Toy maker Maisto’s website pushed growing CryptXXX ransomware threat

For now, there's a decryption tool that can help CryptXXX victims

Attackers are aggressively pushing a new file-encrypting ransomware program called CryptXXX by compromising websites, the latest victim being U.S. toy maker Maisto. Fortunately, there's a tool that can help users decrypt CryptXXX affected files for free.

Security researchers from Malwarebytes reported Thursday that maisto.com was infected with malicious JavaScript that loaded the Angler exploit kit. This is a Web-based attack tool that installs malware on users' computers by exploiting vulnerabilities in their browser plug-ins.

If the attack successfully exploits a browser vulnerability, it then installs a malware dropper called Bedep, which in turn installs the CryptXXX ransomware.

CryptXXX was first discovered last week by researchers from Proofpoint. In addition to encrypting user files on local drives and network shares, the malware also acts like an information-stealing Trojan. It steals saved log-in credentials from browsers, instant messaging applications, FTP clients and email clients.

It also steals bitcoins from local wallets, a double hit to victims, because it then asks for the equivalent of $500 in bitcoins in order to decrypt their files.

Maisto.com is not the only recently compromised website that has been used to distribute CryptXXX. Researchers from Palo Alto Networks have observed a large attack campaign using the Angler-Bedep-CryptXXX combo since mid April.

The attackers behind that campaign had previously used the Nuclear exploit kit to deliver Locky, a different ransomware program.

"CryptXXX is now the default ransomware deployed in at least two major exploit kit campaigns and should be considered a growing cybersecurity threat," the Palo Alto researchers said in a blog post.

The good news is that the current version of CryptXXX seems to have a weakness in its encryption implementation. Researchers from antivirus firm Kaspersky Lab recently updated their ransomware decryption tool to add support for CryptXXX affected files.

While that tool works for now, it's likely that the malware's creators will eventually figure out their error and fix it. Therefore, users should focus on prevention rather than remediation.

They should keep all of their software programs, and especially browser plug-ins like Java, Flash Player and Silverlight, up to date. They should also regularly back up their files to an external location that's not always accessible from the computer. Locally mapped network shares are not a good idea, because ransomware programs target those too.

Join the CSO newsletter!

Error: Please check your email address.

More about KasperskyMalwarebytesPalo Alto NetworksProofpoint

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place