Two CryptoMix Ransomware variants emerged in a few days, a circumstance that suggests the operators behind the threat are very active.
Malwarebytes’ researcher Marcelo Rivero has spotted a new variant of the CryptoMix ransomware.
#CryptoMix #Ransomware adds ext ".EXTE" to encrypted files, and the note "_HELP_INSTRUCTION.TXT" – md5: 1059676fbb9d811e88af96716cc1ffb5 pic.twitter.com/Ha4jeRMPEv
— Marcelo Rivero (@MarceloRivero) July 13, 2017
The CryptoMix Malware family was spotted more than a year ago, numerous improvements were added across the time, except for the encryption method that remained the same.
Since the beginning of this year, researchers discovered at least three other CryptoMix variants in the wild, Wallet, CryptoShield, and Mole02.
The last variant observed by Rivero appends the ‘.EXTE’ extension to encrypted files.
Once the ransomware is launched on a computer, it drops a file in the ApplicationData folder and the ransom note in the targeted files’ folders. The ransomware creates a unique ID for each system and sends it to the C&C server.
Authors of the malware ask victims to pay the ransom in Bitcoins and use the email as a communication channel with the victims.
“While overall the encryption methods stay the same in this variant, there have been some differences. First and foremost, we have a new ransom note with a file name of _HELP_INSTRUCTION.TXT. ” wrote the researchers Lawrence Abrams from BleepingComputer.
“The next noticeable change is the extension appended to encrypted files. With this version, when a file is encrypted by the ransomware, it will modify the filename and then append the .EXTE extension to encrypted file’s name. For example, an test file encrypted by this variant has an encrypted file name of 32A1CD301F2322B032AA8C8625EC0768.EXTE.”
Lawrence also remarked that a different variant of the CryptoMix ransomware was observed appending the
. AZER extension to the encrypted files.
Researchers observed that this variant was using a different ransom not ( _INTERESTING_INFORMACION_FOR_DECRYPT.TXT) and different email addressed to receive communications from the victims.
The AZER CryptoMix ransomware is the first malware of the family that works completely offline, its code included ten different RSA-1024 public encryption keys and uses one of them to encrypt the AES key it uses to encrypt the files.
“Last, but not least, this version performs no network communication and is completely offline. It also embeds ten different RSA-1024 public encryption keys, which are listed below. One of these keys will be selected to encrypt the AES key used to encrypt a victim’s files. This is quite different compared to the Mole02 variant, which only included one public RSA-1024 key.” states BleepingComputer.
The same feature was also implemented in the latest EXTE version, the experts observed it also embeds the ten public RSA keys allowing the threat working in absence of connection.
The discovery of two variants of the CryptoMix ransomware in the wild in a few days suggests the operators behind the threat are very active.