
System CryptoMix Ransomware

By GoldSparrow in Ransomware

The System CryptoMix Ransomware is a new variant of the CryptoMix Ransomware, which is also known as CryptMix and the CryptoShield Ransomware. The System CryptoMix Ransomware is very similar to the SERVER Cryptomix Ransomware not only in name but in functionality and code as well. Both threats belong to the same threat family and are distributed to users primarily via phishing emails. With small exceptions, most attacks attributed to the System CryptoMix Ransomware involve macro-enabled Microsoft Office documents and executables that masquerade as PDFs. The System CryptoMix Ransomware is designed to run on all versions of Windows (Windows 7 and later) regardless of the underlying system architecture. The System CryptoMix Ransomware is programmed to encipher data with the following extensions:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip.

The System CryptoMix Ransomware Trojan may use processes with random names to handle the encryption procedure. You may notice that what appear to be an Adobe Updater and a Java application are consuming a lot of processing power. The System CryptoMix Ransomware may take the names of legitimate applications to hide its activity before it removes itself from the infected host to hinder reverse-engineering attempts. Data affected by the System CryptoMix Ransomware might receive the '.WORK' extension, and the Shadow Volume snapshots made by Windows are deleted. For example, 'Frank and Oak Workwear.mp4' might be renamed to 'Frank and Oak Workwear.mp4.WORK'. The ransom message is presented via Notepad, which loads '_HELP_INSTRUCTION.TXT' from your desktop. The note looks very different from the one used by CryptoMix in the past. The message displayed by the System CryptoMix Ransomware reads:

'Hello! Attention!
All Your data was encrypted!
for specific informanion.
please send us an email with Your ID number:
systempc1@keemail.me
systempc18x@protonmail.com
hashby@yandex.com
ashbyh@yandex.com
helen.a@inarne.com
Please send email to all email addresses!
We will help You as soon as possible!
IMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE!
IT MAY DAMAGE YOUR DATA FOREVER!'

As you can see above, the ransomware actors are using more than two email accounts for their campaign. The emails related to the System CryptoMix Ransomware include 'systempc1@keemail.me,' 'systempc18x@protonmail.com,' 'hashby@yandex.com' and 'ashbyh@yandex.com.' PC users who lack a backup service on their systems may want to set one up before they have to deal with cyber-threats like the System CryptoMix Ransomware. We don't recommend paying the ransom in any case, because you can never trust the hackers who locked your data in the first place. Also, sending money to their wallet address would allow them to launder it, and digital coin transactions are very hard to trace. It is best to clean the infected machines using a reputable anti-malware tool and make sure there are no vulnerable remote desktop accounts active on your system.
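The file-level indicators named in this write-up (the '.WORK' extension, the '_HELP_INSTRUCTION.TXT' note and the contact addresses in it) can be turned into a quick triage check for a suspect machine. The script below is an added example, not code from this page or from any vendor tool; it builds a constructed sample directory that mimics an affected desktop and scans it for those indicators.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators from the write-up: extension appended to encrypted files,
# ransom-note file name and the contact addresses printed in the note.
ENCRYPTED_EXT = ".WORK"
NOTE_NAME = "_HELP_INSTRUCTION.TXT"
NOTE_EMAILS = {"systempc1@keemail.me", "systempc18x@protonmail.com",
               "hashby@yandex.com", "ashbyh@yandex.com", "helen.a@inarne.com"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def scan_tree(root):
    """Walk root; collect renamed files, notes and known addresses in notes."""
    found = {"encrypted": [], "notes": [], "emails": set()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.upper().endswith(ENCRYPTED_EXT):
                found["encrypted"].append(str(path))
            elif name.upper() == NOTE_NAME:
                found["notes"].append(str(path))
                text = path.read_text(errors="replace")
                found["emails"] |= NOTE_EMAILS & set(EMAIL_RE.findall(text))
    return found

def verdict(found):
    """A note naming a known address is the strongest signal; renamed files
    alone could belong to another family that also appends '.WORK'."""
    if found["emails"]:
        return "likely System CryptoMix"
    if found["encrypted"] or found["notes"]:
        return "suspicious: ransomware indicators, family unconfirmed"
    return "no indicators"

def build_sample_tree():
    """Constructed sample (not a real capture) mimicking an affected desktop."""
    root = Path(tempfile.mkdtemp(prefix="cryptomix_demo_"))
    (root / "Frank and Oak Workwear.mp4.WORK").write_bytes(b"\x00" * 16)
    (root / "report.docx.WORK").write_bytes(b"\x00" * 16)
    (root / "untouched.txt").write_text("still readable")
    (root / NOTE_NAME).write_text("Hello! Attention!\nAll Your data was "
                                  "encrypted!\nplease send us an email with "
                                  "Your ID number:\nsystempc1@keemail.me\n"
                                  "hashby@yandex.com\n")
    return root

if __name__ == "__main__":
    print(verdict(scan_tree(build_sample_tree())))
```

Point scan_tree at a user profile or a mounted disk image instead of the sample tree to triage a real host; the verdict is evidence ranking, not a substitute for a full anti-malware scan.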
