CryptXXX

Description

CryptXXX is a ransomware strain that first appeared in April 2016, developed by the same group behind the Reveton and Angler Exploit Kit operations. It uses a single-extortion model, encrypting victim files with RSA-4096 and AES-256 and appending the .crypt or .crypt1 extension in early versions; later variants used other extensions. Distribution was largely via the Angler and Neutrino exploit kits, which targeted unpatched browsers and plugins, as well as via malicious email attachments. CryptXXX also included credential theft capabilities, harvesting credentials from browsers and FTP clients, and some variants carried a file-stealing module. Notable campaigns affected victims globally, with a strong concentration in North America and Europe. Operations were disrupted in mid-2016 when security researchers from Kaspersky Lab released decryption tools, forcing the group to release updated, harder-to-crack versions.

External Analysis
https://securelist.com/cryptxxx-unveiled/74731/
https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-cryptxxx-ransomware/
https://blog.malwarebytes.com/threat-spotlight/2016/05/cryptxxx-ransomware-now-steals-more/
https://www.symantec.com/connect/blogs/cryptxxx-ransomware-evolves-v30
Urls
File servers
Chat servers
http://apvc24autvavxuc6.onion/
Admin servers