Cryptomix Ransomware resurfaces with multiple variants


Cryptomix Ransomware has been active for the past year and has appeared in multiple variants. It spreads via exploit kits, malicious attachments, and malicious links hosted on hacked domains across the Internet.

Cryptomix Ransomware does not change the desktop background, but it encrypts the files stored on the infected system and appends a suffix to each as an extension. The variants of this malware append different extensions to the encrypted files, as listed in the chart below (Fig 1). Earlier this month, a new variant of the ransomware was observed adding the .AZER extension to encrypted files. This variant works without any network communication and is completely offline. Recently we also came across a new version called the “Exte” Ransomware. Zayka and Noob are the most recent versions of the CryptoMix family; these versions drop a ransom note whose name matches the one dropped by the older Exte version but whose content differs. They also use the same email ID for payment information.

When the files on the infected system have been encrypted, the ransomware payload drops a ransom note. The note's name differs between variants; previous variants were observed using names such as #_RESTORING_FILES_#.TXT, # RESTORING FILES #.HTML, # RESTORING FILES #.TXT and _HELP_INSTRUCTION.TXT.

To decrypt the files, victims are asked to write to email IDs given in the ransom note and provide their email ID in order to receive instructions on how to pay the ransom.

The chart below lists, for each Cryptomix Ransomware variant, the malicious process responsible for encryption, the extension appended to encrypted files, the name of the dropped ransom note, and the associated email addresses.

Ransomware variant: Code
  Responsible process for encryption: %appdata%\AdobeFlashPlayer_<Machine_ID>.exe
  Extension appended: .id_<Machine_Id>_email_xoomx@dr.com_.code
  Ransom note name: HELP_YOUR_FILES.HTML, HELP_YOUR_FILES.TXT
  Associated email: ADMIN@HOIST.DESI, SHIELD0@USA.COM

Ransomware variant: Wallet
  Responsible process for encryption: Downloaded dropped payload
  Extension appended: .[Attacker's email id].ID[Machine's 16-char ID].WALLET
  Ransom note name: #_RESTORING_FILES_#.TXT
  Associated email: xoomx@dr.com, xoomx@usa.com

Ransomware variant: CryptoShield 1.0
  Responsible process for encryption: Downloaded dropped payload
  Extension appended: .CRYPTOSHIELD
  Ransom note name: # RESTORING FILES #.HTML, # RESTORING FILES #.TXT
  Associated email: restoring_sup@india.com, restoring_sup@computer4u.com, restoring_reserve@india.com

Ransomware variant: Revenge
  Responsible process for encryption: Downloaded dropped payload
  Extension appended: .REVENGE
  Ransom note name: # !!!HELP_FILE!!! #.txt
  Associated email: rev00@india.com, revenge00@writeme.com, rev_reserv@india.com

Ransomware variant: Mole02
  Responsible process for encryption: %appdata%\1DDA7A65.exe
  Extension appended: .MOLE02
  Ransom note name: _HELP_INSTRUCTION.TXT
  Associated email: NA

Ransomware variant: Azer
  Responsible process for encryption: %appdata%\BC1DDA7A65.exe
  Extension appended: -email-[webmafia@asia.com].AZER
  Ransom note name: INTERESTING_INFORMACION_FOR_DECRYPT.TXT
  Associated email: webmafia@asia.com, donald@trampo.info

Ransomware variant: Exte
  Responsible process for encryption: %appdata%\BC1DDA7A65.exe
  Extension appended: .EXTE
  Ransom note name: _HELP_INSTRUCTION.TXT
  Associated email: exte1@msgden.net, exte2@protonmail.com, exte3@reddithub.com

Ransomware variant: Zayka & Noob
  Responsible process for encryption: %appdata%\BC1DDA7A65.exe
  Extension appended: .ZAYKA or .NOOB
  Ransom note name: _HELP_INSTRUCTION.TXT
  Associated email: admin@zayka.pro

Fig 1
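The chart above is useful to an incident responder as a set of file-name indicators: the appended extension identifies the variant, while the ransom note name alone often does not, since Mole02, Exte, Zayka and Noob all drop _HELP_INSTRUCTION.TXT. The script below is an added example, not code from the original post or from Quick Heal; it turns the chart into regular expressions and runs them over a constructed file listing (the paths, the machine IDs and the attacker address in the Wallet entry are made up) to count encrypted files per variant and list the ransom notes found. Where the chart gives a placeholder (machine ID, attacker email), the pattern uses a wildcard.

```python
import re
from collections import Counter

# Variant -> regex over the name of an encrypted file, built from the
# extension patterns in the chart (Fig 1). Machine IDs and, for the Wallet
# variant, the attacker's email address vary per infection, so those parts
# are wildcards.
ENCRYPTED_NAME_PATTERNS = {
    "Code": re.compile(r"\.id_[0-9A-Za-z]+_email_xoomx@dr\.com_\.code$", re.I),
    "Wallet": re.compile(r"\.\[[^\]]+@[^\]]+\]\.ID\[[0-9A-Za-z]{16}\]\.WALLET$", re.I),
    "CryptoShield 1.0": re.compile(r"\.CRYPTOSHIELD$", re.I),
    "Revenge": re.compile(r"\.REVENGE$", re.I),
    "Mole02": re.compile(r"\.MOLE02$", re.I),
    "Azer": re.compile(r"-email-\[webmafia@asia\.com\]\.AZER$", re.I),
    "Exte": re.compile(r"\.EXTE$", re.I),
    "Zayka & Noob": re.compile(r"\.(ZAYKA|NOOB)$", re.I),
}

# Ransom note file names from the chart, upper-cased for case-insensitive
# comparison. A note name alone does not pin down the variant, because
# several variants share _HELP_INSTRUCTION.TXT; the extension does.
RANSOM_NOTE_NAMES = {
    "HELP_YOUR_FILES.HTML", "HELP_YOUR_FILES.TXT",
    "#_RESTORING_FILES_#.TXT",
    "# RESTORING FILES #.HTML", "# RESTORING FILES #.TXT",
    "# !!!HELP_FILE!!! #.TXT",
    "_HELP_INSTRUCTION.TXT",
    "INTERESTING_INFORMACION_FOR_DECRYPT.TXT",
}


def basename(path):
    """Last path component; accepts both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def classify_encrypted_name(name):
    """Return the Cryptomix variant whose extension pattern matches, else None."""
    for variant, pattern in ENCRYPTED_NAME_PATTERNS.items():
        if pattern.search(name):
            return variant
    return None


def scan_listing(paths):
    """Summarise a file listing: encrypted files per variant and ransom notes seen."""
    variants = Counter()
    notes = []
    for path in paths:
        name = basename(path)
        variant = classify_encrypted_name(name)
        if variant:
            variants[variant] += 1
        if name.upper() in RANSOM_NOTE_NAMES:
            notes.append(name)
    return {"variants": dict(variants), "ransom_notes": notes}


# Constructed sample listing (not taken from a real infection). The Wallet
# entry uses a placeholder attacker address; the machine IDs are invented.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\report.docx.id_1A2B3C4D5E6F7A8B_email_xoomx@dr.com_.code",
    r"C:\Users\alice\Documents\HELP_YOUR_FILES.TXT",
    r"C:\Users\alice\Pictures\holiday.jpg.[attacker@example.com].ID[0123456789ABCDEF].WALLET",
    r"C:\Users\alice\Pictures\#_RESTORING_FILES_#.TXT",
    r"C:\Users\bob\invoice.pdf.CRYPTOSHIELD",
    r"C:\Users\bob\budget.xlsx.REVENGE",
    r"C:\Users\bob\thesis.tex.MOLE02",
    r"C:\Users\bob\photo.png-email-[webmafia@asia.com].AZER",
    r"C:\Users\bob\notes.txt.EXTE",
    r"C:\Users\bob\music.mp3.ZAYKA",
    r"C:\Users\bob\_HELP_INSTRUCTION.TXT",
    r"C:\Users\bob\readme.txt",  # benign file, matches nothing
]

if __name__ == "__main__":
    result = scan_listing(SAMPLE_LISTING)
    for variant, count in sorted(result["variants"].items()):
        print(f"{variant:18} {count} encrypted file(s)")
    print("ransom notes:", ", ".join(result["ransom_notes"]))
```

Feed it the output of a directory walk (or a file-system listing exported from a disk image) instead of SAMPLE_LISTING to get a per-variant count for a whole host; because the extension patterns are anchored at the end of the name, ordinary files whose names merely contain a variant string are not counted.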

Quick Heal Detection

Quick Heal detects the Cryptomix ransomware sample and its dropped components with proactive as well as behavior-based detection, as shown below.

Fig 2. Quick Heal Virus Protection

Fig 3. Quick Heal Behavior-based Detection

Steps to stay away from ransomware:

  1. Take regular backups of your important data.
  2. Use antivirus software that can block infected websites and emails, and always keep it up to date.
  3. Apply all recommended security updates and patches for your operating system and for commonly targeted applications such as Adobe products, Microsoft Office, Java, and web browsers.
  4. Do not respond to emails coming from unknown, unwanted or unexpected sources that urge you to click on links or download attachments, no matter how urgent such emails might sound.


ACKNOWLEDGMENT

– Subject Matter Expert

  • Anita Ladkat | Quick Heal Security Labs
