Cryptomix Ransomware has been active for the past year and has appeared in multiple variants. It spreads via exploit kits, malicious attachments, and malicious links hosted on hacked domains across the Internet.
Cryptomix Ransomware does not change the desktop background; it encrypts the files stored on the infected system and appends a suffix to each encrypted file as an extension. The variants of this malware append different extensions to the encrypted files, as listed in the chart below (fig 1). Earlier this month, a new variant was observed adding the .AZER extension to encrypted files. This variant works without any network communication and is completely offline. Recently we also came across a new version called the “Exte” Ransomware. Zayka and Noob are the most recent versions of the CryptoMix family; these versions drop a ransom note whose name matches the one dropped by the older Exte version but whose content differs. They also use the same email ID for payment information.
Once the files on the infected system are encrypted, the ransomware payload drops a ransom note. The note name differs between variants; previous variants were observed using names such as #_RESTORING_FILES_#.TXT, # RESTORING FILES #.HTML, # RESTORING FILES #.TXT, and _HELP_INSTRUCTION.TXT.
To decrypt their files, victims are asked to write to the email IDs given in the ransom note and provide their own email ID in order to receive instructions on how to pay the ransom.
The chart below lists, for each Cryptomix Ransomware variant, the malicious process responsible for encryption, the extension appended, the ransom note dropped, and the associated email addresses.
Ransomware Variant Name | Responsible Process for Encryption | Extension Appended | Ransom Note Name | Associated Email
--- | --- | --- | --- | ---
Code | %appdata%\AdobeFlash Player_<Machine_ID>.exe | .id_<Machine_Id>_email_xoomx@dr.com_.code | HELP_YOUR_FILES.HTML, HELP_YOUR_FILES.TXT | ADMIN@HOIST.DESI, SHIELD0@USA.COM
Wallet | Downloaded dropped payload | .[Attacker's email id].ID[Machine's 16-char ID].WALLET | #_RESTORING_FILES_#.TXT | xoomx@dr.com, xoomx@usa.com
CryptoShield 1.0 | Downloaded dropped payload | .CRYPTOSHIELD | # RESTORING FILES #.HTML, # RESTORING FILES #.TXT | restoring_sup@india.com, restoring_sup@computer4u.com, restoring_reserve@india.com
Revenge | Downloaded dropped payload | .REVENGE | # !!!HELP_FILE!!! #.txt | rev00@india.com, revenge00@writeme.com, rev_reserv@india.com
Mole02 | %appdata%\1DDA7A65.exe | .MOLE02 | _HELP_INSTRUCTION.TXT | NA
Azer | %appdata%\BC1DDA7A65.exe | -email-[webmafia@asia.com].AZER | INTERESTING_INFORMACION_FOR_DECRYPT.TXT | webmafia@asia.com, donald@trampo.info
Exte | %appdata%\BC1DDA7A65.exe | .EXTE | _HELP_INSTRUCTION.TXT | exte1@msgden.net, exte2@protonmail.com, exte3@reddithub.com
Zayka & Noob | %appdata%\BC1DDA7A65.exe | Either .ZAYKA or .NOOB | _HELP_INSTRUCTION.TXT | admin@zayka.pro

Fig 1
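The extension patterns and ransom note names in the chart are the artefacts a responder actually sees on disk, so they make a practical triage check. The following script is an added example, not code from Quick Heal or from the original post: it turns the chart into regular expressions and a note-name lookup, walks a list of file paths, and reports which variant's encrypted-file naming and ransom notes are present. The file paths are constructed sample input; the machine IDs and the `[0-9a-f]` / 16-character shapes assumed for them are assumptions, since the chart only gives placeholders.

```python
import re
from collections import defaultdict

# Extension patterns derived from the variant chart (fig 1). Matched against the
# bare file name, case-insensitively. Placeholder parts of the chart (machine ID,
# attacker e-mail) are matched generically; the hex/16-char shapes are assumptions.
_EMAIL = r"[\w.+-]+@[\w.-]+"
EXTENSION_PATTERNS = {
    "Code": re.compile(r"\.id_[0-9a-f]+_email_" + _EMAIL + r"_\.code$", re.I),
    "Wallet": re.compile(r"\." + _EMAIL + r"\.id[0-9a-f]{16}\.wallet$", re.I),
    "CryptoShield 1.0": re.compile(r"\.cryptoshield$", re.I),
    "Revenge": re.compile(r"\.revenge$", re.I),
    "Mole02": re.compile(r"\.mole02$", re.I),
    "Azer": re.compile(r"-email-\[" + _EMAIL + r"\]\.azer$", re.I),
    "Exte": re.compile(r"\.exte$", re.I),
    "Zayka & Noob": re.compile(r"\.(zayka|noob)$", re.I),
}

# Ransom note names from the chart (upper-cased keys), mapped to the variants
# known to drop them; several variants share _HELP_INSTRUCTION.TXT.
RANSOM_NOTES = {
    "HELP_YOUR_FILES.HTML": ("Code",),
    "HELP_YOUR_FILES.TXT": ("Code",),
    "#_RESTORING_FILES_#.TXT": ("Wallet",),
    "# RESTORING FILES #.HTML": ("CryptoShield 1.0",),
    "# RESTORING FILES #.TXT": ("CryptoShield 1.0",),
    "# !!!HELP_FILE!!! #.TXT": ("Revenge",),
    "_HELP_INSTRUCTION.TXT": ("Mole02", "Exte", "Zayka & Noob"),
    "INTERESTING_INFORMACION_FOR_DECRYPT.TXT": ("Azer",),
}


def basename(path):
    """Return the final path component for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def scan_paths(paths):
    """Classify file paths into encrypted-file hits and ransom-note hits per variant."""
    hits = {"encrypted_files": defaultdict(list), "ransom_notes": defaultdict(list)}
    for path in paths:
        name = basename(path)
        for variant, pattern in EXTENSION_PATTERNS.items():
            if pattern.search(name):
                hits["encrypted_files"][variant].append(path)
        variants = RANSOM_NOTES.get(name.upper())
        if variants:
            hits["ransom_notes"]["/".join(variants)].append(path)
    return {key: dict(value) for key, value in hits.items()}


def suspected_variants(paths):
    """Sorted list of variants whose encrypted-file naming appears in the paths."""
    return sorted(scan_paths(paths)["encrypted_files"])


# Constructed sample listing (assumed machine IDs), mixing hits with clean files.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.xlsx.id_A1B2C3D4_email_xoomx@dr.com_.code",
    r"C:\Users\alice\Documents\HELP_YOUR_FILES.TXT",
    r"C:\Users\bob\Desktop\invoice.docx.xoomx@dr.com.ID0123456789ABCDEF.WALLET",
    r"C:\Users\bob\Desktop\#_RESTORING_FILES_#.TXT",
    r"C:\Users\carol\Pictures\holiday.jpg-email-[webmafia@asia.com].AZER",
    r"C:\Users\carol\Pictures\INTERESTING_INFORMACION_FOR_DECRYPT.TXT",
    r"C:\Users\dave\notes.txt.ZAYKA",
    r"C:\Users\dave\_HELP_INSTRUCTION.TXT",
    r"C:\Users\dave\budget.xlsx",  # clean file, must not match
    r"C:\Users\dave\archive.old",  # benign extension, must not match
]

if __name__ == "__main__":
    report = scan_paths(SAMPLE_PATHS)
    for section, entries in report.items():
        print(section)
        for variant, files in sorted(entries.items()):
            print(f"  {variant}: {len(files)} file(s)")
    print("suspected variants:", suspected_variants(SAMPLE_PATHS))
```

In practice the path list would come from `os.walk` over user profiles or from an EDR file-event feed; matching on the bare file name rather than the full path keeps the check independent of where the ransomware happened to run. The shared note name is reported as `Mole02/Exte/Zayka & Noob` because the note alone cannot distinguish those variants; the appended extension is what resolves it.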
Quick Heal Detection
Quick Heal detects the Cryptomix ransomware sample and its dropped components with proactive as well as behavior-based detection, as shown below.
Steps to stay away from ransomware:
ACKNOWLEDGMENT
– Subject Matter Expert