July 24, 2017 By Douglas Bonderud 2 min read

Ransomware depends on speed. Quick infections and tight payment timelines compel users to pay up or risk the loss of critical files, while rapid iteration lets malware-makers stay one step ahead of security experts.

As noted by Bleeping Computer, new strains of CryptoMix malware are now hitting networks within weeks of each other — a tactic previously used by Locky ransomware to confuse and confound users. Here’s a look at the newest crypto variants.

Extended Issues

According to the Bleeping Computer piece, two new variants of CryptoMix have appeared in recent weeks: NOOB and ZAKYA. The main difference? Their file extension, with NOOB appending a NOOB extension and ZAYKA appending ZAYKA.

The two also use different public RSA keys to encrypt AES keys and lock down user files, but both still point to the same address for payment. They also use a ransom note labeled as _HELP_INSTRUCTION.TXT, but the malware-makers have put in varying amounts of effort to communicate their demands.

In the NOOB version, this ransom note offers only basic information, saying, “Need back files?” It then provides the email addresses and a decrypt ID.

The ZAYKA variant, meanwhile, explains that victims must pay the ransom in bitcoins, suggests a way to buy those bitcoins and promises to decrypt three files for free as a show of good faith, so long as the files do not contain valuable information and total less than 1 MB in size. This version of CryptoMix makes it clear that time is running out, informing users that “the price depends on how fast you write to us” and warning that if no email is forthcoming within 36 hours, all decryption keys will be deleted, according to Bleeping Computer.

CryptoMix: Off and Running?

Other variants of CryptoMix have also emerged over the last few weeks. SC Magazine described the .EXTE version, which appends this extension and uses several email hosts to take payment. Bleeping Computer also reported on Azer, a variant of CryptoMix that leveraged a new ransom note file path and odd email addresses for users to pay up. But what really sets Azer apart is its ability to work offline.

Rather than using traceable network communication, this version embeds 10 different RSA-1024 public encryption keys and then selects one to encrypt the AES key, a significant step up from the single RSA-1024 key used by the recent Mole02 variant. Azer is notable here because it operates in a space typically considered safe from ransomware: offline.

While many CryptoMix versions aren’t exactly cutting edge, the fast pace of deployment helps give this malware an edge over other offerings. Just as security researches solve current issues, new variants emerge in the wild. Most are simply small modifications to existing encryption methods, but occasional diversions such as Azer make it tough for victims and experts alike to crack down on crypto code.

More from

DHS awards significant grant to improve tribal cybersecurity

4 min read - The Department of Homeland Security (DHS) has awarded $18.2 million in grants through the Tribal Cybersecurity Grant Program to boost cybersecurity defenses among Native American Indian Tribes. The program takes a big step in addressing the unique digital threats faced by tribal communities — a dedicated effort to improve cybersecurity infrastructure across these regions. The $18.2 million grant is just one component of DHS's broader strategy to enhance national cybersecurity. Administered by the Federal Emergency Management Agency (FEMA) in partnership…

ChatGPT 4 can exploit 87% of one-day vulnerabilities: Is it really that impressive?

2 min read - After reading about the recent cybersecurity research by Richard Fang, Rohan Bindu, Akul Gupta and Daniel Kang, I had questions. While initially impressed that ChatGPT 4 can exploit the vast majority of one-day vulnerabilities, I started thinking about what the results really mean in the grand scheme of cybersecurity. Most importantly, I wondered how a human cybersecurity professional’s results for the same tasks would compare.To get some answers, I talked with Shanchieh Yang, Director of Research at the Rochester Institute…

ONCD releases request for information: Open-source software security

3 min read - Open-source software is a collective partnership across the development community that requires both private and public buy-in. However, securing open-source software can be tricky. With so many different people working on the coding, security measures are often overlooked, increasing the chances that a vulnerability will fall through the cracks and be exploited. The Open-Source Software Security Initiative (OS31) aims to provide governance over open-source security processes. After the Log4Shell vulnerability, securing open-source software became a top priority for the federal…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today