Cryptomix Ransomware resurfaces with multiple variants


Cryptomix Ransomware has been active for the past year and has appeared in multiple variants. It spreads via exploit kits, malicious attachments, and malicious links hosted on hacked domains across the Internet.

Cryptomix Ransomware does not change the desktop background; it encrypts the files stored on the infected system and appends a suffix to each encrypted file as an extension. The variants of this malware append different extensions to the encrypted files, as listed in the chart below (Fig 1). Earlier this month, a new variant of the ransomware was observed adding the .AZER extension to the encrypted files. This variant works without any network communication and is completely offline. Recently we also came across a new version called the “Exte” Ransomware. Zayka and Noob are the most recent versions of the CryptoMix family; these versions drop a ransom note whose name is the same as the one dropped by the older Exte version but whose content differs. They also use the same email ID for payment information.

Once the files on the infected system are encrypted, the ransomware payload drops a ransom note. The note's name differs across variants; previous variants were observed using names such as #_RESTORING_FILES_#.TXT, RESTORING FILES #.HTML, RESTORING FILES #.TXT, and _HELP_INSTRUCTION.TXT.

To decrypt the files, victims are asked to write to email IDs given in the ransom note and provide their email ID in order to receive instructions on how to pay the ransom.

The chart below lists, for each Cryptomix Ransomware variant, the malicious process responsible for encryption, the extension appended to encrypted files, the name of the dropped ransom note, and the associated email address.

Variant Name | Responsible process for Encryption | Extension Appended | Ransom Note Name | Associated Email
Code | %appdata%\AdobeFlash | | |
Wallet | Downloaded Dropped Payload | .[Attackers email id].ID[Machines 16 CHAR | |
Revenge | Downloaded Dropped Payload | .REVENGE | # !!!HELP_FILE!!! #.txt |
Mole02 | %appdata%\1DDA7A65.exe | .MOLE02 | _HELP_INSTRUCTION.TXT | NA
Azer | %appdata%\BC1DDA7A65.exe | “-email-[webmafia@].AZER” | |
Zayka & Noob | %appdata%\BC1DDA7A65.exe | Either .ZAYKA or .NOOB | _HELP_INSTRUCTION.TXT |

Fig 1
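As an added example (not Quick Heal's detection code), the following Python triage script walks a directory tree and flags files that carry the extensions and ransom-note names listed in the chart above, reporting a per-variant count so a responder can see which variant hit a share. The sample tree it builds is constructed for illustration; the file names in it are assumptions, not indicators from the post.

```python
import os
import tempfile
from collections import Counter

# Extension -> variant, from the chart above (Fig 1). Azer appends
# "-email-[address].AZER", so the final suffix alone identifies it.
VARIANT_BY_EXT = {".revenge": "Revenge", ".mole02": "Mole02", ".azer": "Azer",
                  ".zayka": "Zayka/Noob", ".noob": "Zayka/Noob"}
# Ransom-note names from the chart and text above, compared case-insensitively.
RANSOM_NOTES = {"_help_instruction.txt", "# !!!help_file!!! #.txt",
                "#_restoring_files_#.txt", "restoring files #.html",
                "restoring files #.txt"}

def classify(name):
    """Return ("note", None), ("encrypted", variant) or None for one file name."""
    lower = name.lower()
    if lower in RANSOM_NOTES:
        return ("note", None)
    ext = os.path.splitext(lower)[1]
    if ext in VARIANT_BY_EXT:
        return ("encrypted", VARIANT_BY_EXT[ext])
    return None

def scan(root):
    """Walk root; count encrypted files per variant and collect ransom-note paths."""
    hits = {"encrypted": Counter(), "notes": []}
    for dirpath, _, files in os.walk(root):
        for f in files:
            kind = classify(f)
            if kind is None:
                continue
            if kind[0] == "note":
                hits["notes"].append(os.path.join(dirpath, f))
            else:
                hits["encrypted"][kind[1]] += 1
    return hits

def build_sample_tree():
    """Constructed sample tree (empty files in a temp dir), not real victim data."""
    docs = os.path.join(tempfile.mkdtemp(), "Documents")
    os.makedirs(docs)
    for name in ("report.docx-email-[webmafia@].AZER", "photo.jpg.MOLE02",
                 "notes.txt.ZAYKA", "_HELP_INSTRUCTION.TXT", "clean.pdf"):
        open(os.path.join(docs, name), "w").close()
    return os.path.dirname(docs)

if __name__ == "__main__":
    print(scan(build_sample_tree()))
```

Matching on file names only is a quick first pass; it will miss a variant whose extension is not in the chart, so treat an empty result as "nothing known found", not as a clean system.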

Quick Heal Detection

Quick Heal detects the Cryptomix ransomware sample and its dropped components with proactive as well as behavior-based detection, as shown below.

Fig 2. Quick Heal Virus Protection

Fig 3. Quick Heal Behavior-based Detection

Steps to stay away from ransomware:

  1. Take regular backups of your important data.
  2. Use antivirus software that can block infected websites and emails, and always keep it up to date.
  3. Apply all recommended security updates and patches for your operating system and for commonly targeted applications such as Adobe products, Microsoft Office, Java, and web browsers.
  4. Do not respond to emails coming from unknown, unwanted or unexpected sources that urge you to click on links or download attachments, no matter how urgent such emails might sound.



– Subject Matter Expert

  • Anita Ladkat | Quick Heal Security Labs
