A new CryptoMix, or CrypMix, variant called CryptoShield 1.0 Ransomware has been discovered by ProofPoint security researcher Kafeine being distributed via EITest and the RIG exploit kit.

As a note, in this article I will be calling this ransomware CryptoShield as that will most likely be how the victim's refer to it. It is important to remember, though, that this ransomware is not a brand new infection, but rather a variant of the CryptoMix ransomware family.

How Victim's Become Infected with CryptoShield 1.0

CryptoShield is being distributed through sites that have been hacked or compromised so that when a visitor goes to the site, they will encounter the EITest attack chain. EITest is a JavaScript attack code that is injected into sites so that it will be executed by visitors. In the attack chain noted by Kafeine, EITest will load the RIG exploit kit that will further download and install the CryptoShield ransomware on the visitors computer.

This attack can be seen below where a visitor goes to the compromised site and encounter the EITest script.  This script then launches code from another site that activates the exploit kit in order to install CryptoShield. 

Rig Exploit Kit
Rig Exploit Kit Traffic
Source: Kafeine

As exploit kits use vulnerabilities in installed program to infect a computer, it is important that users make sure that all programs have the current updates installed. This is especially true for those programs that interact with online documents or sites. This means that updates for programs like Adobe Flash & Reader, Oracle Java, and Windows should always be installed when they are made available.

How the CryptoShield 1.0 Variant Encrypts a Victim's Files

Once the ransomware executable is downloaded and executed on the victim's computer, it will generate a unique ID for the victim and an encryption key. The infection will then upload the unique ID and private encryption key to its Command & Control server. It will then proceed to scan the computer for targeted files and encrypt them.

The list of extensions targeted by CryptoShield are:

