New Cryptomix ransomware variant targets entire networks instead of individual computers
- Researchers have detected a new variant of the Cryptomix ransomware that appends the encrypted files with .clop or .ciop extension.
- This new variant is distributed via executables that have been code-signed with a digital signature.
What is the issue - Researchers from MalwareHunterTeam have detected a new variant of the Cryptomix ransomware that appends the encrypted files with .clop or .ciop extension.
Why it matters - This new variant targets entire networks rather than individual computers.
Worth noting - Researchers noted that the authors of this malware variant use different email addresses and file extensions from one sample to the next.
How does it work - Researchers stated that this new variant is distributed via executables that have been code-signed with a digital signature. This adds legitimacy to the executables.
A security researcher named Vitali Kremez noted that this variant first stops numerous Windows services and processes, such as Microsoft Exchange, Microsoft SQL Server, MySQL, and others, in order to disable antivirus software and to close all open files so that they are ready for encryption.
BleepingComputer revealed that this variant will create a batch file named ‘clearnetworkdns_11-22-33.bat’ that will be executed soon after the ransomware is launched.
“This batch file will disable Windows's automatic startup repair, remove shadow volume copies, and then resize them in order to clear orphaned shadow volume copies,” BleepingComputer reported.
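The behaviour chain described above (a burst of service and process stops, the ‘clearnetworkdns_11-22-33.bat’ batch file, startup repair disabled, shadow copies removed and resized) is a usable detection pattern for process-creation telemetry. The script below is an added example written for this page; it is not code from the article, BleepingComputer or the researchers cited. It assumes a simplified, constructed pipe-delimited log format standing in for Sysmon Event ID 1 or Windows Security 4688 records, and it assumes the common command-line forms those actions take on Windows (the article does not reproduce the batch file's contents); the threshold for a "mass stop" is an arbitrary starting value to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real data): fields are
# timestamp|host|parent_image|image|command_line, a simplified stand-in for
# Sysmon Event ID 1 / Windows Security 4688 process-creation records.
SAMPLE_LOG = """\
2019-02-10T09:00:01|ws01|explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt
2019-02-10T09:00:05|ws01|services.exe|C:\\Windows\\System32\\net.exe|net stop Spooler
2019-02-10T10:15:00|srv02|C:\\Users\\u\\Downloads\\update.exe|C:\\Windows\\System32\\net.exe|net stop MSExchangeIS /y
2019-02-10T10:15:01|srv02|C:\\Users\\u\\Downloads\\update.exe|C:\\Windows\\System32\\net.exe|net stop MSSQLSERVER /y
2019-02-10T10:15:01|srv02|C:\\Users\\u\\Downloads\\update.exe|C:\\Windows\\System32\\net.exe|net stop MySQL /y
2019-02-10T10:15:02|srv02|C:\\Users\\u\\Downloads\\update.exe|C:\\Windows\\System32\\taskkill.exe|taskkill /F /IM outlook.exe
2019-02-10T10:15:03|srv02|C:\\Users\\u\\Downloads\\update.exe|C:\\Windows\\System32\\cmd.exe|cmd /c clearnetworkdns_11-22-33.bat
2019-02-10T10:15:03|srv02|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled no
2019-02-10T10:15:04|srv02|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet
2019-02-10T10:15:05|srv02|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
"""

# Command-line patterns for the individual steps the article describes. The
# exact command forms are an assumption (the article gives only the behaviour);
# each is a strong signal on its own (ATT&CK T1490, Inhibit System Recovery).
STEP_RULES = [
    ("clop_batch_file", re.compile(r"clearnetworkdns_11-22-33\.bat", re.I)),
    ("startup_repair_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("shadow_copy_delete", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_storage_resize", re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I)),
]
# Service/process stops are individually benign; only a burst of them on one
# host is suspicious, so they are counted rather than alerted on directly.
SERVICE_STOP = re.compile(r"^net(\.exe)?\s+stop\s+(\S+)", re.I)
PROCESS_KILL = re.compile(r"^taskkill(\.exe)?\b.*?/IM\s+(\S+)", re.I)
MASS_STOP_THRESHOLD = 3  # assumption: tune to the environment's baseline


def parse_log(text):
    """Split the constructed pipe-delimited records into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmd = line.split("|", 4)
        events.append({"ts": ts, "host": host, "parent": parent,
                       "image": image, "cmd": cmd})
    return events


def analyse(events):
    """Return {host: {"severity": ..., "indicators": [...]}} for hosts with findings."""
    per_host = defaultdict(lambda: {"indicators": set(), "stopped": set()})
    for e in events:
        state = per_host[e["host"]]
        for name, rx in STEP_RULES:
            if rx.search(e["cmd"]):
                state["indicators"].add(name)
        for rx in (SERVICE_STOP, PROCESS_KILL):
            m = rx.match(e["cmd"])
            if m:
                state["stopped"].add(m.group(2).lower())
    findings = {}
    for host, state in per_host.items():
        indicators = set(state["indicators"])
        if len(state["stopped"]) >= MASS_STOP_THRESHOLD:
            indicators.add("mass_service_stop")
        if not indicators:
            continue
        # Recovery tampering or the named batch file is enough for a high-severity
        # alert; a burst of stops alone is worth a look but is a weaker signal.
        severity = "high" if indicators - {"mass_service_stop"} else "medium"
        findings[host] = {"severity": severity, "indicators": sorted(indicators)}
    return findings


if __name__ == "__main__":
    for host, f in analyse(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {f['severity']} -> {', '.join(f['indicators'])}")
```

Run against the constructed sample, ws01 (one routine Spooler stop) produces nothing, while srv02 is flagged high with all five indicators. Correlating per host rather than per event is the point: a single `net stop` or a single shadow-storage resize is routine administration, but the article's sequence landing on one host within seconds is not, and the batch-file name alone gives an immediate hunting pivot across the estate.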
What does the ransom note say - This new variant creates a ransom note named ‘CIopReadMe.txt’.
“All files on each host in the networks have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F-8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. No DECRYPTION software is AVAILABLE in the public,” the ransom note read.
This ransom note also contains the email addresses to contact the attackers for payment instructions. The email addresses include unlock@eqaltech[.]su, unlock@royalmail[.]su, and kensgilbomet@protonmail[.]com.