The most recent version of the CryptXXX ransomware came with lots of changes, among which the most important is an infostealer module that can dump and steal passwords from various applications on the infected machine.
Called StillerX, this module was seen part of CryptXXX starting with version 3.100, detected by Proofpoint for the first time on May 26. The US security firm says that this CryptXXX version comes with lots of new features, but StillerX makes it more dangerous than before.
StillerX works just like classic password dumpers, also known as infostealers. These types of malware are specifically designed to attack the internal databases of several software packages, extract encrypted or cleartext passwords, and then send them to an online server. CryptXXX's StillerX module is capable of targeting all sorts of software, such as browsers, download managers, email clients, FTP software, IM applications, poker apps, proxy clients, VPNs, dialer credentials, and passwords stored in WNetEnum's cache and Microsoft's Credential Manager.
Users can detect a CryptXXX ransomware infection that comes with StillerX by the presence of the "stiller.dll," "stillerx.dll" and "stillerzzz.dll" files on their systems. Proofpoint says that there are clues in StillerX's code making them believe the module could be used as a standalone, without CryptXXX.
Other new changes in CryptXXX 3.100
Besides the ability to steal your passwords for future cyber-attacks, CryptXXX also changed its decryption website. The portal received a facelift and now features new graphics. Until now, the ransomware has used the same user interface as the CryptoWall ransomware.
Last but not least, CryptXXX is now also capable of searching for network-connected drives and infecting the files it finds on those partitions as well. The ability to search and infect network drives has been seen in several ransomware families in recent weeks and seems to be a natural course of evolution for most of these threats in an attempt to maximize their impact and force victims to pay the ransom.