.ACCDB, .MDB, .MDF, .DBF, .VPD, .SDF, .SQLITEDB, .SQLITE3, .SQLITE, .SQL, .SDB, .DOC, .DOCX, .ODT, .XLS, .XLSX, .ODS, .PPT, .PPTX, .ODP, .PST, .DBX, .WAB, .TBK, .PPS, .PPSX, .PDF, .JPG, .TIF, .PUB, .ONE, .RTF, .CSV, .DOCM, .XLSM, .PPTM, .PPSM, .XLSB, .DOT, .DOTX, .DOTM, .XLT, .XLTX, .XLTM, .POT, .POTX, .POTM, .XPS, .WPS, .XLA, .XLAM, .ERBSQL, .SQLITE-SHM, .SQLITE-WAL, .LITESQL, .NDF, .OST, .PAB, .OAB, .CONTACT, .JNT, .MAPIMAIL, .MSG, .PRF, .RAR, .TXT, .XML, .ZIP, .1CD, .3DS, .3G2, .3GP, .7Z, .7ZIP, .AOI, .ASF, .ASP, .ASPX, .ASX, .AVI, .BAK, .CER, .CFG, .CLASS, .CONFIG, .CSS, .DDS, .DWG, .DXF, .FLF, .FLV, .HTML, .IDX, .JS, .KEY, .KWM, .LACCDB, .LDF, .LIT, .M3U, .MBX, .MD, .MID, .MLB, .MOV, .MP3, .MP4, .MPG, .OBJ, .PAGES, .PHP, .PSD, .PWM, .RM, .SAFE, .SAV, .SAVE, .SRT, .SWF, .THM, .VOB, .WAV, .WMA, .WMV, .3DM, .AAC, .AI, .ARW, .C, .CDR, .CLS, .CPI, .CPP, .CS, .DB3, .DRW, .DXB, .EPS, .FLA, .FLAC, .FXG, .JAVA, .M, .M4V, .MAX, .PCD, .PCT, .PL, .PPAM, .PS, .PSPIMAGE, .R3D, .RW2, .SLDM, .SLDX, .SVG, .TGA, .XLM, .XLR, .XLW, .ACT, .ADP, .AL, .BKP, .BLEND, .CDF, .CDX, .CGM, .CR2, .CRT, .DAC, .DCR, .DDD, .DESIGN, .DTD, .FDB, .FFF, .FPX, .H, .IIF, .INDD, .JPEG, .MOS, .ND, .NSD, .NSF, .NSG, .NSH, .ODC, .OIL, .PAS, .PAT, .PEF, .PFX, .PTX, .QBB, .QBM, .SAS7BDAT, .SAY, .ST4, .ST6, .STC, .SXC, .SXW, .TLG, .WAD, .XLK, .AIFF, .BIN, .BMP, .CMT, .DAT, .DIT, .EDB, .FLVV, .GIF, .GROUPS, .HDD, .HPP, .M2TS, .M4P, .MKV, .MPEG, .NVRAM, .OGG, .PDB, .PIF, .PNG, .QED, .QCOW, .QCOW2, .RVT, .ST7, .STM, .VBOX, .VDI, .VHD, .VHDX, .VMDK, .VMSD, .VMX, .VMXF, .3FR, .3PR, .AB4, .ACCDE, .ACCDR, .ACCDT, .ACH, .ACR, .ADB, .ADS, .AGDL, .AIT, .APJ, .ASM, .AWG, .BACK, .BACKUP, .BACKUPDB, .BANK, .BAY, .BDB, .BGT, .BIK, .BPW, .CDR3, .CDR4, .CDR5, .CDR6, .CDRW, .CE1, .CE2, .CIB, .CRAW, .CRW, .CSH, .CSL, .DB_JOURNAL, .DC2, .DCS, .DDOC, .DDRW, .DER, .DES, .DGC, .DJVU, .DNG, .DRF, .DXG, .EML, .ERF, .EXF, .FFD, .FH, .FHD, .GRAY, .GREY, .GRY, .HBK, .IBANK, .IBD, .IBZ, .IIQ, .INCPAS, .JPE, .KC2, .KDBX, .KDC, .KPDX, .LUA, .MDC, .MEF, .MFW, .MMW, .MNY, .MONEYWELL, .MRW, .MYD, .NDD, .NEF, .NK2, .NOP, .NRW, .NS2, .NS3, .NS4, .NWB, .NX2, .NXL, .NYF, .ODB, .ODF, .ODG, .ODM, .ORF, .OTG, .OTH, .OTP, .OTS, .OTT, .P12, .P7B, .P7C, .PDD, .MTS, .PLUS_MUHD, .PLC, .PSAFE3, .PY, .QBA, .QBR, .QBW, .QBX, .QBY, .RAF, .RAT, .RAW, .RDB, .RWL, .RWZ, .S3DB, .SD0, .SDA, .SR2, .SRF, .SRW, .ST5, .ST8, .STD, .STI, .STW, .STX, .SXD, .SXG, .SXI, .SXM, .TEX, .WALLET, .WB2, .WPD, .X11, .X3F, .XIS, .YCBCRA, .YUV, .MAB, .JSON, .MSF, .JAR, .CDB, .SRB, .ABD, .QTB, .CFN, .INFO, .INFO_, .FLB, .DEF, .ATB, .TBN, .TBB, .TLX, .PML, .PMO, .PNX, .PNC, .PMI, .PMM, .LCK, .PM!, .PMR, .USR, .PND, .PMJ, .PM, .LOCK, .SRS, .PBF, .OMG, .WMF, .SH, .WAR, .ASCX, .K2P, .APK, .ASSET, .BSA, .D3DBSP, .DAS, .FORGE, .IWI, .LBF, .LITEMOD, .LTX, .M4A, .RE4, .SLM, .TIFF, .UPK, .XXX, .MONEY, .CASH, .PRIVATE, .CRY, .VSD, .TAX, .GBR, .DGN, .STL, .GHO, .MA, .ACC, .DB

When CryptoShield encounters a targeted file it will encrypt it using AES-256 encryption, encrypt the filename using ROT-13, and then append the .CRYPTOSHIELD extension to the encrypted file. For example, a file called test.jpg would be encrypted and renamed as grfg.wct.CRYPTOSHIELD.  You can decrypt the filenames by using any ROT-13 encryptor, such as rot13.com.

In each folder that CryptoShield encrypts a file, it will also create ransom notes named # RESTORING FILES #.HTML and # RESTORING FILES #.TXT.

