The new version of the CryptXXX ransomware is spreading primarily through spam, said Caleb Fenton, senior security researcher at SentinelOne, in a technical description of the find posted Monday.
CryptXXX has been a fast-moving target for researchers, considered by some to be the “hot new kid on the block” when it comes to ransomware – even nipping at the heels of the notorious Locky ransomware in infection rates and distribution. In May cybercriminals released an updated CryptXXX 3.100 version of the ransomware that includes a new StillerX credential-stealing module, which gives attackers additional ways to monetize an attack.
Now, SentinelOne reports, cybercriminals have updated CryptXXX again, tweaking the encryption engine further so that unspecified free decryption tools no longer work. According to a Kaspersky Lab support page, the RannohDecryptor utility worked on numerous updated versions of the CryptXXX ransomware. However, in late May, with the 3.100 release of CryptXXX, RannohDecryptor could no longer decrypt files from that version, though it remains effective against earlier versions of the ransomware.
The Seychelles-based VPN provider Proxy.sh has withdrawn an exit node from its warrant canary—a statement certifying that "to the date of publication, no warrants, searches, or seizures that have not been reported in our Transparency Report, have actually taken place."
The blog post in question simply states: "We would like to inform our users that we do not wish any longer to mention France 8 (220.127.116.11) in our warrant canary until further notice." The statement implies that the France 8 node has been subject to a warrant, but that a gag order forbids Proxy.sh from revealing that fact directly. It is not clear who served the warrant, and for obvious reasons, Proxy.sh is unable to say.
However, the TorrentFreak site obtained the following comment from Proxy.sh: "We recommend our users to no longer connect to it. We are striving to do whatever it takes to include that node into our warrant canary again."
Proxy.sh went on to say: "The warrant canary has been particularly designed to make sure we could still move without being legally able to answer questions in a more detailed manner. We are happy to see it put to use after all and that our users are made aware of it."
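A defender-side check of the mechanism described above, as an added example that is not Proxy.sh's or TorrentFreak's code: it parses two snapshots of a plain-text canary (constructed samples, in an assumed "name (ip)" per-node format) and reports which nodes were withdrawn between them, and whether the canary has gone stale, since a canary that simply stops being refreshed is also a signal.

```python
import re
from datetime import date, timedelta

# Constructed sample canaries (not Proxy.sh's real text). Each lists the
# nodes the provider certifies as untouched, one per line as "name (ip)".
CANARY_JUNE_1 = """\
Canary date: 2016-06-01
To the date of publication, no warrants, searches, or seizures that have
not been reported in our Transparency Report have taken place on:
France 7 (203.0.113.7)
France 8 (220.127.116.11)
Netherlands 1 (203.0.113.21)
"""

CANARY_JUNE_22 = """\
Canary date: 2016-06-22
To the date of publication, no warrants, searches, or seizures that have
not been reported in our Transparency Report have taken place on:
France 7 (203.0.113.7)
Netherlands 1 (203.0.113.21)
"""

DATE_RE = re.compile(r"^Canary date:\s*(\d{4}-\d{2}-\d{2})\s*$", re.M)
NODE_RE = re.compile(
    r"^(?P<name>[A-Za-z][A-Za-z ]*\d+) \((?P<ip>(?:\d{1,3}\.){3}\d{1,3})\)\s*$", re.M
)


def parse_canary(text):
    """Return (publication date, {node name: ip}) from a canary statement."""
    m = DATE_RE.search(text)
    if m is None:
        raise ValueError("canary has no publication date")
    published = date.fromisoformat(m.group(1))
    nodes = {n.group("name"): n.group("ip") for n in NODE_RE.finditer(text)}
    return published, nodes


def canary_changes(previous, current, today_iso, max_age_days=30):
    """Compare two canary texts; a node that disappears is the signal.

    Also flags staleness: a gagged provider may stop refreshing the canary
    instead of editing it, so an old publication date deserves attention.
    """
    _, old_nodes = parse_canary(previous)
    published, new_nodes = parse_canary(current)
    age = date.fromisoformat(today_iso) - published
    return {
        "withdrawn": {n: ip for n, ip in old_nodes.items() if n not in new_nodes},
        "added": {n: ip for n, ip in new_nodes.items() if n not in old_nodes},
        "stale": age > timedelta(days=max_age_days),
    }
```

Run against a live canary, the same comparison would be made between the last archived copy and the freshly fetched one, after verifying the provider's signature on the text.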
Ransomware behavior has been the talk of the town. We have seen oddly long ransom payment deadlines from GOOPIC, password stealing capabilities from RAA, chat support from the latest JIGSAW variant, and all these are just incidents discovered this June. But among these new behaviors, we came across a unique behavior in MIRCOP crypto-ransomware.
Detected as RANSOM_MIRCOP.A, MIRCOP places the blame on users and does not give victims instructions on how to pay the ransom. In fact, it assumes that victims already know how to pay them back.
The emphasis on paying them back implies that the victims already know whom to send the ransom to. The whole note, which displays a hooded figure in a Guy Fawkes mask, suggests that victims may have “stolen” from a notorious hacktivist group and threatens further action if the victims are unable to pay.
MIRCOP demands that users pay a ransom of 48.48 bitcoins (US$ 28,730.70 as of June 23, 2016), which is among the highest demands we have seen. At the end of the note, the author leaves a bitcoin address. Unlike other ransomware notes, where victims are instructed step-by-step on how to make the payment, MIRCOP assumes that the victim is familiar with making bitcoin transactions. We checked the address and, as of this writing, no payments have yet been made.
* Possibility to brute force promo codes in riders.uber.com
* Possibility to get private email using UUID
* Enumerating UserIDs with phone numbers
* Use Partner/Driver App Without Being Activated
* Possible to View Driver Waybill via Driver UUID
* Information regarding trips from other users