The developers of CryptXXX ransomware have recently updated the malicious software. A new campaign has also been launched, in which an increasing number of Joomla and WordPress websites are being compromised with malicious code that directs visitors to sites containing the Neutrino exploit kit.

The latest CryptXXX crypto-ransomware variant no longer changes the extension of files that have been encrypted; the file names are left unchanged. This makes it more difficult for system administrators to resolve an infection by restoring files from backups, as it is much harder to determine exactly which files have been encrypted.
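
One way to triage which files need restoring when extensions are unchanged, as an added example (not from the original article): flag files whose leading bytes no longer match their extension, or whose text content has near-random entropy. It assumes the encryption overwrites the start of each file, which the article does not state; the signature table, threshold and sample files are constructed.

```python
import math
import os
import tempfile
from collections import Counter

# Leading bytes expected per extension (partial list; extend for your own estate).
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff", ".docx": b"PK\x03\x04"}
TEXT_EXTS = {".txt", ".csv", ".log", ".xml", ".html"}
ENTROPY_LIMIT = 7.0  # bits/byte; plain text is normally well under 6


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; an empty input yields 0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspect_reason(path, sample=65536):
    """Return why a file looks encrypted, or None if it looks intact."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(sample)
    if ext in MAGIC and not head.startswith(MAGIC[ext]):
        return "header does not match extension"
    if ext in TEXT_EXTS and shannon_entropy(head) > ENTROPY_LIMIT:
        return "high entropy for a text format"
    return None


def triage(root):
    """Map each suspect file under root to the reason it was flagged."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reason = suspect_reason(full)
            if reason:
                flagged[os.path.relpath(full, root)] = reason
    return flagged


def demo():
    """Constructed sample tree: two intact files, two filled with ciphertext-like bytes."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"ok.pdf": b"%PDF-1.4\n" + b"x" * 200, "ok.txt": b"quarterly report\n" * 50,
                   "hit.pdf": bytes(range(256)) * 16, "hit.csv": bytes(range(256)) * 16}
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return triage(root)
```

Compressed formats such as .docx and .jpg are high-entropy even when intact, which is why they are checked by header rather than by entropy.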

The ransomware developers have also changed the ransom note that is presented to victims, along with the Tor address for payment. The payment site has been renamed frequently, having used names such as Google Decryptor and Ultra Decryptor in the past; the authors now call it Microsoft Decryptor. This is the second time the payment site has been renamed since June 1. Unfortunately for victims who experience difficulties making the payment, there is no method of contacting the attackers to explain payment issues.

CryptXXX crypto-ransomware was previously spread using the Angler exploit kit, but it is now being distributed using Neutrino. Neutrino is primarily used to exploit vulnerabilities in PDF readers and Adobe Flash to download CryptXXX.

CryptXXX Crypto-Ransomware and CryptoBit Distributed in RealStatistics Campaign

WordPress and Joomla sites are being infected at a high rate, with 2,000 sites currently infected as part of the latest campaign according to Sucuri. The company’s researchers have suggested that the actual figure may be closer to 10,000 websites due to the limited range of sites that they have been observing.

It is unclear how the websites are being infected. It has been suggested that outdated Joomla and WordPress installations are the most likely way that the attackers are gaining access to the sites, although outdated plugins on the websites could also be used to inject malicious Analytics code. The campaign is being referred to as “Realstatistics” due to the URL that is placed into the PHP template of infected sites.

The latest campaign has also been used to push other ransomware variants to unsuspecting website visitors. Palo Alto Networks researchers discovered eight separate CryptoBit variants that were being pushed as part of the latest Realstatistics campaign. The attackers now appear to be using CryptoBit less and have switched to CryptXXX crypto-ransomware in recent days.