Encrypted Files
Encrypted Files

During this process, the ransomware will issue the following commands to disable the Windows startup recovery and to clear the Windows Shadow Volume Copies as shown below.

cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
"C:\Windows\System32\cmd.exe" /C net stop vss

CryptoShield will then display a fake alert stating that there was an application error in Explorer.exe. At first, I was not sure if this was an error produced by the ransomware or just a crashing explorer.exe. As you read the alert closely, though, you can see spelling mistakes such as "momory" and an odd request that you should click on the Yes button in the next Window "for restore work explorer.exe". The broken English really should have been the giveaway for me.

Fake Explorer.exe Alert
Fake Explorer.exe Alert

Once you press OK on the above prompt, you will be presented with a User Account Control prompt, which asks if you wish to allow the command "C:\Windows\SysWOW64\wbem\WMIC.exe" process call create "C:\Users\User\SmartScreen.exe" to execute. This explains why the previous alert was being shown; to convince a victim that they should click on the Yes button in the below UAC prompt.

UAC Prompt for the Launch of the Smart Screen Executable
UAC Prompt for the Launch of the SmartScreen.exe Executable

Once a victim clicks Yes, the ransomware will start again and display the # RESTORING FILES #.HTML ransom note, which is shown below.

HTML Ransom Note
HTML Ransom Note

This ransom note contains information regarding what happened to your files, a personal identification ID, and three email addresses that can be used to contact the ransom developer for payment instructions. The current email addresses are restoring_sup@india.com, restoring_sup@computer4u.com, and restoring_reserve@india.com.

Unfortunately, as already stated there is no way to currently decrypt files encrypted by CryptoShield for free. For those who wish to discuss this ransomware or receive support, you can always use our CryptoMix or CrypMix Ransomware Help Topic (.code, .Cryptoshield, scl extension).

File Associated with the CryptoShield CrypMix Variant:

C:\ProgramData\MicroSoftWare\
C:\ProgramData\MicroSoftWare\SmartScreen\
C:\ProgramData\MicroSoftWare\SmartScreen\SmartScreen.exe
%AppData%\Roaming\1FAAXB2.tmp
[encrypted_file_name].CRYPTOSHIELD
# RESTORING FILES #.HTML
# RESTORING FILES #.TXT

Registry Entries Associated with the CryptoShield CrypMix Variant:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Windows SmartScreen" = "C:\ProgramData\MicroSoftWare\SmartScreen\SmartScreen.exe"

Hashes:

SHA256: bb65f0bf3d827958ae447c80ba824e214601094d4dc860b9decc08caae7dd89c

Network Communication:

45.76.81.110/test_site_scripts/moduls/get_info.php

Text of Ransom Note:

NOT YOUR LANGUAGE? USE http://translate.google.com

What happened to you files?
All of your files were encrypted by a strong encryption with RSA-2048 using CryptoShield 1.0.
More information about the encryption keys using RSA-2048 can be found here: https://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
Specially for your PC was generated personal RSA-2048 KEY, both public and private.
ALL your FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start send email now for more specific instructions, and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

To receive your private software:
Contact us by email , send us an email your (personal identification) ID number and wait for further instructions.
Our specialist will contact you within 24 hours.
For you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. 
This will be your guarantee.

Please do not waste your time! You have 72 hours only! After that The Main Server will double your price!
So right now You have a chance to buy your individual private SoftWare with a low price!

CONTACTS E-MAILS:
restoring_sup@india.com - SUPPORT;
restoring_sup@computer4u.com - SUPPORT RESERVE FIRST;
restoring_reserve@india.com - SUPPORT RESERVE SECOND;

ID (PERSONAL IDENTIFICATION): [id]

Text of Fake Explorer.exe Alert:

explorer.exe - Application Error

The instruction at 0xe9c71f6c referenced memory at 0x46c8f91a. The momory could not be read.

Click on Yes in the next windows for restore work explorer.exe

CryptoShield 1.0 Associated Emails:

restoring_sup@india.com - SUPPORT;
restoring_sup@computer4u.com - SUPPORT RESERVE FIRST;
restoring_reserve@india.com - SUPPORT RESERVE SECOND;