Net scum behind the ransomware upstart CryptXXX have parried white hat attacks and released a new and as-yet-uncracked malware variant that can encrypt network shares, and steal account logins.

The changes CryptXXX, already the most widely-used ransomware, the most dangerous such tool.

The modular malware menace uses StillerX to plunder account credentials from a host of software including Cisco VPNs, Microsoft Credential Manager, and online poker platforms.

Browser data including history, cookies, and stored credentials are hoovered up along with email, instant messaging, and remote administration software logins.

This update will only solidify CryptXXX's dominant position in the ransomware market.

"CryptXXX has become quite widespread, especially with a number of TeslaCrypt actors shifting operations to CryptXXX recently," Proofpoint malware wonks say, adding that "… this new version of CryptXXX was capable of finding shared resources on the network, enumerating files in every shared directory, and encrypting them one by one.

"The actors behind CryptXXX have continued to rapidly refine the ransomware with updates to encryption, scanning for network shares, cosmetic updates, and updates to lock screen behaviour."

Kaspersky busted the last CryptXXX variant releasing a decryption tool to help victims rescue their files for free.

That effort was thanks to then similarities between the malware and a cracked Rannoh ransomware.

Decryption efforts are a double-edge sword in that it liberates victims but also allows determined VXers to release an updated variant that can no longer be broken.

The credential-stealing module is new turf for ransomware scum, and breaks the professional business model where those who pay are handed their keys and no longer compromised.

To that end while conjecture it may backfire and be sufficient to persuade some victims to not pay the net crims. ®