# "Proof of Concept" CryptoWire Ransomware Spawns Lomix and UltraLocker Families

Source: bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/

By [Catalin Cimpanu](https://www.bleepingcomputer.com/author/catalin-cimpanu/), December 9, 2016 02:31 PM

A new open-source ransomware project, uploaded on GitHub as a "proof of concept," has now spawned three new ransomware families that are infecting users in real life.

The original CryptoWire project was uploaded to GitHub by an anonymous user this past May. The project, still available for download, contains a ZIP archive with the ransomware's source code and a README file advertising CryptoWire's capabilities.

*Contents of the CryptoWire package*

According to its author, the ransomware is written in the AutoIt scripting language and locks files stored on network drives, network shares, USB drives, external disks, internal disks, and cloud storage apps running on the machine, such as OneDrive, Dropbox, Google Drive, and Steam.

CryptoWire uses the AES-256 algorithm for its encryption operations and encrypts all files smaller than 30MB (an adjustable limit). The README file might have been outdated, as the ransomware's source code included file extension filters (pictured below).

The README claims the encryption process makes a copy of each targeted file, encrypts the copy, overwrites the original file ten times, and then permanently deletes it. After the encryption process ends, CryptoWire deletes all shadow volume copies, overwrites the contents of the Recycle Bin ten times, and permanently deletes it.

When displaying the ransom note, CryptoWire checks whether the infected machine is part of a domain and, if so, multiplies the ransom demand by 10 (an adjustable value).

CryptoWire's author said they shipped the ransomware without a backend panel "to prevent skids from abusing it."

Unfortunately, skids abused it.
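One of the behaviours the README describes, deleting the shadow volume copies, is something defenders can watch for in process-creation telemetry. This Python snippet is an added example, not code from the article or from the CryptoWire project: it flags shadow-copy deletion commands in constructed log lines. The log format is made up for the example, and the vssadmin/wmic command patterns are common Windows administration commands assumed here, not taken from CryptoWire's source.

```python
import re

# Constructed Sysmon-style process-creation events (made up for this example, not real telemetry).
SAMPLE_LOGS = [
    '2016-12-09T14:31:02Z host=WS01 ppid=4412 image=C:\\Windows\\explorer.exe cmd="explorer.exe"',
    '2016-12-09T14:31:07Z host=WS01 ppid=5120 image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin delete shadows /all /quiet"',
    '2016-12-09T14:31:09Z host=WS01 ppid=5120 image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd="wmic shadowcopy delete"',
    '2016-12-09T14:32:00Z host=WS02 ppid=880 image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin list shadows"',
]

# Command lines that destroy or shrink Volume Shadow Copies (assumed patterns, not taken from CryptoWire).
# "vssadmin list shadows" is a benign admin query and must not match.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"^vssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"^vssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I),
    re.compile(r"^wmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) ppid=(?P<ppid>\d+) image=(?P<image>\S+) cmd="(?P<cmd>[^"]*)"$'
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def flag_shadow_copy_deletion(lines):
    """Return the events whose command line deletes or shrinks shadow copies."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev and any(p.search(ev["cmd"]) for p in SHADOW_DELETE_PATTERNS):
            hits.append({"ts": ev["ts"], "host": ev["host"], "ppid": int(ev["ppid"]), "cmd": ev["cmd"]})
    return hits


def suspicious_parents(hits):
    """Count flagged commands per (host, parent pid); one parent issuing several is a stronger signal."""
    counts = {}
    for h in hits:
        key = (h["host"], h["ppid"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    flagged = flag_shadow_copy_deletion(SAMPLE_LOGS)
    for h in flagged:
        print(f"{h['ts']} {h['host']} ppid={h['ppid']} ALERT shadow copy deletion: {h['cmd']}")
    print(suspicious_parents(flagged))
```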
## Real-life CryptoWire spawns

The first CryptoWire spawn was detected at the end of October by GData malware analyst [Karsten Hahn](https://twitter.com/struppigel), using the same name: CryptoWire. This version appears to have been under development, as one crucial button for the decryption process was missing from its interface.

*CryptoWire variant, October 2016*

A month later, security researcher [S!Ri](https://twitter.com/siri_urz) discovered the Lomix ransomware, pictured below.

*Lomix ransomware, November 2016*

Today, the same Karsten Hahn came across another CryptoWire variant that goes by the name of UltraLocker and spreads via a spam campaign delivering malicious Word files.

*UltraLocker ransomware, December 2016*

The problem of open-source and so-called "educational" ransomware has been discussed numerous times in the past. Previous open-source ransomware families include Hidden Tear, EDA2, [CryptoTrooper](http://news.softpedia.com/news/new-open-source-linux-ransomware-shows-infosec-community-divide-508669.shtml), and [Heimdall](https://www.bleepingcomputer.com/news/security/heimdall-open-source-php-ransomware-targets-web-servers/).

In all cases, the authors of these projects have hidden from any responsibility for the damage their code caused simply by using words such as "educational" and "proof of concept," not realizing that real-life malware coders don't care. Most crooks look at open-source ransomware as free labor: hours of work they don't have to put into designing, documenting, and writing their own code.

How about we stop giving crooks a helping hand?
### Comments

[Uselesslight - 5 years ago](https://www.bleepingcomputer.com/forums/u/876055/uselesslight/)

Or alternatively, Catalin, why don't we not stop "helping" crooks? I see the points you're making, and they are concise and accurate, but on the other hand: do you not feel that the masses need education, on all topics? It is understandable that so-called crooks are going to try and repurpose these types of software; why would they not? However, this is a byproduct of education. We have schools that teach people about bombs; why do they not get told to stop helping the crooks? People can utilize this knowledge for very good purposes, like all things.

I strongly feel that these open-source ransomware projects popping up periodically could turn out to be more beneficial. If more people familiarize themselves with the concepts, two things could potentially happen:

1) People are going to garner more awareness of security issues such as these, and having a working proof of concept will make it easier to educate people who are misinformed.

2) More knowledge of ransomware in general is made possible by this.

Would it not be great if encryption as it is became a common understanding and issues like ransomware would go away? Think of the possibilities if everyone was capable of decrypting their files following a ransomware infection.

Also, the so-called crooks utilizing open-source software are DEFINITELY not the ones that are going to be causing serious damages... Of course, I do see your point on the matter, but this is just another take on that.
[Struppigel - 5 years ago](https://www.bleepingcomputer.com/forums/u/976061/struppigel/)

"Also, the so-called crooks utilizing open-source software, are DEFINITELY not the ones that are going to be causing serious damages..."

Have you ever had a look at the forums for the help requests for all the HiddenTear/EDA2 variants? They are causing major damage to people and organizations. Some of my colleagues and I have written articles about that matter, because it has been discussed a lot lately. If you are interested in our reasoning, you might want to read this: https://blog.gdatasoftware.com/2016/11/29289-it-s-educational-on-the-no-1argument-for-open-source-ransomware

[Uselesslight - 5 years ago](https://www.bleepingcomputer.com/forums/u/876055/uselesslight/)

Certainly I will have a read through your publication. Don't get me wrong, I'm not trying to say "my way or the highway". I just see the value in learning this kind of stuff.

[Amigo-A - 5 years ago](https://www.bleepingcomputer.com/forums/u/998576/amigo-a/)

HiddenTear/EDA2 or CryptoWire... It's like those who produce grenades, bombs and deadly weapons, and then cry out for mercy. If you made a bombshell and put it in the wrong hands, it will fly and explode, causing injury and death.

[Uselesslight - 5 years ago](https://www.bleepingcomputer.com/forums/u/876055/uselesslight/)

That is kind of my point, Amigo-A: everything that has ever been created has the potential of being misused. It's going to exist one way or another, though; there is nothing we can do. At this point the lesser of two evils is to embrace it and learn as much as we can. The only hope we have against ransomware, it seems, is education now.