
Cryptomix Ransomware – Are they now running out of names?

It’s named Cryptomix, a new member of the ransomware family. It is new, uses strong, high-grade encryption, and has now earned a place in our list of the top cyber threats of the year.

What does it do?

It encrypts files and renames them with extensions such as “EMPTY”, “ERROR”, “ARENA” and, most recently, “WALLET”. It then demands a ransom from the victim for decryption.

According to reports on the internet, it was first identified by MalwareHunter Team. A different but recent member of the same family was discovered encrypting files and renaming them with the extension “.ARENA”. Well, it does make me wonder if the ransomware authors are running out of names.

The ransom note is stored in a text file named “_HELP_INSTRUCTION.TXT”.

An interesting fact about this ransomware is that it carries its RSA-1024 encryption keys with it. It can therefore encrypt a victim’s system without going online.

IOC

Below are the IOC details that will help you dig further and research more of its functionality:

SHA256: cc1f3392977fa6e3c8192be483382a0ffd2e2caadbf6d94759ac0c439ddb09bb
MD5: 7a4cf99ab7a08439cc517c7a1f161d78
SHA1: 11b6fca536cbffcb5ad69a443c9f9a5b192050a2

Old Ransom Note:

Hello!
Attention! All Your data was encrypted!
For specific informartion, please send us an email with Your ID number:
[email protected]
[email protected]
[email protected]
We will help You as soon as possible!
DECRYPT-ID- number

Here is what it looks like now:

Behavioral Information:

  • Copies itself to C:\Documents and Settings\All Users\Application Data\ under a randomly generated name, e.g. “BC2D64A077.exe”
  • Executes the following commands:
      cmd.exe /C sc stop VVS
      cmd.exe /C sc stop wscsvc
      cmd.exe /C sc stop WinDefend
      cmd.exe /C sc stop wuauserv
      cmd.exe /C sc stop BITS
      cmd.exe /C sc stop ERSvc
      cmd.exe /C sc stop WerSvc
      cmd.exe /C vssadmin.exe Delete Shadows /All /Quiet
      cmd.exe /C bcdedit /set {default} recoveryenabled No
      cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures

FileVersionInfo and properties

Copyright: (c) 2015 Company Icecream Apps
Product: RacePostings
Internal name: RacePostings
File version: 3.2.71.1
Description: Cmpete Yoke 20 Not
Comments: Cmpete Yoke 20 Not

Registry entries associated with the EMPTY CryptoMix Variant:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"="C:\ProgramData\[Random].exe"
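As an added detection example (not code from the original post), the Python script below turns the behaviours listed above, the service stops, the shadow-copy deletion, the bcdedit changes and the Run-key value pointing into C:\ProgramData, into rules run over constructed process and registry telemetry rows, and groups hits by parent process so the whole chain surfaces as one alert. The row format, host names, pids and timestamps are assumptions made for the example.

```python
import re
from collections import defaultdict
# Rules from the command lines on this page; "VVS" is as printed there, VSS is the real Volume Shadow Copy name.
RULES = {
    "service_stop": re.compile(
        r"\bsc(?:\.exe)?\s+stop\s+(?:VVS|VSS|wscsvc|WinDefend|wuauserv|BITS|ERSvc|WerSvc)\b", re.I),
    "shadow_delete": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b.*\s/all\b", re.I),
    "recovery_disable": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+"
        r"(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
}
# Persistence: the HKCU Run value pointing at an executable dropped in C:\ProgramData.
RUN_KEY = re.compile(
    r"regkey=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b.*\bdata=C:\\ProgramData\\[^\\]+\.exe", re.I)
# Constructed row format (assumption): "<timestamp> host=<name> ppid=<parent pid> cmdline=... | regkey=... data=..."
LINE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+ppid=(?P<ppid>\d+)\s+(?P<rest>.*)$")

def analyse(lines):
    """Group rule hits per (host, parent pid): each cmd.exe in the chain above is spawned
    by the same ransomware process, so the whole chain surfaces as a single alert."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # malformed row
        key, rest = (m["host"], int(m["ppid"])), m["rest"]
        cmd = rest.split("cmdline=", 1)[1] if "cmdline=" in rest else ""
        hits[key].update(name for name, rx in RULES.items() if rx.search(cmd))
        if RUN_KEY.search(rest):
            hits[key].add("run_key_persistence")
    alerts = []
    for (host, ppid), names in hits.items():
        # Shadow-copy deletion or boot-recovery tampering is high on its own; a lone service
        # stop (which an admin may legitimately run) is reported only when chained with more.
        if names & {"shadow_delete", "recovery_disable"}:
            severity = "high"
        elif len(names) >= 2:
            severity = "medium"
        else:
            continue
        alerts.append({"host": host, "ppid": ppid, "severity": severity, "behaviours": sorted(names)})
    return sorted(alerts, key=lambda a: (a["host"], a["ppid"]))
# Constructed sample telemetry: one CryptoMix-style chain on WS01 plus benign noise on WS02.
SAMPLE = [
    r"2017-09-04T10:02:11 host=WS01 ppid=4120 cmdline=cmd.exe /C sc stop WinDefend",
    r"2017-09-04T10:02:12 host=WS01 ppid=4120 cmdline=cmd.exe /C vssadmin.exe Delete Shadows /All /Quiet",
    r"2017-09-04T10:02:12 host=WS01 ppid=4120 cmdline=cmd.exe /C bcdedit /set {default} recoveryenabled No",
    r"2017-09-04T10:02:13 host=WS01 ppid=4120 regkey=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=BC2D64A077 data=C:\ProgramData\BC2D64A077.exe",
    r"2017-09-04T10:05:00 host=WS02 ppid=880 cmdline=cmd.exe /C sc stop BITS",
]
```

Running analyse(SAMPLE) yields a single high-severity alert for WS01 parent pid 4120 listing all four behaviours, while the lone service stop on WS02 produces nothing.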
