{"id":19417,"date":"2016-07-22T10:08:02","date_gmt":"2016-07-22T16:08:02","guid":{"rendered":"https://www.webroot.com/blog/?p=19417"},"modified":"2018-01-30T11:56:51","modified_gmt":"2018-01-30T18:56:51","slug":"about-cryptomix-ransomware","status":"publish","type":"post","link":"https://www.webroot.com/blog/2016\/07\/22\/about-cryptomix-ransomware\/","title":{"rendered":"CryptoMix Ransomware: What You Should Know"},"content":{"rendered":"

CrytpoMix has been gaining\u00a0some traction over the past few months, so\u00a0it’s a good idea that we provide a rundown of this variant in\u00a0the ransomware family.<\/p>\n

This is ‘barebones ransomware’, so victims aren’t presented with a GUI or a desktop background change. All that is presented is a text file and webpage showing the same text.<\/p>\n

\"notepad\"<\/a><\/p>\n

This is one of the FEW ransomware variant that doesn’t have some payment portal in the darknet. There is no need to download any tor browser, as they don’t provide any onion links.<\/p>\n

\"email<\/a><\/p>\n

With this variant, victims literally have to email and wait around 12 hours for a response and\u00a0those responses are encrypted and password protected (to protect the bitcoin wallet address the cybercriminals\u00a0want payment to be made to).<\/p>\n

Example response:<\/p>\n

\"email<\/a><\/p>\n

While CryptoMix isn’t fancy, it’s price sure is. 5 BTC (Bitcoin) is an insane amount of money (>$3000), and it wasn’t a few months ago that ransom increases to $700 were all the rage. Also, these criminals even claim that you’ll receive free tech support and all your ransom money goes to a child charity. Please do not be fooled.<\/p>\n

Registry Entries added<\/p>\n

\u00bb HKLM\\Software\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced RSA and AES Cryptographic Provider
\n\u00bb HKLM\\Software\\Microsoft\\Cryptography\\DESHashSessionKeyBackward
\n\u00bb HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Adobe Reader UpdateSoftWare
\n\u00bb HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*Adobe Reader Update32
\n\u00bb HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\AdobeFlashPlayerSoftWare
\n\u00bb HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*AdobeFlashPlayers32
\n\u00bb HKCU\\Software\\Adobe Reader LicensionSoftWare\\AdobeFirstVersionSoftWare
\n\u00bb HKCU\\Software\\Adobe Reader LicensionSoftWare\\AdobeLicensionSoftWare<\/p>\n

MD5 hashes analyzed\u00a0:<\/p>\n

b778bda5b97228c6e362c9c4ae004a19<\/p>\n

a0fed8de59e6f6ce77da7788faef5489<\/p>\n

Webroot will catch this specific ransomware\u00a0in real time before any encryption takes place. We\u2019re always on the lookout for more types of threats, but just in case of new zero-day variants, remember that with encrypting ransomware, the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware, you can just restore your files back as we save a snapshot history for each of your files (up to ten previous copies). Please see our community post<\/a> on best practices for securing your environment against encrypting ransomware.<\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

CrytpoMix has been gaining\u00a0some traction over the past few months, so\u00a0it’s a good idea that we provide a rundown of this variant in\u00a0the ransomware family. This is ‘barebones ransomware’, so victims aren’t presented with a GUI or a desktop background change. All that is presented is a text file and webpage showing the same text. […]<\/p>\n","protected":false},"author":21,"featured_media":18469,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[14215,5443,5435,19845,19839,4197,4149,8223,19843,19841,5423,3937,6987,19145,4269,3471,5439,3989,3525,5449],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/19417"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/21"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=19417"}],"version-history":[{"count":5,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/19417\/revisions"}],"predecessor-version":[{"id":19461,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/19417\/revisions\/19461"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/18469"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=19417"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=19417"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=19417"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=19417"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}