Last month, Kaspersky released a tool intended to help users targeted by the CryptXXX ransomware regain access to their systems without paying a bounty to the culprits. Now, researchers at Proof Point have identified a new version of the malware that can sidestep the company’s RannohDecrypter utility.
RannohDecrypter was originally developed to help users targeted by the Rannoh Trojan, but was later expanded to tackle CryptXXX as well. In response to this, the authors of CryptXXX have made some adjustments to the way their weapon targets systems to extort their owners.
Version 2.006 of CryptXXX locks down the targeted system completely, which was initially interpreted by Proof Point as a “quick and dirty” means of preventing the use of RannohDecrypter. However, there’s another more sophisticated strategy at play that removes Kaspersky’s tool from the equation.
CryptXXX now causes an error message to read, “encrypted file size does not equal to original” when the user attempts to employ RannohDecrypter. It’s thought that the malware is using the zlib data compression library as a means of counteracting the utility.
This development illustrates the cat-and-mouse game of modern security research. Research teams and malware developers are continually trying to stay one step ahead of the competition, which often boils down to studying the last move made by their opponent.
The advice on how to stay safe remains the same; keep your security software up to date, and avoid clicking any suspicious links, or opening unsolicited email attachments.
