{
	"id": "cdc5f94a-a4cb-4388-b4dc-714a9303c24f",
	"created_at": "2026-04-06T00:22:37.418629Z",
	"updated_at": "2026-04-10T13:13:07.895917Z",
	"deleted_at": null,
	"sha1_hash": "217130b5add3063aa028be2710110efafc1ae24c",
	"title": "CryptoMix: Avast adds a new free decryption tool to its collection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 220061,
	"plain_text": "CryptoMix: Avast adds a new free decryption tool to its collection\r\nBy Jakub Křoustek 21 Feb 2017\r\nArchived: 2026-04-05 20:57:07 UTC\r\nAvast now provides a decryption tool for ransomware CryptoMix (offline only)\r\nIn cooperation with researchers from CERT.PL, we are happy to announce the release of another decryptor tool\r\nfor the ransomware CryptoMix. CryptoMix has multiple aliases, including CryptFile2, Zeta, or the most recent\r\nalias CryptoShield.\r\nPlease note: a successful decryption is not always possible. See a description of the limitations below.\r\nCryptoMix is a ransomware strain that was first spotted in March 2016. In early 2017, its author(s) renamed\r\nCryptoMix to CryptoShield. The spread of this ransomware could be described as a medium level of prevalence\r\nand has been steady since its discovery. It uses exploit kits (RIG at the moment) as its main delivery method.\r\nOnce CryptoMix infects a machine, it tries to communicate with its Command and Control (C\u0026C) server to\r\nestablish a key to encrypt files (the AES-256 algorithm is used). However, if the server is not available or if there\r\nis a connection issue (e.g. blocked communication by a firewall), the ransomware will encrypt files with one of its\r\nfixed keys, or “offline key”.\r\nOur decryption tool for CryptoMix can decrypt files that were encrypted using the “offline key”. In cases where\r\nthe offline key was not used to encrypt files, our tool will be unable to restore the files and will not modify any\r\nfiles.\r\nYou can distinguish CryptoMix by its new file extensions added to the original file names: .CRYPTOSHIELD,\r\n.scl, .rscl, .lesli, .rdmk, .code, or .rmd. 
Furthermore, the ransom notes are located in files with the names\r\nHELP_DECRYPT_YOUR_FILES.HTML, # RESTORING FILES #.TXT, etc.\r\nhttps://blog.avast.com/cryptomix-avast-adds-a-new-free-decryption-tool-to-its-collection\r\nPage 1 of 4\n\nCryptoMix is a nasty ransomware strain that has been spreading for a while. Its code quality is pretty low\r\ncompared to its competitors and it even contains flaws that may cause your files to become undecryptable. You\r\ncan easily find online complaints left by victims who paid the ridiculous ransom amounts (5-10 bitcoins ~\r\n$5,000-$10,000) and were left without decrypted files. This might be the reason why its authors are changing\r\nthe name so often - would you even consider paying someone with such a negative reputation?\r\nAs always, we advise you not to pay the ransom! There’s always a chance that your files can be decrypted, for free,\r\nin the future. The decryption tool released by us today might offer hope for at least some of those affected by CryptoMix.\r\nHow to protect yourself from ransomware\r\nMake sure you have antivirus, like Avast, installed on all of your devices. Antivirus will act like a safety\r\nnet and block ransomware before it can cause any damage, in case you accidentally try to download it.\r\nBe smart and alert. Ransomware distributors often use social engineering tactics to trick people into\r\ndownloading the ransomware. Be careful which links and attachments you open and what you download\r\non the web. Make sure you verify the source of emails including links and attachments and only download\r\nsoftware and visit trusted sites.\r\nBack up your data properly on a regular basis. 
Be sure to not keep your backups connected to your devices\r\nall the time, otherwise, your backups could be held ransom as well.\r\nIf you do become infected with ransomware, make sure to check out our free ransomware decryptor tools to see if\r\nwe can help you get your files back!\r\nAcknowledgment\r\nWe would like to thank the researchers from CERT.PL for their detailed analysis of CryptoMix and for the set of\r\noffline keys they provided us, to supplement our list. Furthermore, a special thanks also goes to my colleague\r\nLadislav Zezula for preparing this decryptor.\r\nIOCs\r\nSource: 
https://blog.avast.com/cryptomix-avast-adds-a-new-free-decryption-tool-to-its-collection",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.avast.com/cryptomix-avast-adds-a-new-free-decryption-tool-to-its-collection"
	],
	"report_names": [
		"cryptomix-avast-adds-a-new-free-decryption-tool-to-its-collection"
	],
	"threat_actors": [],
	"ts_created_at": 1775434957,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/217130b5add3063aa028be2710110efafc1ae24c.pdf",
		"text": "https://archive.orkl.eu/217130b5add3063aa028be2710110efafc1ae24c.txt",
		"img": "https://archive.orkl.eu/217130b5add3063aa028be2710110efafc1ae24c.jpg"
	}
}