CryptoMix or CrypMix Ransomware Help Topic (.REVENGE & .Cryptoshield extensions)


47 replies to this topic

#1 CodeRansom (Members)

Posted 22 April 2016 - 02:47 AM

Hello,

 

Server hit with new variant that has changed file extension to id_7cb3b7bc1b34fa_email_xoomx@dr.com_.code and seems to have focussed on Office documents. The file Backup Instruction.exe was found in each of the encrypted folders as far as I can tell. 

 

See https://www.virustotal.com/en/file/004cdc6996225f244aef124edc72f90434a872b3d4fa56d5ebc2655473733aef/analysis/ and https://www.hybrid-analysis.com/sample/004cdc6996225f244aef124edc72f90434a872b3d4fa56d5ebc2655473733aef?environmentId=4 which mentions the IP address of the CC server.

 

UPDATE: I think the payload file is in %appdata%\Local\Temp\Low\9985.tmp.exe

 

UPDATE 2: Looking at the machine where this came from, there are two entries at startup (as shown in MSConfig): WZZKIXq, publisher "SynapicosSoft, Corporation.", and AdobeFlashPlayerSoftWare, publisher unknown. The registry (HKCU\Software\Microsoft\Windows\Run) has these two as Adobe Reader Updater SoftWare (pointing to the 9985.tmp.exe file above) and AdobeFlashPlayersSoftWare (pointing to an AdobeFlashPlayer_7cb3b7bc1b34fa.exe), which matches the string inserted into the new file extension above. It could be that it has come down as a fake Adobe Flash Player update?

 

Thanks


Edited by quietman7, 31 August 2016 - 01:24 PM.
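An added triage helper, not code from the thread or any of its posters: it parses the extension scheme described in the post above (name.id_<hex id>_email_<address>_.code), groups encrypted files by victim id and contact address, and checks whether a persistence file named AdobeFlashPlayer_<id>.exe carries the same id as the extensions. The sample file listing is constructed, not taken from a real machine.

```python
import re
from collections import defaultdict

# Extension scheme reported in the thread: <original name>.id_<hex id>_email_<address>_.code
ENCRYPTED_RE = re.compile(
    r"^(?P<orig>.+)\.id_(?P<vid>[0-9a-f]+)_email_(?P<email>[^_]+)_\.code$",
    re.IGNORECASE,
)
# Persistence executable from the Run key, named after the same victim id
PERSIST_RE = re.compile(r"^AdobeFlashPlayer_(?P<vid>[0-9a-f]+)\.exe$", re.IGNORECASE)


def parse_encrypted_name(name):
    """Return (original name, victim id, contact email), or None if the name
    does not follow the CryptoMix-style extension scheme."""
    m = ENCRYPTED_RE.match(name)
    if not m:
        return None
    return m.group("orig"), m.group("vid").lower(), m.group("email")


def triage(filenames):
    """Group encrypted files by (victim id, email) and report whether every
    persistence executable found matches an id seen in the extensions."""
    by_id = defaultdict(list)
    persist_ids = set()
    for name in filenames:
        parsed = parse_encrypted_name(name)
        if parsed:
            orig, vid, email = parsed
            by_id[(vid, email)].append(orig)
            continue
        pm = PERSIST_RE.match(name)
        if pm:
            persist_ids.add(pm.group("vid").lower())
    ext_ids = {vid for vid, _ in by_id}
    return {
        "encrypted": {f"{vid}/{email}": sorted(v) for (vid, email), v in by_id.items()},
        "persist_ids": sorted(persist_ids),
        # True only when a persistence file exists and its id is also in the extensions
        "id_match": bool(persist_ids) and persist_ids <= ext_ids,
    }


# Constructed sample listing; the id and address mirror the thread's example
SAMPLE = [
    "Q3 report.docx.id_7cb3b7bc1b34fa_email_xoomx@dr.com_.code",
    "budget.xlsx.id_7cb3b7bc1b34fa_email_xoomx@dr.com_.code",
    "Backup Instruction.exe",
    "AdobeFlashPlayer_7cb3b7bc1b34fa.exe",
    "notes.txt",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```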



#2 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor)

Posted 22 April 2016 - 09:07 AM

Hello,
 
Server hit with new variant that has changed file extension to id_7cb3b7bc1b34fa_email_xoomx@dr.com_.code and seems to have focussed on Office documents. The file Backup Instruction.exe was found in each of the encrypted folders as far as I can tell. 
 
See https://www.virustotal.com/en/file/004cdc6996225f244aef124edc72f90434a872b3d4fa56d5ebc2655473733aef/analysis/ and https://www.hybrid-analysis.com/sample/004cdc6996225f244aef124edc72f90434a872b3d4fa56d5ebc2655473733aef?environmentId=4 which mentions the IP address of the CC server.
 
UPDATE: I think the payload file is in %appdata%\Local\Temp\Low\9985.tmp.exe
 
UPDATE 2: Looking at the machine where this came from, there are two entries at startup (as shown in MSConfig): WZZKIXq, publisher "SynapicosSoft, Corporation.", and AdobeFlashPlayerSoftWare, publisher unknown. The registry (HKCU\Software\Microsoft\Windows\Run) has these two as Adobe Reader Updater SoftWare (pointing to the 9985.tmp.exe file above) and AdobeFlashPlayersSoftWare (pointing to an AdobeFlashPlayer_7cb3b7bc1b34fa.exe), which matches the string inserted into the new file extension above. It could be that it has come down as a fake Adobe Flash Player update?
 
Thanks

Can you upload the AdobeFlashPlayer_7cb3b7bc1b34fa.exe to VirusTotal too?
 
It's possible that it has, can't say for sure but the malware definitely seems to be posing as such to look legit. If you need help cleaning the computer, let us know and we can redirect you to the correct forum. We'll have a look into it.
 
xXToffeeXx~




#3 Struppigel (Karsten Philipp Boris Hahn, G DATA Malware Analyst, Malware Response Team)

Posted 02 May 2016 - 09:25 AM

The ransomware is called CryptoMix. See here: http://www.nyxbone.com/malware/CryptoMix.html



#4 CodeRansom (Topic Starter)

Posted 04 May 2016 - 02:34 AM

Hi,

 

I wasn't able to track down this file, but it doesn't look like any AV removed it in the process of scanning, as far as I can tell, which is odd. It looks like this is the CryptoMix variant, as stated above.

 

Thanks



#5 NINTR (Members)

Posted 31 August 2016 - 06:46 PM

I was just hit by it, too. This is my third issue with an encryption virus in the last year. It's ridiculous. I never download ANYTHING and I still get them, so it has to be something that is infiltrating my system without my acknowledgement.



#6 cybercynic (Members)

Posted 31 August 2016 - 07:09 PM

As you can see, there is very little information available on the forum regarding CryptoMix; it appears to be relatively uncommon. From what I have found, it is not currently decryptable.

 

You should backup the encrypted files in hopes of a future solution.

 

You can clean your computer with Malwarebytes (free edition) / Hitman Pro (free 30-day trial) / Emsisoft. 2 of 3 would be good.

 

As far as re-infections go, make sure your AV is up-to-date, make sure all Windows updates have been installed, make sure that Java, Adobe Flash, Adobe Reader, etc., have the latest updates if you use them - they are not terribly secure programs.

 

Also, make sure you avoid dodgy websites, and be especially leery of email attachments, even if they appear to come from friends. Lots of ransomware sneaks in this way (it's called social engineering). Finally, don't ever click on links in emails; you could be led down a dark alley.

 

This is all I can do for you - I'm not one of the resident gurus, here. I'm sure if they have something to add, they'll pipe up. 

 

Good Luck!!!




#7 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 31 August 2016 - 07:23 PM

I had these links in my notes so I will post them here.

CryptoMix Ransomware: What You Should Know
#cryptomix

#8 espritlibre (Members)

Posted 20 September 2016 - 05:46 PM

Got this ransomware today. -_-

I think I've just seen the infected email using Thunderbird.

I've not opened the attached .zip file, I just deleted the email.

I can't explain how it has been executed!

 

Any news about decrypting files?


Edited by espritlibre, 20 September 2016 - 05:47 PM.


#9 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 20 September 2016 - 06:17 PM

Nothing new that I am aware of.

#10 goodsamaritan (Members)

Posted 25 September 2016 - 11:46 PM

As mentioned in my other topic (

When we emailed the criminal about this, he said it should work and said we should send him a test file and he'll see what he can do.

After sending him one we have not gotten a response since (this was in June).

 

I have the decryption tool, the unencrypted file and the encrypted file. I'm no programmer, but I can't understand how, between those 3 things, some programmer can't figure out a proper decryption tool for all of us hit by this ransomware.

 

Any of the BC mods that have the technical skill to do this?



#11 goodsamaritan (Members)

Posted 02 October 2016 - 01:58 AM

Anyone? Willing to pay; we are desperate.



#12 b3nste1n (Members)

Posted 14 October 2016 - 01:48 PM

Please help! Anyone? Got hit with this and the criminals are asking for 10 bitcoins! :ranting:



#13 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 14 October 2016 - 01:56 PM

Did you submit samples to ID Ransomware for confirmation?

As I advised in your other topic, you could be dealing with Zeta Ransomware.

#14 b3nste1n (Members)

Posted 14 October 2016 - 02:02 PM

Did you submit samples to ID Ransomware for confirmation?

As I advised in your other topic, you could be dealing with Zeta Ransomware.

 

Yes, and it ID'd it as the CryptoMix variant.

 

Thanks



#15 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 14 October 2016 - 02:06 PM

Ok... then I will close your other topic to avoid confusion.

Unfortunately, I am not aware of any way to decrypt CryptoMix encrypted data without paying the ransom.