Ransomware cases usually follow the same pattern of infection and behavior. However, a recently detected ransomware proves that ransomware authors can be creative, too. The so-called CryptMix ransomware is operated by a group of individuals calling themselves the Charity Team. The group claims that if the ransom is paid, some of it will go to a children’s charity organization.
|Short Description|The ransomware encrypts files with RSA-2048 and appends a .code extension to them.|
|Symptoms|Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom is displayed.|
|Distribution Method|Spam emails, drive-by downloads, exploit kits|
Why “CryptMix” Ransomware?
The name comes from analysis of the ransomware. Colombian researcher Nyxbone has said that the threat is a combination of ransomware families such as CryptoWall 3.0, CryptoWall 4.0 and CryptXXX, hence “CryptMix”.
CryptMix Ransomware Distribution Methods
Researchers report that the ransomware is downloaded to a victim’s machine via drive-by downloads initiated on compromised websites. The chain of infection begins with a spam email containing links to malicious pages. If the user is lured into clicking on any of the links, they are redirected to a page that hosts an exploit kit. The EK leverages security flaws in browser plugins.
To summarize, CryptMix uses the following methods to propagate itself:
- Spam emails;
- Corrupted links;
- Corrupted websites;
- Exploit kits;
- Browser vulnerabilities.
CryptMix Ransomware Technical Overview
Once CryptMix is installed on a system, the encryption process starts automatically. The ransomware targets and encrypts 862 file types, which is a unique feature.
Files encrypted by CryptMix will have a .code extension appended to them. Once the encryption process ends, the user will see a ransom note, which is quite similar to the ones used by CryptXXX and CryptoWall.
Here is what the ransom note looks like:
As visible from the note, CryptMix’s authors claim that they have used the RSA-2048 algorithm. A victim ID is also shown, and the victim is instructed to send an email to the given addresses – xoomx[@]dr.com and xoomx[@]usa.com.
Despite CryptMix authors’ promises to transfer some of the ransom money to a charity, paying the ransom is still not recommended. As for the ransom itself, it is quite a large one – 5 Bitcoins, or approximately $2,200, in exchange for a decryption key.
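The behaviour described above (a process renaming many files to the .code extension and dropping a note that points to the two contact addresses) can be turned into a simple triage check. This is an added example, not code from the original article; the file-event log format, the PIDs, paths and note text are constructed, and the rename threshold and time window are assumed tuning values.

```python
"""Triage detector for CryptMix-style mass encryption (added example, not from the article)."""
from collections import defaultdict, deque
from datetime import datetime

CRYPTMIX_EXT = ".code"
# Contact addresses from the ransom note described in the article (de-obfuscated form).
RANSOM_CONTACTS = ("xoomx@dr.com", "xoomx@usa.com")
RENAME_THRESHOLD = 5   # assumed tuning: this many .code renames by one process ...
WINDOW_SECONDS = 10    # ... within this many seconds raises an alert

# Constructed sample file-event log, one event per line: "timestamp|pid|event|path".
SAMPLE_LOG = r"""
2016-05-10T09:00:00|4120|RENAME|C:\Users\bob\Documents\budget.xlsx.code
2016-05-10T09:00:01|4120|RENAME|C:\Users\bob\Documents\thesis.docx.code
2016-05-10T09:00:01|4120|RENAME|C:\Users\bob\Pictures\family.jpg.code
2016-05-10T09:00:02|4120|RENAME|C:\Users\bob\Documents\old.bak
2016-05-10T09:00:02|4120|RENAME|C:\Users\bob\Music\track01.mp3.code
2016-05-10T09:00:03|4120|RENAME|C:\Users\bob\Desktop\notes.txt.code
2016-05-10T09:00:04|4120|CREATE|C:\Users\bob\Desktop\README_CONSTRUCTED.txt
2016-05-10T09:00:30|2200|RENAME|C:\Users\bob\Desktop\draft.code
"""
# Constructed text standing in for the dropped note; only the contact addresses are from the article.
SAMPLE_NOTE = "Your files were encrypted with RSA-2048. Write to xoomx[@]dr.com or xoomx[@]usa.com"

def parse_log(text):
    """Parse the pipe-separated event log into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, pid, event, path = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "pid": int(pid), "event": event, "path": path})
    return events

def detect_mass_rename(events, threshold=RENAME_THRESHOLD, window=WINDOW_SECONDS):
    """Return {pid: peak count} for processes that renamed >= threshold files to .code within window."""
    recent = defaultdict(deque)   # per-PID sliding window of .code rename timestamps
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "RENAME" or not ev["path"].lower().endswith(CRYPTMIX_EXT):
            continue
        q = recent[ev["pid"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window:   # drop renames older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[ev["pid"]] = max(alerts.get(ev["pid"], 0), len(q))
    return alerts

def looks_like_ransom_note(text):
    """True if a dropped file mentions the note's contact addresses, with [@] obfuscation removed."""
    norm = text.lower().replace("[@]", "@")
    return any(contact in norm for contact in RANSOM_CONTACTS)

if __name__ == "__main__":
    print("mass-rename alerts:", detect_mass_rename(parse_log(SAMPLE_LOG)))
    print("note matched:", looks_like_ransom_note(SAMPLE_NOTE))
```

On the sample log only PID 4120 trips the threshold (five .code renames within three seconds; the .bak rename is ignored), while PID 2200's single rename does not.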
Can I Remove CryptMix and Restore .code Files?
Unfortunately, a free decryption method hasn’t been established yet. If you have become a victim of the ransomware, closely follow the removal manual below. It also contains information about alternative file restoration methods using specific software. And remember that paying the ransom is never a good idea for two reasons:
- There’s no guarantee you will receive a decryption key as promised;
- By paying, you support cybercriminal activities and encourage future campaigns.
Manually delete CryptMix Ransomware from your computer
Note! Important notice about the CryptMix Ransomware threat: manual removal of CryptMix Ransomware requires interfering with system files and the registry, and can therefore damage your PC. Even if your computer skills are not at a professional level, don’t worry: you can do the removal yourself in about 5 minutes using a malware removal tool.