A gang of crooks calling themselves the Charity Team has created a new strain of ransomware. Their twist is to encourage victims to pay the ransom by promising that part of the money will go to a children’s charity.
According to Heimdal Security researchers, the new ransomware first appeared last week, though some samples of the same ransomware were noted more than a month ago.
After taking a closer look at the ransomware, the security researcher Nyxbone said that this threat is a combination of other ransomware families, such as CryptoWall 3.0, CryptoWall 4.0 and the more recent CryptXXX. For that reason, the researcher called the ransomware CryptMix.
Usually, CryptMix infections occur via spam email, which contains links to malicious websites. Users who access these websites are targeted with exploit kits that leverage vulnerabilities in the users’ browsers and their plugins to install CryptMix.
After CryptMix reaches a victim’s PC, it starts the encryption process automatically. What sets it apart is the number of file types it searches for and encrypts: a whopping 862.
CryptMix infections can be identified by the .code file extension that they add at the end of each encrypted file.
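The `.code` extension is the quickest indicator a responder has, but on its own it only tells you a file was renamed. The following triage script is an added example, not code from Heimdal Security or Nyxbone: it walks a directory tree, collects every file ending in `.code`, and uses a Shannon entropy check (the 7.0 bits-per-byte threshold is an assumption) to separate files whose content really looks encrypted from files that merely carry the extension. It also reports which directories were hit and the earliest modification time among encrypted files, which approximates when encryption began. The sample tree it builds is constructed, not real victim data.

```python
import math
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".code"   # extension CryptMix appends to each file it encrypts (from the article)
ENTROPY_THRESHOLD = 7.0   # assumed cut-off in bits per byte; encrypted/random data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def triage(root) -> dict:
    """Walk `root`, collect every *.code file and decide per file whether its content
    looks encrypted (high entropy) or just happens to carry the extension.
    Returns a summary a responder can act on."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() != ENCRYPTED_EXT:
            continue
        data = path.read_bytes()
        ent = shannon_entropy(data)
        hits.append({
            "path": str(path),
            "size": len(data),
            "entropy": round(ent, 2),
            "likely_encrypted": ent >= ENTROPY_THRESHOLD,
            "mtime": path.stat().st_mtime,
        })
    encrypted = [h for h in hits if h["likely_encrypted"]]
    return {
        "files_with_ext": len(hits),
        "likely_encrypted": len(encrypted),
        "false_positives": len(hits) - len(encrypted),
        "directories_hit": sorted({str(Path(h["path"]).parent) for h in encrypted}),
        # earliest mtime among encrypted files approximates when the encryption run started
        "earliest_mtime": min((h["mtime"] for h in encrypted), default=None),
        "hits": hits,
    }


def build_sample_tree() -> str:
    """Constructed sample tree (not real victim data): two 'encrypted' files made of random
    bytes, one plain-text file that merely ends in .code, and one untouched file."""
    root = tempfile.mkdtemp(prefix="cryptmix-triage-")
    docs = Path(root, "Documents")
    pics = Path(root, "Pictures")
    docs.mkdir()
    pics.mkdir()
    Path(docs, "report.docx.code").write_bytes(os.urandom(4096))
    Path(pics, "holiday.jpg.code").write_bytes(os.urandom(4096))
    Path(docs, "notes.code").write_text("plain text that only looks suspicious\n" * 40)
    Path(docs, "todo.txt").write_text("buy milk\n")
    return root


if __name__ == "__main__":
    summary = triage(build_sample_tree())
    for h in summary["hits"]:
        label = "ENCRYPTED" if h["likely_encrypted"] else "ext only "
        print(f"{label} {h['entropy']:>5} {h['path']}")
    print(f"{summary['likely_encrypted']} likely encrypted, "
          f"{summary['false_positives']} false positive(s)")
```

Run it against a mounted image of the affected disk rather than the live system, and treat `earliest_mtime` as a lead for log review, not as proof: the ransomware may touch files in an order that does not match the timestamps.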
Once the encryption process ends, CryptMix adds ransom notes on the infected computers. According to Nyxbone, the ransomware borrows the HTML ransom note from CryptXXX and the text-based ransom note from CryptoWall.
The ransom note informs the PC user that their files were locked with an RSA-2048 algorithm, gives them an ID, and urges them to send an email to one of two email addresses (xoomx[@]dr.com and xoomx[@]usa.com) so that they can recover their files.
The hackers answer the victim’s email and provide them with a link and a password to the One Time Secret service – a website which lets users share password-protected messages.
The above-mentioned website contains the actual message from the CryptMix creator, which tells the victim that they have to pay 5 Bitcoin (approx. $2,200) to recover their files.
Compared to what other ransomware families ask for, 5 Bitcoin is an excessive amount. Nevertheless, the CryptMix author is no novice: he uses two tricks to “convince” users to pay.
First, he tries to convince the victim that some of the ransom money will go to a children’s charity; then he threatens that the sum will double within 24 hours if they don’t pay immediately.
What is most interesting in this case, though, is that somewhere in the ransom message the hacker promises three years of “FREE tech support,” as if any user would ever accept tech support from a ransomware creator.
Unfortunately, there is no way to decrypt files locked by CryptMix at this point, so beyond restoring from a clean, offline backup, victims have little they can do.