For the past month, people infected with the CryptXXX ransomware had a way to recover their files without paying the hefty $500 fee to obtain the decryption key. On Tuesday, that reprieve came to an end.
Researchers from security firm Proofpoint said in a blog post that version 2.006 has found a way to bypass a decryption tool that has been freely available for weeks. The tool was provided by Kaspersky Lab and was the result of flaws in the way CryptXXX worked.
The crypto ransomware update effectively renders the Kaspersky tool useless, Proofpoint said. It did this with the use of zlib, a software library used for data compression. The new version also makes it harder to use the Kaspersky tool by locking the screen of an infected computer and making it unusable until the ransom is paid.
“With the introduction of version 2.006, CryptXXX authors have, for now, rendered the existing free decryption tool ineffective,” Proofpoint researchers wrote. “While new decryption tools may emerge, CryptXXX’s active development and rapid evolution suggest that this new ransomware will continue to compete strongly in malware ecosystems.”
CryptXXX is largely being delivered through Angler, a notorious exploit kit that’s used to deliver attacks over infected websites or through malicious ads. As always, people should protect themselves against the threat by installing security updates as soon as they’re available and being highly suspicious of e-mail attachments, particularly if they involve Microsoft Office macros.