand at running ransomware campaigns. The CryptXXX ransomware emails are being shared by an affiliate (ID U000022) according to Proofpoint.

Spotting CryptXXX Ransomware Emails

The CryptXXX ransomware emails are being transmitted with a subject line of “Security Breach – Security Report #Randomnumber.” The emails include only basic details about a supposed security breach that has happened. The security report is sent as an attached Word document. The body of the email includes the date, time of the attack, the provider, location, IP address, and port. The email recipient is told to open the file attachment to view details of the attack and find out about the actions that should be implemented.

The file attachment titled like “info12.doc” according to Proofpoint. If the attached Word file is downloaded, a Microsoft Office logo is displayed. The user is told that the document has been created in a newer version of Microsoft Office. The content of the document will only be shown if macros are enabled. Enabling the macros will lead to the VB script being loaded. Then ransomware will then be installed and users’ files encrypted.

There is no remedy action if files are encrypted. The victim must pay the ransom or lose their files. Once an infection has taken place, files can only be rescued from backups if the victim does not pay the ransom requested.

CryptXXX Ransomware Still Being Sent by Neutrino

Since the demise of the Angler exploit kit, CryptXXX was transferred to Neutrino. There was a dramatic drop in infections as activity temporarily stopped; however, Invincea recently reported a surge in activity via compromised company websites. The SoakSoak botnet is being implemented to scan the Internet for vulnerable websites. The websites being hit run the WordPress Revslider slideshow plugin. Scripts are appended to the slideshow that send visitors to a malicious site including Neutrino.

CryptXXX will only be installed if the endpoint lacks specific security tools that would detect an installation. If Wireshark, ESET, VMware, Fiddler, or a Flash debugging utility is present, the ransomware will not be installed.