Cisco's Research & Efficacy Team has developed a proof of concept in C that will decrypt a test file encrypted by CryptXXX v2.006. Decryption is possible due to an insecure seed used by the PRNG referenced from the key generation algorithm. Please view the accompanying blog post for more details here: CryptXXX Technical Deep Dive
CryptXXX Technical Deep Dive
CryptXXX is an emerging Ransomware threat that continues to evolve over time as the malware developers enhance and correct their malicious tools. In this blog post, the Advanced Threat's Research & Efficacy team explain how to analyze multiple versions of CryptXXX and how it performs the encryption of files. The blog post then demonstrates how the developers of the CryptXXX malware introduced cryptographic mistakes in the earlier versions, and how these errors can be exploited so encrypted files can be easily decrypted. At the end, we discuss changes made by the Ransomware authors to fix these issues in more recent versions of the threat, which now makes decryption of affected files very difficult.
About the Advanced Threat Research and Efficacy Team
This elite group of security malware specialists and reverse engineers are tasked with the challenge of ensuring that the Cisco security solutions can detect, and defeat advanced malware and APTs. To achieve this goal, this team studies the techniques and tools used by malware developers. The output of this work is shown in a variety of ways, ranging from enhancing the detection capabilities of the Cisco security portfolio, to advanced malware research reports, to tools that help the incident response and security operations personnel understand the inner workings of today’s, and tomorrow’s, advanced malware threats.