{"id":84610,"date":"2017-08-01T16:42:23","date_gmt":"2017-08-01T11:12:23","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=84610"},"modified":"2017-08-01T16:42:23","modified_gmt":"2017-08-01T11:12:23","slug":"cryptomix-ransomware-resurfaces-multiple-variants","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/cryptomix-ransomware-resurfaces-multiple-variants\/","title":{"rendered":"Cryptomix Ransomware resurfaces with multiple variants"},"content":{"rendered":"

Cryptomix Ransomware has been active for the last one year and has come up with multiple variants. It spreads via exploit kits, malicious attachments, and malicious links spread across the Internet on hacked domains.<\/p>\n

Cryptomix Ransomware does not change the desktop background but encrypts files stored on the infected system while appending a suffix as an extension. The variants of this malware append different extensions to the encrypted files as mentioned in the chart below (fig 1). Earlier this month, a new variant of the ransomware was observed adding the .AZER extension to the encrypted files. This variant works without any network communication and is completely offline. Also, recently we came across a new version called the “Exte” Ransomware. Zayka and Noob are the most recent versions of the CryptoMix family and these version drop the ransom note whose name is similar to that dropped by an older version of Exte but bearing different content. Also, it uses the same email ID for payment information.<\/p>\n

When files present on the infected system are encrypted, the ransomware payload drops a ransom note with a different name where previous variants were observed to be using names such as #_RESTORING_FILES_#.TXT, RESTORING FILES #.HTML, RESTORING FILES #.TXT, _HELP_INSTRUCTION.TXT.<\/p>\n

To decrypt the files, victims are asked to write to email IDs given in the ransom note and provide their email ID in order to receive instructions on how to pay the ransom.<\/p>\n

The chart below lists information related to the malicious process responsible for encryption, extensions added, dropped ransomware note, and associated emails used by the Cryptomix Ransomware variants.<\/p>\n\n\n\n\n\n\n\n\n\n\n\n
Ransomware
\nVariant\u00a0 Name<\/strong><\/td>\n		Responsible process
\nfor Encryption<\/strong><\/td>\n		Extension Appended <\/strong><\/td>\nRansom Note Name<\/strong><\/td>\nAssociated Email<\/strong><\/td>\n<\/tr>\n
Code<\/td>\n%appdata%\\AdobeFlash
\nPlayer_<Machine_ID>.exe<\/td>\n		.id_<Machine_Id>_email
\n_xoomx@dr.com_.code<\/td>\n		HELP_YOUR_FILES.HTML
\nHELP_YOUR_FILES.TXT<\/td>\n		ADMIN@HOIST.DESI
\nSHIELD0@USA.COM<\/td>\n<\/tr>\n
Wallet<\/td>\nDownloaded Dropped Payload<\/td>\n.[Attackers email id].
\nID[Machines 16 CHAR
\n_ID].WALLET<\/td>\n		\u201c#_RESTORING_FILES_#.TXT<\/td>\nxoomx@dr.com
\nxoomx@usa.com<\/td>\n<\/tr>\n
CryptoShield
\n1.0<\/td>\n		Downloaded Dropped Payload<\/td>\n.CRYPTOSHIELD<\/td>\n# RESTORING FILES #.HTML
\n# RESTORING FILES #.TXT<\/td>\n		restoring_sup@india
\n.com;restoring_sup@
\ncomputer4u.com;restoring
\n_reserve@india.com<\/td>\n<\/tr>\n
Revenge<\/td>\nDownloaded Dropped Payload<\/td>\n\u00a0.REVENGE<\/td>\n# !!!HELP_FILE!!! #.txt<\/td>\nrev00@india.com
\nrevenge00@writeme.com
\nrev_reserv@india.com<\/td>\n<\/tr>\n
Mole02<\/td>\n%appdata%\\1DDA7A65.exe<\/td>\n.MOLE02<\/td>\n_HELP_INSTRUCTION.TXT<\/td>\nNA<\/td>\n<\/tr>\n
Azer<\/td>\n%appdata%\\BC1DDA7A65.exe<\/td>\n“-email-[webmafia@
\nasia.com].AZER”<\/td>\n		INTERESTING_INFORMACION
\n_FOR_DECRYPT.TXT<\/td>\n		webmafia@asia.com
\ndonald@trampo.info<\/td>\n<\/tr>\n
Exte<\/td>\n%appdata%\\BC1DDA7A65.exe<\/td>\n.EXTE<\/td>\n_HELP_INSTRUCTION.TXT<\/td>\nexte1@msgden.net
\nexte2@protonmail.com
\nexte3@reddithub.com<\/td>\n<\/tr>\n
Zayka & Noob<\/td>\n%appdata%\\BC1DDA7A65.exe<\/td>\nEither .ZAYKA or .NOOB<\/td>\n_HELP_INSTRUCTION.TXT<\/td>\nadmin@zayka.pro<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Fig 1<\/p>\n

Quick Heal Detection<\/strong><\/p>\n

Quick Heal detects the Cryptomix ransomware sample and its dropped components with proactive as well behavior-based detection as shown below.<\/p>\n

\"Fig
Fig 2. Quick Heal Virus Protection<\/figcaption><\/figure>\n

 <\/p>\n

\"Fig
Fig 3. Quick Heal Behavior-based Detection<\/figcaption><\/figure>\n

Steps to stay away from ransomware:<\/strong><\/p>\n

    \n
  1. Take regular backups of your important data.<\/li>\n
  2. Use an antivirus software<\/a> that can block infected websites and emails. Always keep the software up-to-date.<\/li>\n
  3. Apply all recommended security updates and patches for your Operating System, and commonly targeted applications like Adobe, Microsoft Office, Java, and web browsers.<\/li>\n
  4. Do not respond to emails coming from unknown, unwanted or unexpected sources that urge you to click on links or download attachments, no matter how urgent such emails might sound.<\/li>\n<\/ol>\n

     <\/p>\n

    ACKNOWLEDGMENT<\/strong><\/p>\n

    – Subject Matter Expert<\/p>\n

      \n
    • Anita Ladkat | Quick Heal Security Labs<\/li>\n<\/ul>\n

       <\/p>\n","protected":false},"excerpt":{"rendered":"

      Cryptomix Ransomware has been active for the last one year and has come up with multiple variants. It spreads via exploit kits, malicious attachments, and malicious links spread across the Internet on hacked domains. Cryptomix Ransomware does not change the desktop background but encrypts files stored on the infected system while appending a suffix as […]<\/p>\n","protected":false},"author":29,"featured_media":84613,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[910,5],"tags":[1480],"class_list":["post-84610","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ransomware","category-security","tag-cryptomix-ransomware"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84610"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/29"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=84610"}],"version-history":[{"count":1,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84610\/revisions"}],"predecessor-version":[{"id":84614,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84610\/revisions\/84614"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/84613"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=84610"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=84610"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=84610"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}