CryptXXX Ransomware Delivered via Cloud File Sharing Applications

By on Aug 23, 2016

Malware and ransomware are increasingly in the news for wreaking havoc on companies of all sizes. According to Kaspersky Labs, the number of ransomware attacks increased 500% in 2016. And while ransomware initially targeted home users, there are now more strains and variants that hit corporate targets. In fact the percentage of people attacked with ransomware that were corporate, versus home, users more than doubled from 2014–2015 to 2015–2016, from 6.8% to 13.13%. This has caused enterprises to adopt solutions to address threats from malware and ransomware, especially in the face of massive cloud adoption by employees.

Enterprises are increasingly turning to Cloud Access Security Brokers (CASBs) to address cloud related threats, including malware. McAfee’s CASB threat protection capability scans customer cloud deployments for malware and ransomware infections. Recently, during a scan of a customer’s sanctioned cloud file sharing deployment, McAfee MVISION Cloud (formerly Skyhigh Networks) found multiple files infected by malware. Further research by malware analysts from McAfee Labs led to the identification of one of the files as a new variant of the CryptXXX ransomware that bypassed both native CSP and endpoint malware scans.

CryptXXX Timeline

The occurrence of the CryptXXX malware was first discovered earlier this year in April by Proofpoint researchers. This malware was being distributed primarily via Office documents that contained malicious macros, which were designed to download and install CryptXXX if the user interacted with them. Once it is downloaded into the endpoint, the ransomware scans the drive for targeted file types (40 file formats), encrypts these files, and appends a .crypt extension to them. The ransomware also steals any bitcoin on the user’s machine. Then, the attackers demand $500 per encrypted machine.

The presence of this malware on a cloud file sharing service amplifies its impact as it encrypts files on the local file sharing folders and these are synced to other users who are collaborators with the user who is infected by the ransomware.

How it Works

When a system is infected with CryptXXX ransomware, it shows the following indicators.

  1. Sets a page of memory to EXECUTE
  2. Sets suspicious registry value (1)
    1. \REGISTRY\USER\S-1-5-21-816955493-887784245-1659347409-1001\Software\Microsoft\Windows\CurrentVersion\Run\”winword016″
  3. Adds a program to autorun (1)
    1. C:\Users\John\AppData\Roaming\winword016.exe
  4. Retrieves the running OS version
  5. Creates a new named-mutex (1)
    1. SRAA1

The ransomware looks for files with selected extensions for encryption. The image below shows the list of file extensions it will encrypt using RSA keys.



Once the files are encrypted, CryptXXX will show the following ransom message:



This ransomware uses vssadmin to delete shadow copies of the file system in order to prevent the recovery of files from previous backups.



In order to maintain persistence across reboots, this malware creates multiple run entries.


Ransomware Detection and Remediation

McAfee recently detected a new variant of CryptXXX, by scanning data within the customers’ cloud file sync and share deployment and applying multi-stage malware detection and analysis. After connecting via API to the cloud service, McAfee performed a malware scan that leveraged multi-stage threat detection powered by machine learning and behavioral analysis, reputation and feed analysis, and static and payload analysis. The solution adapts to evolving malware and new threat techniques, including evasion tactics. In addition, the inspection environment contains an adaptive array of sandboxes that ensures that highly evasive malware (CryptXXX malware is an example as it checks CPU name in the Registry and installs a hook procedure to monitor for mouse events) displays its behavior and true intent for effective detection, which is why it identified malware that signature-based cloud provider and endpoint malware detection missed. Upon detecting malicious files in the customer’s cloud deployment, McAfee immediately quarantined the files to minimize impact.

Cloud Access Security Brokers (CASBs) are increasingly used by enterprises to secure their cloud deployment by providing visibility into cloud usage, enforcing compliance policies, detecting threats, and securing data using encryption and contextual access controls. McAfee’s CASB provides multiple ways for enterprises to protect themselves from zero-day malware and ransomware infections.

  • Scan sanctioned cloud deployments: Many malware files can reside in cloud file sharing services and pose a risk to companies when they are downloaded/synced and activated in corporate systems. CASB solutions can be used to scan file sharing deployments for instances of malware so that timely remediation measures can be implemented.
  • Enforce device-based controls: Many malware files can get uploaded to corporate cloud service deployments from personal devices that do not have endpoint protection. CASBs can be used to enforce device based access controls where employees accessing data from their personal devices are either blocked or limited to read-only access.
  • Block risky cloud services: CASBs provide visibility into enterprise cloud usage along with the risk associated with each cloud services. IT teams can restrict access to risky cloud services that could potentially be housing malware that could be downloaded into corporate systems.

About the Author

McAfee Cloud BU

Learn about cloud threats, the latest cloud security technologies, and the leading approaches for protecting data in cloud services.

Read more posts from McAfee Cloud BU

Categories: Cloud Security

Subscribe to McAfee Securing Tomorrow Blogs