It’s named CryptoMix, a new member of the ransomware family. It is recent, uses strong, high-grade encryption, and has now earned a place on our list of the year’s top cyber threats.
What does it do?
It encrypts files and appends extensions such as “EMPTY”, “ERROR”, “ARENA” and, most recently, “WALLET”, then demands a ransom from the victim for decryption.
According to public reports, it was first identified by MalwareHunterTeam. A different but recent member of the same family was found encrypting files and renaming them with the “.ARENA” extension. It does make me wonder whether the ransomware authors are running out of names.
The ransom note is stored in a text file named “_HELP_INSTRUCTION.TXT”.
An interesting fact about this ransomware is that it carries its RSA-1024 encryption keys with it. It can therefore encrypt a victim’s system without going online, so it does not need to reach a command-and-control server before it starts encrypting.
IOC
Below are the IOC details that will help you dig further and research more of its functionality:
SHA256: cc1f3392977fa6e3c8192be483382a0ffd2e2caadbf6d94759ac0c439ddb09bb
MD5: 7a4cf99ab7a08439cc517c7a1f161d78
SHA1: 11b6fca536cbffcb5ad69a443c9f9a5b192050a2
Old Ransom Note:
Hello!
Attention! All Your data was encrypted!
For specific informartion, please send us an email with Your ID number:
[email protected]
[email protected]
[email protected]
We will help You as soon as possible!
DECRYPT-ID- number
Here is what it looks like now:
Behavioral Information:
- Copies itself to C:\Documents and Settings\All Users\Application Data\ under a randomly generated name, e.g. “BC2D64A077.exe”
- Executes the following commands (note the malware’s own “VVS” typo for the VSS service):
  cmd.exe /C sc stop VVS
  cmd.exe /C sc stop wscsvc
  cmd.exe /C sc stop WinDefend
  cmd.exe /C sc stop wuauserv
  cmd.exe /C sc stop BITS
  cmd.exe /C sc stop ERSvc
  cmd.exe /C sc stop WerSvc
  cmd.exe /C vssadmin.exe Delete Shadows /All /Quiet
  cmd.exe /C bcdedit /set {default} recoveryenabled No
  cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
FileVersionInfo and properties
Copyright: (c) 2015 Company Icecream Apps
Product: RacePostings
Internal name: RacePostings
File version: 3.2.71.1
Description: Cmpete Yoke 20 Not
Comments: Cmpete Yoke 20 Not
Registry entries associated with the EMPTY CryptoMix Variant:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"="C:\ProgramData\[Random].exe"
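The behavioural indicators above (the service-stop, vssadmin and bcdedit command lines, and the Run-key entry pointing at a randomly named executable in ProgramData) are the kind of signals a detection rule should key on, since hashes change with every build. The following is an added example, not code from the original post: a small Python detector run over constructed process-creation events and Run-key values that mimic the behaviour described. The sample events, the assumption that the dropped file name is ten hex characters, and the scoring thresholds are mine, not taken from the page.

```python
import re

# Constructed sample data (not from the page), modelled on the behaviour the
# post describes: a handful of process-creation events and two Run-key values.
SAMPLE_PROCESS_EVENTS = [
    {"pid": 1184, "cmdline": "cmd.exe /C sc stop wscsvc"},
    {"pid": 1190, "cmdline": "cmd.exe /C vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 1202, "cmdline": "cmd.exe /C bcdedit /set {default} recoveryenabled No"},
    {"pid": 1210, "cmdline": "cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 1330, "cmdline": "cmd.exe /C dir C:\\Users"},  # benign, should not fire
]

SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "BC2D64A077": r"C:\ProgramData\BC2D64A077.exe",
}

# Services the sample stops, as listed in the post ("VVS" is the malware's own typo;
# "VSS" is included so a corrected build is caught too).
TARGETED_SERVICES = {"vvs", "vss", "wscsvc", "windefend", "wuauserv", "bits", "ersvc", "wersvc"}

SC_STOP = re.compile(r"\bsc(?:\.exe)?\s+stop\s+(\S+)", re.I)
VSSADMIN_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)
BCDEDIT_RECOVERY = re.compile(
    r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+"
    r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)
# Assumption: the dropped copy is named with ten hex characters, as in "BC2D64A077.exe".
RANDOM_PROGRAMDATA_EXE = re.compile(r'^"?C:\\ProgramData\\[0-9A-F]{10}\.exe"?$', re.I)


def classify_cmdline(cmdline):
    """Return a tactic label for a command line, or None if nothing matches."""
    m = SC_STOP.search(cmdline)
    if m and m.group(1).lower() in TARGETED_SERVICES:
        return "defense-evasion:service-stop"
    if VSSADMIN_DELETE.search(cmdline):
        return "impact:shadow-copy-deletion"
    if BCDEDIT_RECOVERY.search(cmdline):
        return "impact:recovery-disabled"
    return None


def detect_process_events(events):
    """Return (pid, label) for every event whose command line matches a rule."""
    hits = []
    for ev in events:
        label = classify_cmdline(ev["cmdline"])
        if label:
            hits.append((ev["pid"], label))
    return hits


def suspicious_run_values(run_values):
    """Return Run-key value names whose data is a random-named exe in ProgramData."""
    return sorted(name for name, data in run_values.items()
                  if RANDOM_PROGRAMDATA_EXE.match(data.strip()))


def score(events, run_values):
    """Combine the signals: two distinct tactics, or persistence plus any tactic, is high."""
    tactics = {label for _, label in detect_process_events(events)}
    persistence = suspicious_run_values(run_values)
    if len(tactics) >= 2 or (persistence and tactics):
        return "high"
    if tactics or persistence:
        return "medium"
    return "none"


if __name__ == "__main__":
    for pid, label in detect_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"pid {pid}: {label}")
    print("persistence:", suspicious_run_values(SAMPLE_RUN_VALUES))
    print("verdict:", score(SAMPLE_PROCESS_EVENTS, SAMPLE_RUN_VALUES))
```

The scoring deliberately requires more than one signal before reporting "high": a lone `sc stop` of BITS or Windows Update is common in legitimate administration, whereas shadow-copy deletion combined with recovery being disabled and a ProgramData Run entry is the sequence the post documents.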