A new version of the CryptXXX Ransomware was discovered by Brad Duncan that includes changes to encrypted file names, uses modified ransom note names, a new template, and a new TOR payment site description. With this release, the ransom notes are now named README.html, README.bmp, and README.txt.
To make it more difficult for administrators, this release no longer uses special extensions for encrypted files. Now an encrypted file will retain the same filename that it had before it was encrypted.
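Because encrypted files keep their names, triage cannot search for a telltale extension. The following added example (not from the original article) looks instead for directories that contain all three ransom note names listed above and, within them, files whose leading bytes no longer match the signature their extension implies. The signature table, function names and sample tree are assumptions made for illustration, as is the premise that encryption overwrites the file header.

```python
import os
import tempfile

# Ransom note names this page reports for the new CryptXXX release.
NOTE_NAMES = {"readme.html", "readme.bmp", "readme.txt"}
# Assumption: a few well-known file signatures, chosen for illustration.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
         ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04"}

def header_mismatch(path):
    """True when a file with a known extension lacks its expected signature."""
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    if magic is None:
        return False
    try:
        with open(path, "rb") as fh:
            return fh.read(len(magic)) != magic
    except OSError:
        return False  # unreadable files are skipped, not flagged

def scan(root):
    """Map each directory holding all three notes to its mismatched files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if NOTE_NAMES <= {f.lower() for f in files}:
            findings[dirpath] = sorted(
                f for f in files
                if header_mismatch(os.path.join(dirpath, f)))
    return findings

def demo():
    """Scan a constructed sample tree; keys are paths relative to its root."""
    sample = {  # constructed data, not real ransomware output
        "clean/README.txt": b"project notes",
        "clean/report.pdf": b"%PDF-1.4 intact",
        "hit/README.html": b"<html>note</html>",
        "hit/README.bmp": b"BM",
        "hit/README.txt": b"note",
        "hit/report.pdf": b"\x8f\x13\xa7\x02 stand-in for ciphertext",
        "hit/photo.jpg": b"\xff\xd8\xff\xe0 intact",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return {os.path.relpath(d, root): s for d, s in scan(root).items()}

if __name__ == "__main__":
    print(demo())
```

Requiring all three note names together keeps an ordinary lone README.txt, as in the `clean` directory of the sample, from raising a finding.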
There have also been some changes to the TOR payment site used by CryptXXX. In the past, CryptXXX had named its payment site using different names such as Google Decryptor and Ultra Decryptor. Now, the devs have changed the TOR site so that it is named Microsoft Decryptor. This version also does not include a method of contacting the ransomware devs if a victim has payment problems.
If anything new is discovered, I will be sure to post it here. For now, if anyone wishes to discuss this ransomware or receive support, you can use the CryptXXX Support & Help Topic.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held cyber security researcher positions within a variety of cyber security start-ups. She also has experience in different industry domains like finance, healthcare and consumer products.