July 24, 2017 By Douglas Bonderud 2 min read

Ransomware depends on speed. Quick infections and tight payment timelines compel users to pay up or risk the loss of critical files, while rapid iteration lets malware-makers stay one step ahead of security experts.

As noted by Bleeping Computer, new strains of CryptoMix malware are now hitting networks within weeks of each other — a tactic previously used by Locky ransomware to confuse and confound users. Here’s a look at the newest crypto variants.

Extended Issues

According to the Bleeping Computer piece, two new variants of CryptoMix have appeared in recent weeks: NOOB and ZAKYA. The main difference? Their file extension, with NOOB appending a NOOB extension and ZAYKA appending ZAYKA.

The two also use different public RSA keys to encrypt AES keys and lock down user files, but both still point to the same address for payment. They also use a ransom note labeled as _HELP_INSTRUCTION.TXT, but the malware-makers have put in varying amounts of effort to communicate their demands.

In the NOOB version, this ransom note offers only basic information, saying, “Need back files?” It then provides the email addresses and a decrypt ID.

The ZAYKA variant, meanwhile, explains that victims must pay the ransom in bitcoins, suggests a way to buy those bitcoins and promises to decrypt three files for free as a show of good faith, so long as the files do not contain valuable information and total less than 1 MB in size. This version of CryptoMix makes it clear that time is running out, informing users that “the price depends on how fast you write to us” and warning that if no email is forthcoming within 36 hours, all decryption keys will be deleted, according to Bleeping Computer.

CryptoMix: Off and Running?

Other variants of CryptoMix have also emerged over the last few weeks. SC Magazine described the .EXTE version, which appends this extension and uses several email hosts to take payment. Bleeping Computer also reported on Azer, a variant of CryptoMix that leveraged a new ransom note file path and odd email addresses for users to pay up. But what really sets Azer apart is its ability to work offline.

Rather than using traceable network communication, this version embeds 10 different RSA-1024 public encryption keys and then selects one to encrypt the AES key, a significant step up from the single RSA-1024 key used by the recent Mole02 variant. Azer is notable here because it operates in a space typically considered safe from ransomware: offline.

While many CryptoMix versions aren’t exactly cutting edge, the fast pace of deployment helps give this malware an edge over other offerings. Just as security researches solve current issues, new variants emerge in the wild. Most are simply small modifications to existing encryption methods, but occasional diversions such as Azer make it tough for victims and experts alike to crack down on crypto code.

More from

Change Healthcare discloses $22M ransomware payment

3 min read - UnitedHealth Group CEO Andrew Witty found himself answering questions in front of Congress on May 1 regarding the Change Healthcare ransomware attack that occurred in February. During the hearing, he admitted that his organization paid the attacker's ransomware request. It has been reported that the hacker organization BlackCat, also known as ALPHV, received a payment of $22 million via Bitcoin.Even though they made the ransomware payment, Witty shared that Change Healthcare did not get its data back. This is a…

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

How I got started: AI security researcher

4 min read - For the enterprise, there’s no escape from deploying AI in some form. Careers focused on AI are proliferating, but one you may not be familiar with is AI security researcher. These AI specialists are cybersecurity professionals who focus on the unique vulnerabilities and threats that arise from the use of AI and machine learning (ML) systems. Their responsibilities vary, but key roles include identifying and analyzing potential security flaws in AI models and developing and testing methods malicious actors could…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today