[22nd December 2016]

Much excitement in the media about CryptXXX’s ‘Christmas discount’. E.g. from Forcepoint. Probably of more significance is the fact that Kaspersky have once more been able to update their Rannoh decryptor to handle CryptXXX version 3. Available from directly from Kaspersky or from

Commentary from The Register – Don’t pay up to decrypt – cure found for CryptXXX ransomware, again – and from SC Media, in an article with some interesting commentary from industry stalwarts such as Anton Ivanov and Paul Ducklin, even though most of the story is about the ‘discount’.

[18th August 2016]

Josh Reynolds for CISCO: CryptXXX Technical Deep Dive

[22nd July 2016]

David Bisson for Graham Cluley: SoakSoak using compromised websites to spread CryptXXX ransomware – Sometimes all it takes is vulnerable software or application plugins.

[15th July 2016]

Lawrence Abrams for Bleeping Computer: CryptXXX providing free keys for .Crypz and .Cryp1 Versions. Discusses the curious case of victims being given decryption keys for free.

[20th June 2016]: Is Angler EK Sleeping with the Fishes? Neutrino exploit kit now distributing most CryptXXX

[Added 13th June 2016]

SC Magazine: Hackers shift to Neutrino exploit kit to spread CryptXXX ransomware

[Added 6th June 2016]

More developments in the CryptXXX saga with extensive analysis by Proofpoint: CryptXXX Ransomware Learns the Samba, Other New Tricks With Version 3.100

Summary/commentary by Catalin Cimpanu for Softpedia: CryptXXX Ransomware Will Now Steal Your Passwords as Well subtitled ‘CryptXXX ransomware adds infostealer module’

Commentary by Darren Pauli for The Register: CryptXXX ransomware improves security, GUI, slurps Cisco creds – Net scum have figured out that crims like meaty upgrades on a short release cycle

Though there’s no current decryptor, a check of VirusTotal suggests that detection by security products is currently pretty strong.

[Added 25th May 2016]

On May 24th 2016, the CryptXXX situation took a turn for the worse. Lawrence Abrams reported for Bleeping Computer that CryptXXX version 3.0 not only prevented Kaspersky’s RannohDecryptor from enabling victims to decrypt their files for free, but also had the (presumably unintended) effect of breaking the criminals’ own decryption key. In other words, even paying the ransom doesn’t, at the time of writing, guarantee that you’ll get a working decryptor. When a ransomware gang screws up, it doesn’t always work to the benefit of the victim.

Bleeping Computer has some resources specific to CryptXXX: CryptXXX Support & Help Topic; the CryptXXX Ransomware Help, Information Guide, and FAQ.


Proofpoint’s analysis of malware they call CryptXXX can be found here: CryptXXX: New Ransomware From the Actors Behind Reveton, Dropping Via Angler. Proofpoint observes that it has seen ‘an Angler EK into Bedep pass pushing both a ransomware payload and Dridex 222.’

Kaspersky’s RannohDecryptor, originally developed to counter the Rannoh ransomware, has been tweaked to offer decryption of CryptXXX. In order to effect the encryption, the victim must have access to the original unencrypted version of one of at least one of the encrypted files. The decryptor is also claimed to work with the malware that Kaspersky calls Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, and Trojan-Ransom.Win32.Cryakl. Unfortunately, CryptXXXversion 2.0 kills the effectiveness of that decryptor for that particular ransomware.

For Help Net Security, Zeljka Zorz reports that CryptoXXX version 2.0 bypasses Kaspersky’s decryption tool and locks the screen after it pops up its ransom message, .

  • Commentary from Proofpoint
  • Commentary from David Bisson for Graham Cluley’s blog, pointing out that the victim is forced to use a different system even if they decide to pay the ransom.

Nick Bilogorskiy for Cyphort describes how celebrity gossip site PerezHilton has been targeted by malvertising and used to deliver CryptoXXX and other malware via Angler and another exploit kit: Malvertising on Pace for a Record-Breaking Year. Commentary by Darren Pauli for The Register: Prince of pop trash PerezHilton pwned, visitors hit with cryptxxx – Some of Hollywood hack’s 500k visitors smashed with Angler, ransomware combo. And by David Bisson for Graham Cluley’s blog: Perez Hilton website visitors hit by two malvertising attacks in same week No wonder adblockers are on the rise…

[May 18th] On May 13th, Kaspersky announced that it had updated its decryption tool RannohDecryptor to work with CryptoXXX 2.0. While the decryption process can be pretty lengthy, it seems from the Kaspersky announcement that the updated version doesn’t need an unencrypted original file for reference, which presumably alleviates the size restriction issue flagged with the earlier version. As Lucian Constantin points out, however:

While it’s great that ransomware authors sometimes make mistakes that allow security researchers to help users recover their files for free, this is usually short-lived. Sooner or later the malware creators figure out their errors and fix them.

David Harley