Yesterday, MalwareHunterTeam discovered a new variant of the CryptoMix ransomware that is appending the .arena extension to encrypted file names. This family of ransomware releases a new version almost every week, if not sooner, so it will be expected to see another variant released soon with a new extension.

It should also be noted that this ransomware should not be confused with the recent Crysis variant that appends the .arena extension as well. The easiest way to tell the difference between the CryptoMix and Crysis variants, is that the CryptoMix variant will turn the filenames into a hexadecimal strings as described in the next section.

This article will provide a brief summary of what has changed in this new variant. As we are always looking for weaknesses, if you are a victim of this variant and decide to pay the ransom, please send us the decryptor so we can take a look at it. You can also discuss or receive support for Cryptomix ransomware infections in our dedicated Cryptomix Help & Support Topic.

Changes in the ARENA Cryptomix Ransomware Variant

While overall the encryption methods stay the same in this variant, there have been some differences. While the ransom note filename continues to be _HELP_INSTRUCTION.TXT, it now uses the email for payment information.

ARENA CryptoMix Ransom Note
ARENA CryptoMix Ransom Note

The next noticeable change is the extension appended to encrypted files. With this version, when a file is encrypted by the ransomware, it will modify the filename and then append the .arena extension to encrypted file's name. For example, a test file encrypted by this variant has an encrypted file name of 0D0A516824060636C21EC8BC280FEA12.arena

Folder of Encrypted ARENA Files
Folder of Encrypted ARENA Files

This variant also contains 11 public RSA-1024 encryption keys that will be used to to encrypt the AES key used to encrypt a victim's files. This allows the ransomware to work completely offline with no network communication. This variants 11 public RSA keys are different from the ones used by the previous Empty Cryptomix Ransomware variant.

As this is just a cursory analysis of this new variant, if anything else is discovered, we will be sure to update this article.

How to protect yourself from the Arena CryptoMix Ransomware

In order to protect yourself from the Arena variant of CryptoMix , or from any ransomware, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.

You should also have security software that contains behavioral detections such as Emsisoft Anti-Malware or Malwarebytes.  Regardless of the security software you use, make sure it contains behavioral detections so you do not have to rely on signatures or heuristics.

Last, but not least, make sure you practice the following good online security habits, which in many cases are the most important steps of all:

  • Backup, Backup, Backup!
  • Do not open attachments if you do not know who sent them.
  • Do not open attachments until you confirm that the person actually sent you them,
  • Scan attachments with tools like VirusTotal.
  • Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
  • Make sure you use have some sort of security software installed.
  • Use hard passwords and never reuse the same password at multiple sites.

For a complete guide on ransomware protection, you visit our How to Protect and Harden a Computer against Ransomware article.

Related Articles:

The Week in Ransomware - November 9th 2018 - Mostly Dharma Variants

SEO Poisoning Campaign Targeting U.S. Midterm Election Keywords

The Week in Ransomware - November 2nd 2018 - RaaS, DiskCryptor, & More

New Ransomware using DiskCryptor With Custom Ransom Message

CommonRansom Ransomware Demands RDP Access to Decrypt Files


File Hashes:

SHA256: 3d615c210addb2672e40b291c2bf7f322955e7df475512a60d682ef1110ff511

Filenames associated with the ARENA  Cryptomix Variant:


Registry entries associated with the ARENA CryptoMix Variant:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"="C:\ProgramData\[Random].exe""

ARENA Ransom Note Text:

All your files have been encrypted! 
If you want to restore them, write us to the e-mail : 
Write this ID in the title of your message DECRYPT-ID-[id] number number In case of no answer in 48 hours write us to theese e-mails : 

You have to pay for decryption in Bitcoins. 
The price depends on how fast you write to us. 
After payment we will send you the decryption tool that will decrypt all your files. 
Free decryption as guarantee Before paying you can send us up to 1 files for free decryption. 
The total size of files must be less than 2 Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) 
How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. 
Also you can find other places to buy Bitcoins and beg

Emails Associated with the ARENA Ransomware:

Executed Commands:

sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet

Bundled Public RSA-1024 Keys:

-----END PUBLIC KEY-----

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCAcL2bv8UxRqZ6DD5VHvsNCAh/ e18CEHVeff1kfCDIB4D9q3/Yu59Mq9P5H7E94m0YlN57eZmJ7uiJth/6/MExv+uw L5izNB/b5CKMuSaqqUsQY27P3yTIfSyWrqQ6Hk2TDljytlvceSFwpWdEFn6B5a5p KnRMzKMSre7zrIUm+QIDAQAB
-----END PUBLIC KEY-----

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCK3KhGZ0Tp5NnWzTT8qQSoXNBf noIUpn3M1ubJf8Z6lb2xGWIYPDpmF+H4yKTPZ20vc49SQ6Dbrdwc0/6TzykOMdOv 9BJWYT75kwEufiqv0Gy9ZHKhlpAXJkrWoOMonFqS4T6HOTdkiN+shadQt299bUlu f+TqSqhkhz6Cp9IHbwIDAQAB
-----END PUBLIC KEY-----

-----END PUBLIC KEY-----

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCC6OGfuH1Ht732u4UomMTGb1Kd uQawHQUvhMYzFrWK3x5IMCXnkjJCfGEBcF0FqIMTiYQsY4v2I/71nntIUFLn/usO McdJMMoXCZcErvV8PFRYz7p3QEqKnleUJt10ncib7pZkgqfP5cSx7xymJnj+/fZH 9yVmOlshSkZqNbt6dwIDAQAB
-----END PUBLIC KEY-----

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCk9ZSRC7RxXXihK28uJzFY5iAY 2mgaUU16jGijYai5rZGCt5e9+e412HuPlQYvueOsK7bkyCKlnITbYCzYDOXv+k++ Kk9qi7atez0EcPT77cSrWoC/ENFsmdX/kznw3nbxjyVkoSZzFh+MPM50xCl1f05b eHUwrrAaI82GTtQ7DQIDAQAB
-----END PUBLIC KEY-----

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCHAlC0tOBzqZxJbBpF9qi7jVIz GKmop5KMyZ0SmtShlC4ily37+/TllLq0GWfcUlmepUogmuebAHYFFxblH9PaNCwv MNo+HjMJBLHBchvH4buKtmf/ctaGf3CxFmegE9vG/ne9JiSx6IGe5sK1KZbCPqSO X3IpyKirdSCn33QqWwIDAQAB
-----END PUBLIC KEY-----

-----END PUBLIC KEY-----

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9n6bm9GC3UQ8OOB+ahHYuIS3k jkUBOXyKEJKaiebSShdi5pUDAxiObWcks9Ql9Vb/z0S+6h0Ot1iOH9jUQlWlQ8Kt SOoli2eg/Jq42PWL4qW7ejc6qO8KmPvMtsZEqrcwC9Xv0lpx50Xp+cXXf+DUIhhS 7DOwxl7QGcts+oGkpwIDAQAB
-----END PUBLIC KEY-----

-----END PUBLIC KEY-----

-----END PUBLIC KEY-----