Cybercriminals have become surprisingly noble and caring in their new approaches to taking money from their victims. A new and unusual ransomware mashup named CryptMix was detected recently by security researchers. This new malware is a mixture of the well-known CryptXXX, CryptoWall 3.0 and CryptoWall 4.0 ransomware threats that have been floating around the web for quite some time.
The new CryptMix is created and spread by a group of cheaters calling themselves “The Charity Team”. They are using a new manipulative technique in an attempt to encourage users infected with the CryptMix ransomware to pay the ransom. In the ransom note, they promise to give some of the money to charity, to a children’s organization. How far could their caring nobility reach, huh?
Security researchers detected this ransomware just a week ago, but some samples of the same strain were noticed almost a month ago. The new CryptMix infections are distributed mostly through drive-by downloads on malicious websites. Other infection methods are spam emails and links to suspicious websites. Users who land on such compromised web pages are usually targeted with exploit kits, plugins or browser extensions, through which the ransomware sneaks into their systems.
CryptMix acts just like any other ransomware and automatically starts to encrypt the victim’s files as soon as it is installed on the PC. What is unique about this malware, however, is that it encrypts a whopping 862 different file types. Victims can recognize that they are infected with this ransomware by the .code file extension that is added to the end of every encrypted file. When all the files are locked and the encryption process is over, a ransom note appears on the victim’s screen.
The note informs users that their files have been locked with an RSA-2048 algorithm. They are then asked to contact the given email addresses if they want to unlock their files. The cybercriminals behind CryptMix reply to the victims’ emails and send them a link and a password to a secret website that enables users to share password-protected messages.
This secret web page displays the real message from the CryptMix creators, which asks the victims to pay 5 Bitcoins in exchange for the decryption key. 5 Bitcoins is approximately $2,200, which is quite a large ransom compared to other recent ransom demands.
Feel good about paying the ransom…
In order to “motivate” victims to dig deep into their pockets for such a large amount and actually make them pay, the attackers use two techniques. First, to make victims feel good about paying, they try to act noble and caring and say that part of the ransom will go to a children’s charity. On the other hand, to apply some pressure, they threaten that if the ransom is not paid right away, the amount will double in the next 24 hours. The cherry on top of that “sweet” message is that the attackers even promise three years of “Free tech support”. It is surprising how “helpful” and “caring” cybercriminals have become nowadays.