Ransomware cases usually follow the same pattern of infection and behavior. However, a recently detected ransomware proves that ransomware authors can be creative, too. The so-called CryptMix ransomware is operated by a group of individuals calling themselves the Charity Team. The group claims that if the ransom is paid, some of it will go to a children’s charity organization.
|Short Description||The ransomware encrypts files with the RSA-2048 and appends a .code encryption.|
|Symptoms||Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom shows is displayed.|
|Distribution Method||Spam emails, drive-by downloads, exploit kits|
|Detection Tool|| See If Your System Has Been Affected by CryptMix Ransomware |
Malware Removal Tool
|User Experience||Join our forum to Find A Solution about CryptMix Ransomware.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
Why “CryptMix” Ransomware?
The name derives from the ransomware’s analysis. Columbian researcher Nyxbone has said that the threat is a combination of ransomware families such as CryptoWall 3.0, CryptoWall 4.0 and CryptXXX, hence “CryptMix”.
CryptMix Ransomware Distribution Methods
Researchers report that the ransomware is downloaded to a victim’s machine via drive-by downloads, initiated on corrupted websites. The chain of infection begins with a spam email containing links to bad pages. If the user is lured into clicking on any of the links, he will be redirected to a page that hosts an exploit kit. The EK leverages security flaws in browser plugins.
To summarize, CryptMix uses the following methods to propagate itself:
- Spam emails;
- Corrupted links;
- Corrupted websites;
- Exploit kits;
- Browser vulnerabilities.
CryptMix Ransomware Technical Overview
Once CryptMix is installed on a system, the encryption process starts automatically. The ransomware targets and encrypts 862 files types, which is a unique feature.
Files encrypted by CryptMix will have a .code extension appended to them. Once the encryption process ends, the user will see a ransom note, which is quite similar to the ones used by CryptXXX and CryptoWall.
Here is what the ransom note looks like:
As visible from the note, CryptMix’s authors claim that they have used the RSA-2048 algorithm. An ID is also present, convincing the victim to send an email to the given email addresses – xoomx[@]dr.com and xoomx[@]usa.com.
Despite CryptMix authors’ promises to transfer some of the ransom money to a charity, paying the ransom is still not recommended. As of the ransom itself, it is quite a large one – 5 Bitcons, or approximately $2,200 in exchange for a decryption key.
Can I Remove CryptMix and Restore .code Files?
Unfortunately, a free decryption method hasn’t been established yet. If you have become a victim of the ransomware, closely follow the removal manual below. It also contains information about alternative file restoration methods using specific software. And remember that paying the ransom is never a good idea for two reasons:
- There’s no guarantee you will receive a decryption key as promised;
- By paying, you support cybercriminal activities and encourage future campaigns.
Manually delete CryptMix Ransomware from your Mac
Automatically remove CryptMix Ransomware from your Mac
When you are facing problems on your Mac as a result of unwanted scripts and programs such as CryptMix Ransomware, the recommended way of eliminating the threat is by using an anti-malware program. Combo Cleaner offers advanced security features along with other modules that will improve your Mac’s security and protect it in the future.