Tag Archives: CryptoXXX

Ransomware update

I haven’t checked out Troy Hunt’s Introduction to Ransomware video for Varonis yet myself. If I can find time to, I’ll report back here. But I’d be surprised if it turned out to be useless. 🙂 It is apparently free, and you can watch three of the eight lessons before deciding whether to register.

For Help Net Security, Zeljka Zorz reports that CryptoXXX version 2.0 bypasses Kaspersky’s decryption tool and locks the screen after it pops up its ransom message.

  • Commentary from Proofpoint
  • Commentary from David Bisson for Graham Cluley’s blog, pointing out that the victim is forced to use a different system even if they decide to pay the ransom.

Nick Bilogorskiy for Cyphort describes how the celebrity gossip site PerezHilton has been targeted by malvertising and used to deliver CryptoXXX and other malware via Angler and another exploit kit: Malvertising on Pace for a Record-Breaking Year. Commentary by Darren Pauli for The Register: Prince of pop trash PerezHilton pwned, visitors hit with cryptxxx – Some of Hollywood hack’s 500k visitors smashed with Angler, ransomware combo. And by David Bisson for Graham Cluley’s blog: Perez Hilton website visitors hit by two malvertising attacks in same week. No wonder adblockers are on the rise…

Unit 42’s document Unlocking the lucrative criminal business model is a reasonable overview of the ransomware issue generally. Palo Alto’s Ryan Olson announced it here: Ransomware Is Not a “Malware Problem” – It’s a Criminal Business Model. OK, but actually most malware nowadays conforms to a business model…

Ransomware is not a static landscape, as item (2) above indicates. One of the reasons I have tried not to oversell the Specific Ransomware Families and Types is that I can’t guarantee that it’s up to date at all times, even on the limited range of ransomware it covers. In the same way, the information in the Google spreadsheet here may also become outdated, but it does seem to have a number of potential contributors to help maintain it. On the other hand, that might actually mean that it remains partial because it favours the resources with which the contributors are associated, and while I’ve seen it suggested that it covers all ransomware, that’s just wishful thinking.

Nonetheless, it could certainly be useful as a starting point when looking for information, but I’d suggest that you don’t assume that it is authoritative.

Information from Bleeping Computer on Enigma (the ransomware, not the WW2 machine): The Enigma Ransomware targets Russian Speaking Users. While it appears to try to delete Shadow Volume Copies, it seems it doesn’t always succeed: if this is the case for you, this may help.

David Harley