New Version of CryptoMix Ransomware Adds .EXTE Extension to the Encrypted Files

Security experts have noticed a new version of the CryptoMix ransomware, which appends the .EXTE extension to the encrypted files.

The CryptoMix ransomware family was first spotted about a year ago and has been updated a number of times since, though only a few of those updates were major changes. While the file extension and the ransom note have changed from version to version, the encryption method has stayed largely the same.

Once installed on the victim's computer, CryptoMix drops a file in the ApplicationData folder and writes a ransom note into each folder in which it encrypts files.

Before it starts encrypting files with AES, the ransomware adds a series of registry keys, generates a unique victim ID and sends it to a remote server.

The ransom note instructs victims to contact the malware authors by email and demands payment in Bitcoin.

The latest version was found by Marcelo Rivero, who reports that it uses the same encryption method as previous iterations and has received only minor updates.

The new variant appends the .EXTE extension to encrypted file names and drops a new ransom note named _HELP_INSTRUCTION.TXT (last year's CryptoMix used HELP_YOUR_FILES.TXT).

In the latest campaign, victims are told to contact the attackers at exte1@msgden.net, exte2@protonmail.com or exte3@reddithub.com to receive payment instructions.

Since the beginning of this year, at least three other CryptoMix variants have been observed: Wallet, CryptoShield and Mole02. More recently, researchers spotted another version that appends the .AZER extension to encrypted files, drops the _INTERESTING_INFORMACION_FOR_DECRYPT.TXT ransom note and lists the webmafia@asia.com and donald@trampo.info email addresses.

The AZER iteration performs no network communication at all and works completely offline. Instead of fetching a key from a server, it embeds ten different RSA-1024 public keys and uses one of them to encrypt the AES key with which it encrypts the files. Because only the attackers hold the matching private keys, neither the sample nor the encrypted files contain anything from which the AES key can be recovered.

Since the EXTE version also embeds ten public RSA keys, it can operate offline as well, and the appearance of the two variants within a week of each other shows that their author is actively developing the family.
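The indicators given above (the .EXTE and .AZER extensions, the ransom-note filenames and the contact addresses) can be turned into a quick host triage check. The following is an added example, not code from the article or from the researchers it cites. It assumes a directory tree to scan; the demo tree it builds in a temporary folder is constructed for illustration, and it names encrypted files by appending the extension to the original name, as the article describes.

```python
"""Triage scan for CryptoMix EXTE/AZER artifacts in a directory tree.

Added example, not code from the original article or from any named
researcher. It walks a directory, counts files carrying the .EXTE or .AZER
extension, locates the ransom-note filenames named in the article, and
checks whether a note lists the contact addresses quoted there. The demo
tree built by build_demo_tree() is constructed for illustration only.
"""
import os
import re
import shutil
import tempfile
from collections import Counter

# Indicators taken from the article text; nothing here is fetched at runtime.
ENCRYPTED_EXTENSIONS = {".exte": "EXTE", ".azer": "AZER"}
RANSOM_NOTES = {
    "_HELP_INSTRUCTION.TXT": "EXTE",
    "_INTERESTING_INFORMACION_FOR_DECRYPT.TXT": "AZER",
    "HELP_YOUR_FILES.TXT": "CryptoMix (2016)",
}
CONTACT_ADDRESSES = {
    "exte1@msgden.net": "EXTE",
    "exte2@protonmail.com": "EXTE",
    "exte3@reddithub.com": "EXTE",
    "webmafia@asia.com": "AZER",
    "donald@trampo.info": "AZER",
}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def scan_tree(root):
    """Walk root and return a summary of CryptoMix indicators found under it."""
    encrypted = Counter()      # variant label -> number of encrypted files
    notes = []                 # (relative path, variant label) per ransom note
    contacts = Counter()       # known contact address -> occurrences in notes
    affected_dirs = set()      # directories (relative) holding encrypted files
    note_dirs = set()          # directories (relative) holding a ransom note
    for dirpath, _subdirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in ENCRYPTED_EXTENSIONS:
                encrypted[ENCRYPTED_EXTENSIONS[ext]] += 1
                affected_dirs.add(rel_dir)
            if name.upper() in RANSOM_NOTES:
                notes.append((os.path.join(rel_dir, name), RANSOM_NOTES[name.upper()]))
                note_dirs.add(rel_dir)
                with open(os.path.join(dirpath, name), "r", errors="replace") as fh:
                    for addr in EMAIL_RE.findall(fh.read()):
                        if addr.lower() in CONTACT_ADDRESSES:
                            contacts[addr.lower()] += 1
    return {
        "encrypted": dict(encrypted),
        "notes": notes,
        "contacts": dict(contacts),
        # Encrypted files with no note alongside them: the note drop may have
        # failed or the note was removed, so these folders deserve a manual look.
        "dirs_without_note": sorted(affected_dirs - note_dirs),
    }


def variants_present(summary):
    """Variant labels the summary points to, from extensions, notes and contacts."""
    found = set(summary["encrypted"])
    found.update(variant for _path, variant in summary["notes"])
    found.update(CONTACT_ADDRESSES[addr] for addr in summary["contacts"])
    return sorted(found)


def build_demo_tree():
    """Create a constructed directory resembling an EXTE infection; return its path."""
    root = tempfile.mkdtemp(prefix="cryptomix_demo_")
    docs = os.path.join(root, "Documents")
    pics = os.path.join(root, "Pictures")
    os.makedirs(docs)
    os.makedirs(pics)
    # Encrypted files: the article says the variant appends .EXTE to the name.
    for name in ("report.docx.EXTE", "budget.xlsx.EXTE"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(os.urandom(64))  # placeholder ciphertext, constructed
    with open(os.path.join(pics, "holiday.jpg.EXTE"), "wb") as fh:
        fh.write(os.urandom(64))
    with open(os.path.join(docs, "notes.txt"), "w") as fh:
        fh.write("untouched file\n")
    # Ransom note in Documents only; Pictures has encrypted files but no note.
    with open(os.path.join(docs, "_HELP_INSTRUCTION.TXT"), "w") as fh:
        fh.write("Your files are encrypted. Contact exte1@msgden.net, "
                 "exte2@protonmail.com or exte3@reddithub.com for instructions.\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    try:
        result = scan_tree(demo_root)
        for key, value in result.items():
            print(f"{key}: {value}")
        print("variants:", variants_present(result))
    finally:
        shutil.rmtree(demo_root)
```

Point scan_tree() at a mounted image or a suspect user profile rather than the demo tree; the dirs_without_note list is the part worth reading first on a real host, since a folder full of .EXTE files with no note beside it means either the run was interrupted or the note was cleaned up before collection.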
