A new version of the CryptoMix ransomware, also known as CrypMix, has appeared. The new build is called CryptoShield 1.0, or CryptoShield for short. The infection was first spotted by ProofPoint security researcher Kafeine. The expert reported that this variant uses the EITest script and the RIG exploit kit for its distribution.
The infection process of CryptoShield 1.0 in detail
CryptoShield is spread through websites. Compromised and hacked domains that carry the EITest script are responsible for distributing the ransomware. EITest is malicious JavaScript injected into the page. It is executed as soon as the compromised website is opened. The attack chain then loads the RIG exploit kit, which downloads CryptoShield to the hard drive and installs it.
In short, the only action required of the victim is visiting a malicious website. From that point on, the process is automated and needs no further interaction from the user for the ransomware to reach the machine. The EITest script and the RIG exploit kit are not hosted on the same website. When the script runs, it loads code that retrieves the exploit kit from a second site. The exploit kit then downloads and installs CryptoShield.
Exploit kits are only effective when there is a weakness on the targeted computer they can use. The kit probes for vulnerabilities in the programs installed on your PC. Programs that handle web content and online documents are the most likely to be exploited. This includes the default Windows applications, Oracle Java, Adobe Flash and Adobe Reader. To protect your system from such attacks, keep your programs up to date and check regularly that the latest versions are installed.
The encryption process of CryptoShield 1.0
The first task on the agenda of CryptoShield upon entering a computer is to generate a unique ID number and a private encryption key. The ID and the key are uploaded to a command and control server.
Once the necessary data has been created and stored, the encryption begins. CryptoShield scans the system for designated files and encrypts every object it finds. The ransomware targets a total of 454 formats.
CryptoShield uses a combination of the AES-256 encryption algorithm and the ROT-13 cipher to lock files. AES stands for Advanced Encryption Standard. It is one of the most widely used ciphers because of its effectiveness, and it comes in several variants depending on key length. ROT-13 stands for “rotate by 13 places”. It is a very simple substitution cipher that provides no security on its own; layered on top of another algorithm, it makes the scheme more convoluted, while the actual cryptographic strength comes from AES.
The virus appends the .CRYPTOSHIELD suffix to the names of the encrypted files. It creates two ransom notes, titled # RESTORING FILES #.html and # RESTORING FILES #.txt. CryptoShield drops copies of them in every folder which contains encrypted files.
CryptoShield takes measures to prevent victims from recovering their files by other means. The virus takes the Windows Startup Recovery function out of the equation by issuing a command that disables it. The ransomware also deletes the shadow volume copies of the encrypted files. In this way CryptoShield removes the victim's options for restoring files on their own.
The next task on the agenda of the ransomware is to display a fake alert stating that the Explorer.exe process has encountered an error. The window is graphically similar to a system notification. There is still a way to tell that it is fake, though: the text contains grammatical and spelling errors. The word “memory” is written correctly in the first instance, but wrongly in the second. The other mistake is the phrase “for restore work explorer.exe”, which makes no sense lexically. If this message appears on your screen, CryptoShield has already penetrated your system.
At this stage, the ransomware has already completed the encryption procedure. It is too late for your files. When you click the OK button to close the window, a User Account Control (UAC) prompt appears. It asks the user to allow a program called WMI Commandline Utility to create an executable named SmartScreen.exe.
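The recovery sabotage described earlier (shadow copies deleted, Startup Recovery disabled) and the WMI Commandline Utility launching SmartScreen.exe from the UAC prompt are process-creation events a defender can alert on. The following is an added example, not code from the article or from any vendor: it scans constructed, Sysmon Event ID 1 style log records (field names assumed) for those behaviours; the article does not quote CryptoShield's exact command lines, so the patterns used are the commonly observed ones and are an assumption.

```python
import re
from typing import Dict, List

# Constructed sample events in a Sysmon Event ID 1 style (field names assumed).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\bcdedit.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"Image": r"C:\Users\victim\AppData\Roaming\SmartScreen.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"C:\Users\victim\AppData\Roaming\SmartScreen.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

# Command-line patterns that sabotage recovery (assumed typical forms, not quoted from the article).
RECOVERY_SABOTAGE = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "shadow copy deletion via vssadmin"),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), "shadow copy deletion via wmic"),
    (re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I), "startup recovery disabled via bcdedit"),
]


def check_event(event: Dict[str, str]) -> List[str]:
    """Return the findings for one process-creation event (empty list if nothing suspicious)."""
    findings = []
    cmd = event.get("CommandLine", "")
    for pattern, label in RECOVERY_SABOTAGE:
        if pattern.search(cmd):
            findings.append(label)
    # A SmartScreen.exe started by wmic from outside System32 mimics a legitimate
    # Windows component; the genuine binary lives under %SystemRoot%\System32.
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    if (image.endswith(r"\smartscreen.exe")
            and not image.startswith(r"c:\windows\system32")
            and parent.endswith(r"\wmic.exe")):
        findings.append("wmic launched SmartScreen.exe outside System32")
    return findings


def scan_events(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each event's Image to its findings, keeping only events that triggered something."""
    return {e["Image"]: f for e in events if (f := check_event(e))}


if __name__ == "__main__":
    for image, findings in scan_events(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(findings))
```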
If you click the “Yes” button, the ransomware opens the # RESTORING FILES #.html ransom note. This is the more detailed of the two notes. It starts by explaining what has happened to your files, then gives instructions on how to pay the ransom and how to request the decryption key. The victim's personal ID is listed at the bottom. Three email addresses are given for contacting the operators of CryptoShield: restoring_sup@india.com, restoring_sup@computer4u.com, and restoring_reserve@india.com.