CryptXXX Ransomware Spread Through SoakSoak Botnet: Two Big Actors As One

CryptXXX and SoakSoak are huge threats individually.

Reported by Proofpoint in April 2016, CryptXXX has changed its mode of operation and distribution several times. It was first reported to be distributed through the Angler Exploit Kit, with anti-analysis functions to avoid exposure. This ransomware not only encrypts files on the infected node but also includes an information-disclosure function. A later version was found to be capable of discovering shared resources on the network and encrypting them. More information can be found in our previous blog post on this malware.

SoakSoak is malware that targets vulnerabilities in a WordPress plug-in, leading to infection of the vulnerable website. As reported in December 2014, this malware had infected over 100,000 WordPress-based sites.

The collaboration of these two threats was first reported by Invincea, which described their course of action. The SoakSoak botnet has the capability to scan domains and modify infected sites so that they redirect visitors to the site hosting the Neutrino EK, which in turn delivers the CryptXXX ransomware.

First and foremost, we recommend avoiding the vulnerable WordPress plug-in, Resilver.

Both ThreatSTOP IP Firewall Service and DNS Firewall Service customers are protected from CryptXXX if they enable the TS Critical and TSRansomware targets in their policies.