Cryptomix Ransomware – Are they now running out of names?

cryptomix ransomware - a new member of Grenade Team

It’s named Cryptomix, a new member of the ransomware family. It’s new and uses strong, high-grade encryption. And now it has earned a place in our list of the top cyber threats of the year.

What does it do?

It encrypts files and appends extensions such as “EMPTY”, “ERROR”, “ARENA” and, most recently, “WALLET”. It then demands a ransom from the victim for decryption.

According to reports online, it was first identified by MalwareHunter Team. A different but recent member of the same family was discovered encrypting files and renaming them with the extension “.ARENA”. Well, it does make me wonder if the ransomware authors are running out of names.

The ransom note is stored in a text file named “_HELP_INSTRUCTION.TXT”.

An interesting fact about this ransomware is that it carries RSA-1024 encryption keys with it. Therefore, it is able to encrypt the victim’s system without going online.

IOC

Below are the IOC details that will help you dig further and research more of its functionality:

SHA256: cc1f3392977fa6e3c8192be483382a0ffd2e2caadbf6d94759ac0c439ddb09bb
MD5: 7a4cf99ab7a08439cc517c7a1f161d78
SHA1: 11b6fca536cbffcb5ad69a443c9f9a5b192050a2

Old Ransom Note:

Hello!
Attention! All Your data was encrypted!
For specific informartion, please send us an email with Your ID number:
[email protected]
[email protected]
[email protected]
We will help You as soon as possible!
DECRYPT-ID- number

Here is what it looks like now:

Behavioral Information:

  • Copies itself to C:\Documents and Settings\All Users\Application Data\ under a randomly generated name, e.g. “BC2D64A077.exe”
  • Executes the following commands:
cmd.exe" /C sc stop VVS"
cmd.exe" /C sc stop wscsvc"
cmd.exe" /C sc stop WinDefend"
cmd.exe" /C sc stop wuauserv"
cmd.exe" /C sc stop BITS"
cmd.exe" /C sc stop ERSvc"
cmd.exe" /C sc stop WerSvc"
cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet"
cmd.exe" /C bcdedit /set {default} recoveryenabled No"
cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures"

FileVersionInfo and properties

Copyright: (c) 2015 Company Icecream Apps
Product: RacePostings
Internal name: RacePostings
File version: 3.2.71.1
Description: Cmpete Yoke 20 Not
Comments: Cmpete Yoke 20 Not

Registry entries associated with the EMPTY CryptoMix Variant:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"="C:\ProgramData\[Random].exe""
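As an added example (not code from the original post, and not part of the malware), here is a small Python detector that scores process-creation command lines for the service-stop, shadow-copy deletion and bcdedit tampering commands listed above, and flags the Run-key persistence pattern from the registry entry. The sample events, the rule weights and the assumption that the random file name is a hex string (based on the “BC2D64A077.exe” example) are constructed for this example.

```python
import re

# Constructed sample process-creation events (Sysmon event 1 style command
# lines) modelled on the command list above. Not real telemetry from the sample.
SAMPLE_EVENTS = [
    {"pid": 1201, "cmdline": "cmd.exe /C sc stop wscsvc"},
    {"pid": 1202, "cmdline": "cmd.exe /C sc stop WinDefend"},
    {"pid": 1203, "cmdline": "cmd.exe /C vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 1204, "cmdline": "cmd.exe /C bcdedit /set {default} recoveryenabled No"},
    {"pid": 1205, "cmdline": "cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 1300, "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},  # benign
]

# Detection rules: (name, pattern over the command line, weight). Weights are an
# assumption for this example; tune them for your environment. VSS is the real
# shadow copy service name (the command list above shows it as VVS).
RULES = [
    ("stop_security_service",
     re.compile(r"\bsc(\.exe)?\s+stop\s+(wscsvc|WinDefend|wuauserv|BITS|ERSvc|WerSvc|VSS)\b", re.I), 2),
    ("delete_shadow_copies",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b.*?/all", re.I), 5),
    ("disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*?\brecoveryenabled\s+no\b", re.I), 4),
    ("ignore_boot_failures",
     re.compile(r"\bbcdedit(\.exe)?\b.*?\bbootstatuspolicy\s+ignoreallfailures\b", re.I), 4),
]

def classify(cmdline):
    """Return the names of all rules matched by one command line."""
    return [name for name, pat, _ in RULES if pat.search(cmdline)]

def score_host(events, threshold=8):
    """Sum rule weights over a host's events. With these weights, one shadow-copy
    deletion plus any other tampering step crosses the threshold."""
    hits, score = [], 0
    for ev in events:
        for name, pat, weight in RULES:
            if pat.search(ev["cmdline"]):
                hits.append((ev["pid"], name))
                score += weight
    return {"score": score, "hits": hits, "alert": score >= threshold}

# Assumed persistence convention from the registry entry above: a hex-like random
# value name pointing at an exe of the same style placed directly in ProgramData.
RUN_VALUE_RE = re.compile(r'^"?C:\\ProgramData\\[0-9A-F]{8,16}\.exe"?$', re.I)

def suspicious_run_value(value_name, value_data):
    """True when an HKCU Run value points at a random-named exe in ProgramData."""
    return bool(RUN_VALUE_RE.match(value_data)) and \
        re.fullmatch(r"[0-9A-F]{8,16}", value_name, re.I) is not None

if __name__ == "__main__":
    print(score_host(SAMPLE_EVENTS))
```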


