Toy maker Maisto’s website pushed growing CryptXXX ransomware threat

29.04.2016
Attackers are aggressively pushing a new file-encrypting ransomware program called CryptXXX by compromising websites, the latest victim being U.S. toy maker Maisto. Fortunately, there's a tool that can help users decrypt CryptXXX affected files for free.

Security researchers from Malwarebytes reported Thursday that maisto.com was infected with malicious JavaScript that loaded the Angler exploit kit. This is a Web-based attack tool that installs malware on users' computers by exploiting vulnerabilities in their browser plug-ins.

If the attack successfully exploits a browser vulnerability, it then installs a malware dropper called Bedep, which in turn installs the CryptXXX ransomware.

CryptXXX was first discovered last week by researchers from Proofpoint. In addition to encrypting user files on local drives and network shares, the malware also acts like an information-stealing Trojan. It steals saved log-in credentials from browsers, instant messaging applications, FTP clients and email clients.

It also steals bitcoins from local wallets, a double hit to victims, because it then asks for the equivalent of $500 in bitcoins in order to decrypt their files.

Maisto.com is not the only recently compromised website that has been used to distribute CryptXXX. Researchers from Palo Alto Networks have observed a large attack campaign using the Angler-Bedep-CryptXXX combo since mid April.

The attackers behind that campaign had previously used the Nuclear exploit kit to deliver Locky, a different ransomware program.

"CryptXXX is now the default ransomware deployed in at least two major exploit kit campaigns and should be considered a growing cybersecurity threat," the Palo Alto researchers said in a blog post.

The good news is that the current version of CryptXXX seems to have a weakness in its encryption implementation. Researchers from antivirus firm Kaspersky Lab recently updated their ransomware decryption tool to add support for CryptXXX affected files.

While that tool works for now, it's likely that the malware's creators will eventually figure out their error and fix it. Therefore, users should focus on prevention rather than remediation.

They should keep all of their software programs, and especially browser plug-ins like Java, Flash Player and Silverlight, up to date. They should also regularly back up their files to an external location that's not always accessible from the computer. Locally mapped network shares are not a good idea, because ransomware programs target those too.

Lucian Constantin

Zur Startseite