CryptXXX is now one of the most prevalent variants of ransomware. While the ransomware variant has previously been delivered using exploit kits such as Neutrino and Angler, Proofpoint has discovered thousands of CryptXXX spam emails in the past few days. The ransomware gang behind CryptXXX is diversifying and using different delivery mechanisms to install the malicious software on victims’ computers.
Proofpoint reports a 96% decline in exploit traffic between April and June, which has been attributed to the disappearance of the Angler exploit kit. Angler activity was noted to be in steep decline since April, falling to virtually zero by May 22. By June 7, Angler had disappeared. CryptXXX was moved to the Neutrino EK, although Neutrino EK activity has also fallen dramatically.
The fall in EK activity has seen ransomware gangs turn to spam email to deliver the ransomware. Proofpoint noticed thousands of CryptXXX spam emails had been sent on July 14. The ransomware was not attached to the messages, but was downloaded to victims’ computers if the email recipients opened a malicious attachment.
As we have seen with other forms of malware and ransomware this year – Locky and Cerber ransomware for instance – attackers are favouring malicious Word macros to deliver their malicious payload. If macros are set to run automatically, simply opening the malicious Word document contained in the CryptXXX spam emails will see the user’s device infected.
If macros have been disabled, the user will be required to enable the macros before the ransomware is downloaded. When the document is opened, the user is told that the document has been created in a newer version of Microsoft Office and the contents of the document will only be displayed if macros are enabled. Enabling macros will all but guarantee infection.
Identifying CryptXXX Spam Emails
Proofpoint says the CryptXXX spam emails contain the subject line “Security Breach – Security Report” followed by a random number. The attached Word documents in the spam emails identified by Proofpoint were called “info12.doc” or “i_nf012.doc.” Proofpoint noted that several thousand emails were sent which suggests this was a test run only. Ransomware campaigns using spam email are often sent in the millions.
Since the subject lines, sender information, attachment names, and message content can vary, identifying CryptXXX spam emails can be difficult. As a precaution against infection, system administrators should ensure that all employees are made aware of the risk of malicious macros, and if possible, macros should be disabled on all computers unless their use is strictly necessary.
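The indicators above (the "Security Breach – Security Report" subject followed by a number, and the reported attachment names) can be turned into a simple mail triage check. The following is an added example, not Proofpoint's or the article's own code; the sample messages are constructed, the scoring thresholds are the author's assumption, and because the article warns that these indicators vary, the check also flags any macro-capable Office attachment rather than relying on the reported names alone.

```python
import re
from email import message_from_string
from email.message import Message

# Indicators reported in the article for the July 2016 CryptXXX spam run.
# They are scored, not treated as a hard rule, because the article notes
# that subjects, senders and attachment names vary between runs.
SUBJECT_RE = re.compile(r"^\s*Security Breach\s*[-\u2013]\s*Security Report\s*\d+\s*$", re.I)
KNOWN_ATTACHMENTS = {"info12.doc", "i_nf012.doc"}
# Word/Excel formats that can carry VBA macros (generic, not from the article).
MACRO_CAPABLE = re.compile(r"\.(docm?|dotm?|xlsm?|xlam)$", re.I)

def attachment_names(msg: Message) -> list[str]:
    """Collect filenames of all MIME parts that carry one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def triage(raw: str) -> dict:
    """Return a verdict and the reasons for one RFC 822 message (assumed thresholds)."""
    msg = message_from_string(raw)
    names = attachment_names(msg)
    reasons = []
    if SUBJECT_RE.match(msg.get("Subject", "")):
        reasons.append("subject matches reported CryptXXX lure")
    for n in names:
        if n.lower() in KNOWN_ATTACHMENTS:
            reasons.append(f"attachment name {n!r} reported in campaign")
        elif MACRO_CAPABLE.search(n):
            reasons.append(f"macro-capable Office attachment {n!r}")
    # Two or more hits: quarantine; one hit: send for analyst review.
    verdict = "quarantine" if len(reasons) >= 2 else "review" if reasons else "pass"
    return {"verdict": verdict, "reasons": reasons, "attachments": names}

# Constructed sample messages for demonstration (not real captures).
LURE = "\n".join([
    "From: reports@example.invalid",
    "Subject: Security Breach - Security Report 48213",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"', "",
    "--b1", "Content-Type: text/plain", "", "See attached report.",
    "--b1", 'Content-Type: application/msword; name="i_nf012.doc"',
    'Content-Disposition: attachment; filename="i_nf012.doc"', "",
    "0M8R4KGxGuEAAAAAAAAA", "--b1--", ""])
BENIGN = "From: hr@example.invalid\nSubject: Lunch menu\nContent-Type: text/plain\n\nPizza.\n"

if __name__ == "__main__":
    for sample in (LURE, BENIGN):
        print(triage(sample))
```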
A robust spam filtering solution can be used to trap the majority of spam emails to reduce reliance on end users having to identify malicious spam email messages.