
Popular toy maker's site involved in distributing .crypt ransomware

Sunday 22 May 2016, 9:52PM

By Primo V.


The malefactors behind the CryptXXX ransomware strain recently ventured into exploiting the official website of Maisto, a popular manufacturer of die-cast toy vehicles. The crooks managed to compromise the site’s homepage by exploiting an unpatched edition of the Joomla CMS. A script covertly injected into the site redirected all visitors to a landing page of Angler, one of the most widespread exploit kits at the time.

Angler EK’s objective in this incident was to exploit software vulnerabilities on unsuspecting users’ computers and thus serve Bedep, a nasty piece of malicious code tasked with delivering other infections in a highly surreptitious fashion. The Bedep plague, in its turn, distributes the CryptXXX ransomware along with click-fraud malware. This entire chain of events takes place without the victim noticing anything. The stealth is powered by sophisticated antivirus evasion techniques in the scoundrels’ arsenal.

CryptXXX looks for common file types on the infected machine as well as on network shares. Once the malady finds data that meets its extension-based criteria, it encrypts every object with a mix of the RSA and AES cryptosystems. The mutilated filenames get the .crypt string appended to the original extension. The ransom notes, named de_crypt_readme.html (.txt, .bmp), tell the victim to pay the equivalent of 500 USD in Bitcoin, about 1.24 BTC, in exchange for the private key and the decryptor tool. Unless the payment is submitted within 96 hours, the ransom doubles.
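The two file-system artefacts described above (the .crypt suffix appended to the original extension and the de_crypt_readme.* notes) are what an administrator would look for when checking a file server after an incident like this. The following is an added detection example, not code from the article or from any decryptor; the directory listing is constructed, and the rule that an encrypted file must still carry its original extension is an assumption drawn from the article's description.

```python
import os
from pathlib import PurePosixPath

# Indicators from the article: encrypted files keep their original
# extension with ".crypt" appended; ransom notes are de_crypt_readme.{html,txt,bmp}.
ENCRYPTED_SUFFIX = ".crypt"
RANSOM_NOTE_STEM = "de_crypt_readme"
RANSOM_NOTE_EXTS = {".html", ".txt", ".bmp"}


def classify_path(path):
    """Return 'encrypted', 'note' or None for one file path."""
    name = PurePosixPath(path).name.lower()
    # e.g. invoice.docx.crypt: original extension still present before .crypt
    # (assumption: a bare "x.crypt" with no original extension is not counted)
    if name.endswith(ENCRYPTED_SUFFIX) and name.count(".") >= 2:
        return "encrypted"
    stem, ext = os.path.splitext(name)
    if stem == RANSOM_NOTE_STEM and ext in RANSOM_NOTE_EXTS:
        return "note"
    return None


def scan_paths(paths):
    """Group indicators by directory: {dir: {'encrypted': [...], 'notes': [...]}}."""
    hits = {}
    for p in paths:
        kind = classify_path(p)
        if kind is None:
            continue
        directory = str(PurePosixPath(p).parent)
        entry = hits.setdefault(directory, {"encrypted": [], "notes": []})
        entry["encrypted" if kind == "encrypted" else "notes"].append(p)
    return hits


def affected_directories(hits):
    """Directories holding both encrypted files and a ransom note are strong matches."""
    return sorted(d for d, e in hits.items() if e["encrypted"] and e["notes"])


# Constructed sample listing (not taken from a real incident).
SAMPLE_PATHS = [
    "/srv/share/finance/q1_report.xlsx.crypt",
    "/srv/share/finance/de_crypt_readme.txt",
    "/srv/share/finance/de_crypt_readme.html",
    "/srv/share/finance/notes.txt",
    "/home/alice/photos/trip.jpg.crypt",
    "/home/alice/photos/trip2.jpg",
]

if __name__ == "__main__":
    for d in affected_directories(scan_paths(SAMPLE_PATHS)):
        print("CryptXXX indicators found in", d)
```

On a live system, replace SAMPLE_PATHS with an os.walk() listing of the shares; a directory with encrypted files but no note still deserves a look, since the note may have been removed.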

Shortly after the Maisto hack was discovered, the site’s administrators temporarily closed it for maintenance and fixed the issue. Meanwhile, thousands of CryptXXX victims keep struggling to get their important data back. Fortunately, a recovery solution was recently released that restores .crypt files encoded by CryptXXX versions 1.0 and 2.0. Such breakthroughs, though, have oftentimes led to ransomware updates that prevent the tools from decoding files. Time will tell if the next versions of this Trojan will be any better. Hopefully not.