{"id":19445,"date":"2016-07-22T11:13:42","date_gmt":"2016-07-22T17:13:42","guid":{"rendered":"https://www.webroot.com/blog/?p=19445"},"modified":"2018-01-30T11:56:52","modified_gmt":"2018-01-30T18:56:52","slug":"cryptxxx-utilizes-new-exploit-kit","status":"publish","type":"post","link":"https://www.webroot.com/blog/2016\/07\/22\/cryptxxx-utilizes-new-exploit-kit\/","title":{"rendered":"CryptXXX now looking to Neutrino for exploit support"},"content":{"rendered":"<p>When it comes to drive-by attacks, CryptXXX is king. In fact, out of all the exploit kits dropping payloads on\u00a0victims, 80% result in CryptXXX. The creators attacked vulnerabilities in Flash Player, Java and Silverlight by\u00a0using the Angler exploit kit, with malvertising helping boost their success. The malware authors were able to generate $3 Million per month almost exclusively from ransomware.<\/p>\n<p>But\u00a0how exactly does malvertising work? In a nutshell, cyber criminals submit booby-trapped advertisements to ad networks for a real-time bidding process. Malicious ads then rotate in with normal ads on legitimate, highly reputable sites. Users then visit these sites and click on an infected ad. An invisible iframe injection then redirects the user to the exploit landing page, where a payload is dropped. Here&#8217;s an example:<\/p>\n<p><a href=\"\/blog\/wp-content\/uploads\/2016\/07\/Picture1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-19447\" src=\"\/blog\/wp-content\/uploads\/2016\/07\/Picture1.png\" alt=\"Picture1\" width=\"1236\" height=\"499\" srcset=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2016\/07\/Picture1.png 1236w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2016\/07\/Picture1-768x310.png 768w\" sizes=\"(max-width: 1236px) 100vw, 1236px\" \/><\/a><\/p>\n<p>Since\u00a0Angler was shut down earlier last month,\u00a0CryptXXX was presumed to also die with it. 
However, it&#8217;s taken on new life with the Neutrino exploit kit, and can now launch exploits from platforms like WordPress. Here&#8217;s how this looks:<\/p>\n<p><a href=\"\/blog\/wp-content\/uploads\/2016\/07\/Picture2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-19449\" src=\"\/blog\/wp-content\/uploads\/2016\/07\/Picture2.png\" alt=\"Picture2\" width=\"1190\" height=\"536\" srcset=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2016\/07\/Picture2.png 1190w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2016\/07\/Picture2-768x345.png 768w\" sizes=\"(max-width: 1190px) 100vw, 1190px\" \/><\/a><\/p>\n<p>Once a user is unlucky enough to click an infected ad, a ransomware payload is dropped and they become the victim. Here are\u00a0the instructions presented to victims; pictured\u00a0below, they appear in\u00a0the form of a desktop background:<\/p>\n<p><a href=\"\/blog\/wp-content\/uploads\/2016\/07\/desktop.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-19451\" src=\"\/blog\/wp-content\/uploads\/2016\/07\/desktop.png\" alt=\"desktop\" width=\"961\" height=\"491\" srcset=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2016\/07\/desktop.png 961w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2016\/07\/desktop-768x392.png 768w\" sizes=\"(max-width: 961px) 100vw, 961px\" \/><\/a><\/p>\n<p>Once a user&#8217;s files are encrypted, the steps are the same as for most ransomware &#8211; install the Tor browser, then pay the ransom in bitcoins. This variant specifically <em>only<\/em>\u00a0asks for 1.2 bitcoins ($800), which is the most &#8216;mild&#8217; demand of recent ransomware variants, but the amount\u00a0will double after 5 days if the ransom isn&#8217;t paid. 
It is worth noting that other sites have offered free decryptors for this malware, but they seldom last longer than a few days before the malware authors change it up yet again.<\/p>\n<p>Webroot will catch this specific variant in real time before any encryption takes place. We\u2019re always on the lookout for new and updated ransomware threats, but just in case of new zero-day variants, remember that with encrypting ransomware, the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware, you can simply restore your files, since we keep a snapshot history of up to ten previous copies of each file. Please see our <a href=\"https:\/\/community.webroot.com\/t5\/Webroot-Education\/Best-practices-for-securing-your-environment-against\/ta-p\/191172\">community post<\/a> on best practices for securing your environment against encrypting ransomware.<\/p>\n<p>MD5s analyzed:<\/p>\n<p>75EF6891AE7214AD17679CB88DC3B795<\/p>\n<p>7BB58C27B807D0DE43DE40178CA30154<\/p>\n<p>05825F3C10CE814CE5ED4AE8A74E91A2<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When it comes to drive-by attacks, CryptXXX is king. In fact, out of all the exploit kits dropping payloads on\u00a0victims, 80% result in CryptXXX. The creators attacked vulnerabilities in Flash Player, Java and Silverlight by\u00a0using the Angler exploit kit, with malvertising helping boost their success. 
The malware authors were able to generate $3 Million [&hellip;]<\/p>\n","protected":false},"author":21,"featured_media":17600,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[4051,4429,19837,4671,19821,5443,5435,4905,4911,3483,3487,19835,6519,3477,4661,3937,3471,5439,3989,3525],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/19445"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/21"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=19445"}],"version-history":[{"count":5,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/19445\/revisions"}],"predecessor-version":[{"id":19473,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/19445\/revisions\/19473"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17600"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=19445"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=19445"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=19445"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=19445"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}