Cryptomix Ransomware resurfaces with multiple variants
Credit to Author: Quick Heal Security Labs| Date: Tue, 01 Aug 2017 11:12:23 +0000
Cryptomix ransomware has been active for the past year and has appeared in multiple variants. It spreads via exploit kits, malicious attachments, and malicious links hosted on hacked domains. Cryptomix does not change the desktop background; it encrypts the files stored on the infected system and appends a suffix to each encrypted file as a new extension. Each variant appends a different extension, as listed in the chart below (Fig 1).

Earlier this month, a new variant was observed adding the .AZER extension to encrypted files. This variant works without any network communication and operates completely offline. We also recently came across a new version called the "Exte" ransomware. Zayka and Noob are the most recent versions of the CryptoMix family. They drop a ransom note with the same name as the one dropped by the older Exte version but with different content, and both use the same email ID for payment information.

Once the files on the infected system are encrypted, the ransomware payload drops a ransom note. Its name varies by variant; previous variants were observed using names such as #_RESTORING_FILES_#.TXT, # RESTORING FILES #.HTML, # RESTORING FILES #.TXT and _HELP_INSTRUCTION.TXT. To decrypt the files, victims are asked to write to the email IDs given in the ransom note and to provide their own email ID in order to receive instructions on how to pay the ransom.

The chart below lists, for each Cryptomix variant, the malicious process responsible for encryption, the extension appended, the ransom note dropped, and the associated email addresses.
| Variant | Process responsible for encryption | Extension appended | Ransom note name | Associated email |
|---|---|---|---|---|
| Code | %appdata%\Adobe\Flash Player_<Machine_ID>.exe | .id_<Machine_Id>_email_xoomx@dr.com_.code | HELP_YOUR_FILES.HTML, HELP_YOUR_FILES.TXT | ADMIN@HOIST.DESI, SHIELD0@USA.COM |
| Wallet | Downloaded/dropped payload | .[attacker's email id].ID[16-char machine ID].WALLET | #_RESTORING_FILES_#.TXT | xoomx@dr.com, xoomx@usa.com |
| CryptoShield 1.0 | Downloaded/dropped payload | .CRYPTOSHIELD | # RESTORING FILES #.HTML, # RESTORING FILES #.TXT | restoring_sup@india.com, restoring_sup@computer4u.com, restoring_reserve@india.com |
| Revenge | Downloaded/dropped payload | .REVENGE | # !!!HELP_FILE!!! #.txt | rev00@india.com, revenge00@writeme.com, rev_reserv@india.com |
| Mole02 | %appdata%\1DDA7A65.exe | .MOLE02 | _HELP_INSTRUCTION.TXT | NA |
| Azer | %appdata%\BC1DDA7A65.exe | -email-[webmafia@asia.com].AZER | INTERESTING_INFORMACION_FOR_DECRYPT.TXT | webmafia@asia.com, donald@trampo.info |
| Exte | %appdata%\BC1DDA7A65.exe | .EXTE | _HELP_INSTRUCTION.TXT | exte1@msgden.net, exte2@protonmail.com, exte3@reddithub.com |
| Zayka & Noob | %appdata%\BC1DDA7A65.exe | .ZAYKA or .NOOB | _HELP_INSTRUCTION.TXT | admin@zayka.pro |

Fig 1. Cryptomix ransomware variants

Quick Heal Detection

Quick Heal detects the Cryptomix ransomware sample and its dropped components with proactive as well as behavior-based detection, as shown below.

Fig 2. Quick Heal Virus Protection

Fig 3. Quick Heal Behavior-based Detection

Steps to stay away from ransomware:
- Take regular backups of your important data.
- Use antivirus software that can block infected websites and emails.
- Always keep your software up to date. Apply all recommended security updates and patches for your operating system and for commonly targeted applications such as Adobe products, Microsoft Office, Java, and web browsers.
- Do not respond to emails from unknown, unwanted or unexpected sources that urge you to click on links or download attachments, no matter how urgent such emails might sound.
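As an added example that is not part of the original post and is not Quick Heal's detection logic, the following Python script turns the indicator table in Fig 1 into a simple post-incident triage: it classifies file names by the appended extensions and ransom note names listed there and cross-checks the two, because _HELP_INSTRUCTION.TXT is shared by Mole02, Exte, Zayka and Noob and on its own identifies only the family. The sample file listing is constructed, and the regular expressions for the extensions that embed a machine ID or an email address are the editor's assumptions about the shapes the table describes.

```python
import ntpath
import re
from collections import Counter

# Appended-extension patterns per variant, taken from the table above.
# Where the table shows a placeholder (<Machine_Id>, [attacker's email id],
# a 16-char machine ID), the regex for that shape is an assumption, not
# Quick Heal's detection logic.
EXTENSION_PATTERNS = {
    "Code":         re.compile(r"\.id_[^_\\/]+_email_xoomx@dr\.com_\.code$", re.I),
    "Wallet":       re.compile(r"\.[\w.+-]+@[\w.-]+\.ID[0-9A-Za-z]{16}\.WALLET$", re.I),
    "CryptoShield": re.compile(r"\.CRYPTOSHIELD$", re.I),
    "Revenge":      re.compile(r"\.REVENGE$", re.I),
    "Mole02":       re.compile(r"\.MOLE02$", re.I),
    "Azer":         re.compile(r"-email-\[webmafia@asia\.com\]\.AZER$", re.I),
    "Exte":         re.compile(r"\.EXTE$", re.I),
    "Zayka":        re.compile(r"\.ZAYKA$", re.I),
    "Noob":         re.compile(r"\.NOOB$", re.I),
}

# Ransom-note file names (upper-cased) and the variants the table lists for
# them. _HELP_INSTRUCTION.TXT is shared by four variants, so a note on its own
# identifies only the family; the appended extension pins the variant down.
RANSOM_NOTES = {
    "HELP_YOUR_FILES.HTML": {"Code"},
    "HELP_YOUR_FILES.TXT": {"Code"},
    "#_RESTORING_FILES_#.TXT": {"Wallet"},
    "# RESTORING FILES #.HTML": {"CryptoShield"},
    "# RESTORING FILES #.TXT": {"CryptoShield"},
    "# !!!HELP_FILE!!! #.TXT": {"Revenge"},
    "_HELP_INSTRUCTION.TXT": {"Mole02", "Exte", "Zayka", "Noob"},
    "INTERESTING_INFORMACION_FOR_DECRYPT.TXT": {"Azer"},
}


def match_extension(path):
    """Return the variant whose appended extension ends the file name, else None."""
    name = ntpath.basename(path)  # handles both \ and / separators on any host
    for variant, pattern in EXTENSION_PATTERNS.items():
        if pattern.search(name):
            return variant
    return None


def match_ransom_note(path):
    """Return the set of variants that drop a note with this file name, else None."""
    return RANSOM_NOTES.get(ntpath.basename(path).upper())


def triage(paths):
    """Summarise which Cryptomix variant a list of file paths points to."""
    encrypted = Counter()
    notes = []
    note_candidates = set()
    for path in paths:
        variant = match_extension(path)
        if variant is not None:
            encrypted[variant] += 1
            continue
        candidates = match_ransom_note(path)
        if candidates:
            notes.append(path)
            note_candidates |= candidates
    # Strongest call: a variant supported by both an extension hit and a
    # matching note name. Fall back to extension hits alone if none line up.
    confirmed = {v for v in encrypted if v in note_candidates}
    return {
        "encrypted_by_variant": dict(encrypted),
        "ransom_notes": notes,
        "note_candidates": note_candidates,
        "likely_variants": confirmed or set(encrypted),
    }


# Constructed sample listing (not from a real infection): an Exte-encrypted
# Documents folder plus an Azer-encrypted file on the desktop.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.EXTE",
    r"C:\Users\alice\Documents\photo.jpg.EXTE",
    r"C:\Users\alice\Documents\_HELP_INSTRUCTION.TXT",
    r"C:\Users\alice\Desktop\report.docx-email-[webmafia@asia.com].AZER",
    r"C:\Users\alice\Desktop\INTERESTING_INFORMACION_FOR_DECRYPT.TXT",
    r"C:\Users\alice\Desktop\notes.txt",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PATHS).items():
        print(f"{key}: {value}")
```

Feed it the output of a directory walk of the affected shares. A host with only _HELP_INSTRUCTION.TXT and no matching extension comes back with an empty likely_variants set and four candidates, which is the honest answer: the note alone cannot tell Mole02, Exte, Zayka and Noob apart.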
ACKNOWLEDGMENT – Subject Matter Expert Anita Ladkat | Quick Heal Security Labs
http://blogs.quickheal.com/feed/