New CryptXXX ransomware also steals email, poker, VPN and IM passwords

A new variant of the CryptXXX ransomware not only encrypts files but also tries to steal passwords. Security researchers from Proofpoint analyzed the new variant and also found that it searches for shared drives and folders to encrypt.


Besides encrypting files and folders, it also downloads a .DLL file that is actually a plugin extending the ransomware with functionality to steal passwords from, for example, FTP software, email clients, dialers, download managers, instant messaging software, VPNs and proxies, remote management software and poker applications. Besides passwords, it also tries to steal browser data such as browsing history, cookies and stored credentials.

The new CryptXXX variant can be distinguished from older versions because it adds the .cryp1 extension to encrypted files; older versions added the .crypt extension.

Another difference is that files encrypted by the latest version of CryptXXX can no longer be decrypted with free tools. For earlier versions, Kaspersky Lab's free RannohDecryptor can be used, but it no longer works with the latest CryptXXX ransomware.
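As an added example (not from the article or from Proofpoint's analysis), a small defender-side triage script that applies the extension rule above to a file tree or mounted share: it counts .crypt and .cryp1 files, reports which CryptXXX variant is present and whether the free-decryptor note still applies. The directory layout it scans is constructed inline as sample data.

```python
import os
import tempfile
from collections import Counter

# Extension markers described in the article: ".crypt" for older CryptXXX
# builds (recoverable with Kaspersky's RannohDecryptor), ".cryp1" for the
# newer variant (no free decryptor at the time of the article).
MARKERS = {
    ".crypt": {"variant": "CryptXXX (older)", "free_decryptor": True},
    ".cryp1": {"variant": "CryptXXX (new)", "free_decryptor": False},
}


def triage_cryptxxx(root):
    """Walk `root` (a local path or a mounted share) and count files whose
    extension is one of the CryptXXX markers. Returns per-extension counts,
    the variant most likely present, and whether a free decryptor applies."""
    counts = Counter()
    for _dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if ext in MARKERS:
                counts[ext] += 1
    if not counts:
        return {"counts": {}, "variant": None, "free_decryptor": None}
    top = counts.most_common(1)[0][0]
    return {"counts": dict(counts),
            "variant": MARKERS[top]["variant"],
            "free_decryptor": MARKERS[top]["free_decryptor"]}


def build_sample_tree(infected=True):
    """Constructed sample data (not from a real infection): a temp tree with
    a simulated shared folder holding new-variant files next to a clean one.
    With infected=False only the clean file is created."""
    root = tempfile.mkdtemp()
    share = os.path.join(root, "share", "finance")
    os.makedirs(share)
    names = ["README.txt"]
    if infected:
        names += ["q1.xlsx.cryp1", "notes.docx.cryp1"]
    for name in names:
        open(os.path.join(share, name), "w").close()
    return root


if __name__ == "__main__":
    print(triage_cryptxxx(build_sample_tree()))
```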
