Like us, cybercriminals enjoy the festive season and that can sometimes reflect in their malicious activities. In 2011 we saw a Zeus banking trojan Panel - a user interface for herding Zeus-infected machines - with a Christmas-themed background. This time Forcepoint Security Labs™ has noticed that the CryptXXX gang have started to offer Christmas discounts to victims who intend to pay ransom.
Also known as UltraCrypter, CryptXXX is one of the active ransomware families currently in the wild. Last June we reported CryptXXX as a malware payload originating from a compromised anime site that silently redirected to the Neutrino Exploit Kit. Upon infecting a system CryptXXX displays multiple ransom notes, such as the following:
As we reported previously CryptXXX asks for a ransom payment of 1.2 Bitcoin (BTC) from the victims. New victims, however, are currently offered a Christmas discount through a pop-up window upon visiting one of the Tor-based payment sites. The pop-up advertises a reduced 0.5 BTC ransom price, which is roughly 395 USD at the current exchange rate.
Upon closing the pop-up the standard payment page is then displayed where the victim can pay the discounted amount.
Forcepoint customers are protected against this threat via TRITON® ACE at the following stages of attack:
Stage 4 (Exploit Kit) - Exploit Kit landing pages that may install CryptXXX are detected and blocked.
Stage 5 (Dropper File) - CryptXXX binaries are prevented from being downloaded to the target machine.
While paying a discounted ransom amount may be tempting, it is important to keep in mind that paying ransom has the adverse effect of motivating cyber criminals to continue such malicious activities. Alternatively we can reduce the chances of being a ransomware victim through regular file backups and online security awareness.
For more information regarding ransomware threats and how to prevent them, you can refer to our previous post, Ransomware: what organizations need to know & how to avoid it.