July 24, 2017 By Douglas Bonderud 2 min read

Ransomware depends on speed. Quick infections and tight payment timelines compel users to pay up or risk the loss of critical files, while rapid iteration lets malware-makers stay one step ahead of security experts.

As noted by Bleeping Computer, new strains of CryptoMix malware are now hitting networks within weeks of each other — a tactic previously used by Locky ransomware to confuse and confound users. Here’s a look at the newest crypto variants.

Extended Issues

According to the Bleeping Computer piece, two new variants of CryptoMix have appeared in recent weeks: NOOB and ZAYKA. The main difference? Their file extension, with NOOB appending a NOOB extension and ZAYKA appending ZAYKA.

The two also use different public RSA keys to encrypt AES keys and lock down user files, but both still point to the same address for payment. They also use a ransom note labeled as _HELP_INSTRUCTION.TXT, but the malware-makers have put in varying amounts of effort to communicate their demands.

In the NOOB version, this ransom note offers only basic information, saying, “Need back files?” It then provides the email addresses and a decrypt ID.

The ZAYKA variant, meanwhile, explains that victims must pay the ransom in bitcoins, suggests a way to buy those bitcoins and promises to decrypt three files for free as a show of good faith, so long as the files do not contain valuable information and total less than 1 MB in size. This version of CryptoMix makes it clear that time is running out, informing users that “the price depends on how fast you write to us” and warning that if no email is forthcoming within 36 hours, all decryption keys will be deleted, according to Bleeping Computer.

CryptoMix: Off and Running?

Other variants of CryptoMix have also emerged over the last few weeks. SC Magazine described the .EXTE version, which appends this extension and uses several email hosts to take payment. Bleeping Computer also reported on Azer, a variant of CryptoMix that leveraged a new ransom note file path and odd email addresses for users to pay up. But what really sets Azer apart is its ability to work offline.
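The indicators named so far (the NOOB, ZAYKA and EXTE extensions and the shared _HELP_INSTRUCTION.TXT ransom note) are the kind of thing a file-activity rule can key on. The script below is an added example written for this page, not code from the article or from any vendor: it parses a constructed file-creation log (the log format, hostnames and paths are assumptions), classifies each path against those indicators, and flags a host when a ransom note appears or when more than a handful of files pick up a variant extension, so that a single stray file does not trigger on its own.

```python
import re
from collections import Counter, defaultdict

# CryptoMix indicators named in the article: three appended extensions
# and the ransom note filename shared by NOOB and ZAYKA.
VARIANT_EXTENSIONS = {".NOOB": "NOOB", ".ZAYKA": "ZAYKA", ".EXTE": "EXTE"}
RANSOM_NOTE = "_HELP_INSTRUCTION.TXT"

# Constructed sample of file-creation events: "<timestamp> <host> <action> <path>".
# The log format, hostnames and paths are assumptions, not from the article.
SAMPLE_EVENTS = """
2017-07-20T10:01:02 ws-017 CREATE C:\\Users\\alice\\Documents\\q2-report.docx.NOOB
2017-07-20T10:01:02 ws-017 CREATE C:\\Users\\alice\\Documents\\budget.xlsx.NOOB
2017-07-20T10:01:03 ws-017 CREATE C:\\Users\\alice\\Documents\\_HELP_INSTRUCTION.TXT
2017-07-20T10:01:05 ws-017 CREATE C:\\Users\\alice\\Pictures\\holiday.jpg.NOOB
2017-07-20T10:05:00 ws-042 CREATE C:\\Users\\bob\\Desktop\\notes.txt
2017-07-20T10:05:01 ws-042 CREATE C:\\Users\\bob\\Desktop\\exte-reader.exe
2017-07-20T10:07:30 ws-099 CREATE D:\\share\\contracts\\msa.pdf.ZAYKA
2017-07-20T10:07:30 ws-099 CREATE D:\\share\\contracts\\_HELP_INSTRUCTION.TXT
""".strip().splitlines()

EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>\S+) (?P<path>.+)$")


def parse_event(line):
    """Split one constructed log line into its fields, or None if malformed."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def classify_path(path):
    """Return ('note', None), ('variant', NAME) or None for one file path.
    Only the final path component is examined, case-insensitively."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].upper()
    if name == RANSOM_NOTE:
        return ("note", None)
    for ext, variant in VARIANT_EXTENSIONS.items():
        if name.endswith(ext):
            return ("variant", variant)
    return None


def triage(lines, min_encrypted=2):
    """Group indicator hits per host and flag a host when it dropped a ransom
    note or wrote at least `min_encrypted` files carrying a variant extension."""
    per_host = defaultdict(lambda: {"encrypted": Counter(), "notes": []})
    for line in lines:
        ev = parse_event(line)
        if not ev:
            continue
        hit = classify_path(ev["path"])
        if hit is None:
            continue
        kind, variant = hit
        if kind == "note":
            per_host[ev["host"]]["notes"].append(ev["path"])
        else:
            per_host[ev["host"]]["encrypted"][variant] += 1

    flagged = {}
    for host, info in per_host.items():
        total = sum(info["encrypted"].values())
        if info["notes"] or total >= min_encrypted:
            flagged[host] = {
                "variants": dict(info["encrypted"]),
                "ransom_notes": info["notes"],
            }
    return flagged


if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS).items():
        print(host, finding)
```

The `exte-reader.exe` line is there on purpose: matching on the whole filename suffix rather than a substring keeps an ordinary executable from counting as an EXTE hit. The threshold only applies to extension hits; a ransom note is treated as sufficient on its own because it has no benign reason to appear.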

Rather than using traceable network communication, this version embeds 10 different RSA-1024 public encryption keys and then selects one to encrypt the AES key, a significant step up from the single RSA-1024 key used by the recent Mole02 variant. Azer is notable here because it operates in a space typically considered safe from ransomware: offline.
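One way an analyst confirms a claim like "ten embedded RSA-1024 public keys" without running the sample is to scan the unpacked binary for DER-encoded public keys and measure each modulus. The script below is an added example for this page, not code from the article or from any analysis tool: it looks for the rsaEncryption OID that every X.509 SubjectPublicKeyInfo carries, walks the DER structure that follows it to the modulus, and reports the bit length. The "binary" it scans is constructed inline, and the moduli are deterministic filler of the right shape rather than real keys.

```python
import hashlib
from collections import Counter

# DER encoding of the rsaEncryption OID (1.2.840.113549.1.1.1) as it appears
# in the AlgorithmIdentifier of an X.509 SubjectPublicKeyInfo.
RSA_OID = bytes.fromhex("06092a864886f70d010101")


def der_len(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    """Wrap content in a DER tag-length-value triple."""
    return bytes([tag]) + der_len(len(content)) + content


def build_spki(modulus, exponent=65537):
    """Encode a modulus/exponent pair as a DER SubjectPublicKeyInfo."""
    n = (b"\x00" if modulus[0] & 0x80 else b"") + modulus   # keep INTEGER positive
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    rsa_public_key = der(0x30, der(0x02, n) + der(0x02, e))
    alg_id = der(0x30, RSA_OID + b"\x05\x00")               # NULL parameters
    return der(0x30, alg_id + der(0x03, b"\x00" + rsa_public_key))


def fake_modulus(bits, seed):
    """Deterministic filler with the top bit set. NOT a real RSA modulus,
    just the right length for exercising the parser (constructed data)."""
    out = b""
    counter = 0
    while len(out) < bits // 8:
        out += hashlib.sha256(b"%d:%d" % (seed, counter)).digest()
        counter += 1
    out = bytearray(out[: bits // 8])
    out[0] |= 0x80
    return bytes(out)


def read_tlv(buf, pos):
    """Return (tag, length, content_offset) for the DER element at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, length, pos


def embedded_rsa_key_sizes(blob):
    """Find every rsaEncryption OID in blob and, where a well-formed
    SubjectPublicKeyInfo follows it, return the modulus bit length."""
    sizes = []
    start = 0
    while True:
        i = blob.find(RSA_OID, start)
        if i < 0:
            break
        start = i + len(RSA_OID)
        pos = start
        try:
            if blob[pos:pos + 2] == b"\x05\x00":    # optional NULL parameters
                pos += 2
            tag, _, pos = read_tlv(blob, pos)       # BIT STRING subjectPublicKey
            if tag != 0x03:
                continue
            pos += 1                                 # unused-bits byte
            tag, _, pos = read_tlv(blob, pos)       # SEQUENCE RSAPublicKey
            if tag != 0x30:
                continue
            tag, length, pos = read_tlv(blob, pos)  # INTEGER modulus
            if tag != 0x02:
                continue
            modulus = blob[pos:pos + length]
            sizes.append(int.from_bytes(modulus, "big").bit_length())
        except IndexError:                           # truncated at end of blob
            continue
    return sizes


def build_sample_blob():
    """Constructed stand-in for an unpacked binary: filler around ten
    1024-bit keys plus one 2048-bit key, mirroring the article's description."""
    blob = b"MZ" + b"\x00" * 64
    for seed in range(10):
        blob += build_spki(fake_modulus(1024, seed)) + b"\xcc" * 16
    blob += build_spki(fake_modulus(2048, 99)) + b"\x00" * 32
    return blob


def summarize(blob):
    """Histogram of embedded RSA modulus sizes, e.g. {1024: 10, 2048: 1}."""
    return dict(Counter(embedded_rsa_key_sizes(blob)))


if __name__ == "__main__":
    print(summarize(build_sample_blob()))
```

The scan anchors on the OID rather than on PEM headers because a compiled sample usually stores keys as raw DER; a bare PKCS#1 RSAPublicKey with no AlgorithmIdentifier would not be found this way and needs a separate heuristic. A key count like this also tells the responder something practical: with a different public key chosen per victim, a private key recovered for one infection does not unlock the others.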

While many CryptoMix versions aren’t exactly cutting edge, the fast pace of deployment helps give this malware an edge over other offerings. Just as security researchers solve current issues, new variants emerge in the wild. Most are simply small modifications to existing encryption methods, but occasional diversions such as Azer make it tough for victims and experts alike to crack down on crypto code.
