Irvine, CA – Most of my recent blogs are about ransomware. That is because ransomware is the most prevalent cyber threat today facing individuals, small and large businesses, governments and not-for-profits. No one is safe from this scourge.

Today I must tell you about a new one. Like Jigsaw, this new one called CryptXXX, is a game changer. Jigsaw was different from prior strains in that it immediately starts to delete your files just to show you that it means business. CryptXXX is different in that it introduces two new problems other than encrypting all your files and then demanding payment. Up until now ransomware has not actually breached your system and exfiltrated data. Sure you had a security incident, but it was not identified as a breach in the classic sense. Now with CryptXXX not only is your data held hostage, but now the culprits steal two new things from you. CryptXXX steals login names and passwords which puts all your systems, local and in the cloud, and any websites you frequent at risk. CryptXXX also steals your Bitcoins if you have any. The stealing of the Bitcoins is a particular insult because the perpetrators then ask you to pay their ransom in Bitcoin in order to decrypt all your files… but they now have your Bitcoins so you will need to buy some more. Ugh!

Remember, if you are hit by CryptXXX it is different than other ransomware. You have been breached and you did lose data, passwords, etc. Take appropriate action to change all your passwords, everywhere!

CryptXXX also has an encryption delay. Some think this is to make it harder for you to know where, when and how you got infected. This may be true, but it also provides the added benefit of perhaps timing the start of the encryption to happen “after-hours” when you have left your workplace or gone to sleep. Now the encryption process can run unfettered and undetected until it has completed its nefarious deed. When you go back to your computer in the morning it is all encrypted.

However not all is completely lost with CryptXXX. If you get this ransomware you can bet your Bitcoins are gone and passwords are compromised, but at least at this time it can be decrypted without paying the ransomware. That is very unusual for the more recent forms of ransomware so you might be in luck.

First a short bit of history, CryptXXX was discovered by the folks at Proofpoint. They are the people supplying the underpinnings of our Mailworx e-mail spam filtering and e-mail virus detection service. Then the anti-virus team at Kaspersky Labs went to work to see if they could decrypt it and they did in early May. But by May 6th the bad guys behind CryptXXX did the predictable and they changed their code and now the original decryptor no longer works. But again the guys at Kaspersky were on their game and they came up with a new decryptor. As you can tell this is a constant cat-and-mouse game. You can’t count on a decryption tool being available. In fact, most of the recent ransomwares have not been decryptable without paying the ransom.

Remember, if you are hit by CryptXXX it is different than other ransomware. You have been breached and you did lose data, passwords, etc. Take appropriate action to change all your passwords, everywhere!

So how do you protect yourself? Start by making sure you have rock solid back-ups that are not part of shared drives on your system. Make sure you educate your end-users so they are aware of the threats.

If you want to go to the Kaspersky Labs site to get the decryption tool you can Get the Decryptor HERE.

If you have gotten ransomware and recovered from backup or paid the ransom to get in the clear, you are not in the clear. Whatever weakness you had to get it the first time still exists. You need to assess and remediate your vulnerabilities to ransomware. Go to this article on ransomware. It has many good links to other resources to help protect your system. Pay particular attention to the P-D-R strategy as it presents one of the most comprehensive approaches to protection from ransomware.

We do assessments of your risk to ransomware and other security breaches. If you need us to take a look and make recommendations reach out to us at the contact info below.

Call or write me if you have questions, Oli Thordarson – 949 428-5000, x213 or toli@alvaka.net.

If you want to go to the Kaspersky Labs site to get the decryption tool you can Get the Decryptor HERE.