Users infected with CryptXXX malware offered their data back for half price in Christmas deal
Charitable cybercriminals have reduced the cost of decrypting the data of infected computers in honour of the Christmas season.
The hacker group behind the “CryptXXX” trojan, which silently installs itself onto the machines of users who access compromised websites, has reduced the asking price by over 50 per cent until December 31st.
The malware first spread via a compromised anime site earlier this year and has gone through many iterations since then in an attempt to stay ahead of cyber-security company Kaspersky, which has worked on breaking the encryption techniques used by the trojan.
Previously, CryptXXX asked for a ransom payment of 1.2 Bitcoin (BTC) from victims, but upon visiting one of the payment sites through the secure Tor browser, a pop-up appeared (below) offering to decrypt data for just 0.5 BTC or roughly £328 at current exchange rates.
“This highlights that, by providing a seasonal discount on their ransom, these malicious actors have a warped but sound business sense,” said Carl Leonard, principal security analyst at cyber security firm Forcepoint.
“Victims may genuinely believe they are receiving a ‘good’ deal to unencrypt their data, but by paying the ransom they are motivating cyber criminals to continue such malicious activities.”
Yet the reduction in price may have had less altruistic motives than it first appears.
As Kaspersky detailed on its blog yesterday, the latest version of the trojan, CryptXXX version 3, has been cracked by the company, which has released a free tool to decrypt the data and rid user machines of the malware.
It is probably fair to assume that the group behind it has lowered the price in the hope that infected users will pay up before they realise that the Kaspersky tool can retrieve their data for free.
CryptXXX has gone through a number of changes since its introduction in April this year and was first thwarted only a few days after release, when a flaw in its encryption algorithm was discovered.
A free utility called Rannoh decryptor was quickly released by Kaspersky to decrypt the files.
A second version of the malware was quickly released but was again thwarted in just a matter of days.
However, CryptXXX version 3, which first started appearing in May, proved more difficult to overcome and it remained unbreakable until Kaspersky released a new version of their utility yesterday.
The tool can be downloaded from Kaspersky's website.
The Russian cyber-security firm said that almost a quarter of all attacks were targeting users in the USA, with Russia, Germany, Japan, India and Canada combining for another 28 per cent of infection attempts.
“Our regular advice to the victims of different ransomware families is the following: even if there is currently no decryption tool available for the version of malware that encrypted your files, please don’t pay the ransom to criminals,” said Anton Ivanov, security expert at Kaspersky Lab.
“Save the corrupt files and be patient — the probability of a decryption tool emerging in the near future is high. We consider the case of CryptXXX v.3 as proof of this advice.
“Multiple security specialists around the world are continuously working hard to be able to help victims of ransomware. Sooner or later the solution to the vast majority of ransomware will be found.”
Earlier this month it was revealed that a massive network of hacked computers connected to a botnet known as Avalanche had been taken down after police raids in ten countries.