A new variant of the CryptoMix ransomware is being distributed via the RIG exploit kit (EK), security researchers have discovered.
The distribution of CryptoMix was previously associated with RIG, which has been used to drop other ransomware families, including Cerber. In the past, the threat was also associated with the activity of one of the long-standing infection chains out there, namely EITest, and the new distribution campaign features it as well.
EITest, which has been distributing malware such as the Spora ransomware, Gootkit information stealer, and the Chthonic and Ursnif banking Trojans, among others, has seen some changes since October 2016, when it stopped using a gate between the compromised website and the EK landing page, and no longer employed obfuscation for the scripts injected on legitimate sites.
The campaign makes use of two variants of the RIG exploit kit, namely RIG-E (or Empire Pack) and Rig-V (an improved, “VIP” version of the EK), and was most recently associated with a malware distribution campaign specifically targeting users of the Chrome browser on Windows computers.
As mentioned above, CryptoMix (also known as CryptFile2), has been distributed through EITest and RIG before, and the only thing that changed in this regard recently is the ransomware variant, which BleepingComputer refers to as CryptoShield 1.0.
Similar to other EITest attacks, as soon as a victim accesses a compromised site, the injected code redirects them to the RIG EK’s landing page. The exploit kit then attempts to leverage vulnerable software on the potential victim’s machine and, if successful, installs the newly discovered ransomware variant.
Once installed on the compromised computer, the malware generates a unique ID for the machine, along with an encryption key, both of which are then uploaded to the command and control (C&C) server. Next, the malware starts scanning the computer for targeted files, and then proceeds to encrypt them. The ransomware targets over 400 file extensions.
The new CryptoMix variant encrypts every file using AES-256 encryption, while also encrypting the filename using ROT-13, and appending the .CRYPTOSHIELD extension to it. The malware creates ransom notes in each of the folders where encrypted files are located, while also attempting to disable the Windows startup recovery and to delete the Windows Shadow Volume Copies, so as to prevent users from recovering their data.
Next, the malware displays a fake alert informing the user that Exporer.exe has encountered a problem. Only an “OK” button is available on the window, and, when the user clicks it, a User Account Control prompt is displayed, requesting permission to execute a process. If the user agrees, the ransomware displays a note informing them on the infection and how they can pay the ransom to recover the files.
The note refers to the ransomware as CryptoShield 1.0 and provides victims with three email addresses they can contact to kick off the ransom payment and file recovery process. The ransom note is essentially unchanged from what CryptoMix was dropping last year, except for the new malware name and the use of different email addresses in the newly spotted campaign.