New CryptMix Ransomware Promises to Give Money to a Children’s Charity

CryptMix is a mashup of CryptXXX and CryptoWall. A new type of ransomware created and distributed by a group of crooks calling themselves the Charity Team is trying to encourage users to pay the ransom note by promising to give some of the money to a children’s charity organization.

Researchers from Heimdal Security claim the ransomware first appeared last week, but MalwareHunterTeam has told Softpedia that samples of the same ransomware were seen starting more than a month ago.

Columbian security researcher Nyxbone took a closer look at the ransomware three days ago and said that this threat is a combination of other ransomware families, such as CryptoWall 3.0, CryptoWall 4.0 and the more recent CryptXXX. Hence, the researcher appropriately named the ransomware CryptMix.

CryptMix infections occur via drive-by downloads on malicious sites

Infection occurs via spam email, which contains links to malicious websites. Users who access these websites are targeted with exploit kits that leverage vulnerabilities in the users’ browsers and their plugins to install CryptMix.

Once the ransomware reaches a victim’s PC, it automatically starts the encryption process. The ransomware is unique because it searches and starts to encrypt a whopping 862 different file types. You can recognize CryptMix infections by the .code file extension that they add at the end of each encrypted file.

After the encryption process ends, the ransomware adds ransom notes on the infected PC. Nyxbone says CryptMix borrows the HTML ransom note from CryptXXX and the text-based ransom note from CryptoWall.

CryptMix HTML ransom note

The ransom note tells the user their files were locked with an RSA-2048 algorithm, gives them an ID, and urges them to send an email to one of two email addresses (xoomx[@] and xoomx[@] so that they recover their files.

The crooks answer the victim’s email and provide them with a link and a password to the One Time Secret service, a website that lets users share password-protected messages.

Crooks are asking for quite a large sum of money

This page contains the actual message from the CryptMix author, which tells the victim that they have to pay 5 Bitcoin (~$2,200) to recover their files.

Compared to what other ransomware families ask for, 5 Bitcoin is an excessive amount. Nonetheless, the CryptMix author is not a novice because he uses two tricks to “convince” users to pay.

First, he tries to sweet-talk the user by saying that some of the ransom money will go to a children’s charity, and then he threatens the user that the ransom sum will double in the next 24 hours if they don’t pay right away.

The cherry on top is that, somewhere in this message, the crook also promises three years of “FREE tech support,” as if any sane person ever accepted tech support from a ransomware creator.

Below you can read the message sent via One Time Secret links. Currently, there’s no known method for decrypting files locked with CryptMix.