Also known as UltraCrypter, CryptXXX is one of the active ransomware families currently in the wild. Last June we reported CryptXXX as a malware payload originating from a compromised anime site that silently redirected to the Neutrino Exploit Kit. Upon infecting a system CryptXXX displays multiple ransom notes, such as the following:

As we reported previously CryptXXX asks for a ransom payment of 1.2 Bitcoin (BTC) from the victims. New victims, however, are currently offered a Christmas discount through a pop-up window upon visiting one of the Tor-based payment sites. The pop-up advertises a reduced 0.5 BTC ransom price, which is roughly 395 USD at the current exchange rate.

Upon closing the pop-up the standard payment page is then displayed where the victim can pay the discounted amount.

Protection statement

Forcepoint customers are protected against this threat via TRITON® ACE at the following stages of attack:

Stage 4 (Exploit Kit) - Exploit Kit landing pages that may install CryptXXX are detected and blocked.

Stage 5 (Dropper File) - CryptXXX binaries are prevented from being downloaded to the target machine.

Conclusion

While paying a discounted ransom amount may be tempting, it is important to keep in mind that paying ransom has the adverse effect of motivating cyber criminals to continue such malicious activities. Alternatively we can reduce the chances of being a ransomware victim through regular file backups and online security awareness.

For more information regarding ransomware threats and how to prevent them, you can refer to our previous post, Ransomware: what organizations need to know & how to avoid it.