{
	"id": "6d2be587-cac2-4741-93f0-a12082473b5f",
	"created_at": "2026-04-06T00:14:20.860944Z",
	"updated_at": "2026-04-10T13:13:07.281418Z",
	"deleted_at": null,
	"sha1_hash": "fb43c6101a59dda1cf18b91fc1a5ed9065d58c7f",
	"title": "\"Proof of Concept\" CryptoWire Ransomware Spawns Lomix and UltraLocker Families",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 895994,
	"plain_text": "\"Proof of Concept\" CryptoWire Ransomware Spawns Lomix and\r\nUltraLocker Families\r\nBy Catalin Cimpanu\r\nPublished: 2016-12-09 · Archived: 2026-04-05 19:08:42 UTC\r\nA new open-source ransomware project uploaded on GitHub as a \"proof of concept,\" has now spawned three new\r\nransomware families that are infecting users in real-life.\r\nThe original CryptoWire project was uploaded to GitHub by an anonymous user this past May.\r\nThe project, still available for download, contains a ZIP archive, with the ransomware's source code, and a README file\r\nadvertising CryptoWire's capabilities.\r\nContents of the CryptoWire package\r\nAccording to its author, the ransomware is written in the AutoIt scripting language and locks files stored on network drives,\r\nnetwork shares, USB drives, external disks, internal disks, and cloud storage apps running on the machine such as Onedrive,\r\nDropbox, Google Drive, and Steam.\r\nhttps://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nCryptoWire uses the AES-256 algorithm for the encryption operations, which will encrypt all files smaller than 30MB\r\n(adjustable limit). 
The README file might have been outdated, as the ransomware's source code included file extension\r\nfilters (pictured below).\r\nThe README claims the encryption process makes a copy of the targeted files, encrypts the copy, overwrites the original\r\nfile ten times, and then permanently deletes it.\r\nAfter the encryption process ends, CryptoWire will delete all shadow volume copies, and overwrite the content of the\r\nRecycleBin ten times and permanently delete it.\r\nWhen displaying the ransom note, CryptoWire will check if the infected target is part of a domain and, if so, multiply the ransom\r\ndemand by 10 (adjustable value).\r\nCryptoWire's author said it shipped the ransomware without a backend panel \"to prevent skids from abusing it.\"\r\nUnfortunately, skids abused it.\r\nReal-life CryptoWire spawns\r\nThe first CryptoWire spawn was detected at the end of October by GData malware analyst Karsten Hahn, using the same\r\nname: CryptoWire.\r\nThis version appears to have been under development, as one crucial button for the decryption process was missing from its\r\ninterface.\r\nCryptoWire variant, October 2016\r\nA month later, security researcher S!Ri discovered the Lomix ransomware, pictured below.\r\nLomix ransomware, November 2016\r\nToday, the same Karsten Hahn has come across another CryptoWire variant that goes by the name of UltraLocker and\r\nspreads via a spam campaign delivering malicious Word files.\r\nUltraLocker ransomware, December 2016\r\nThe problem of open-source and so-called \"educational\" ransomware has been discussed in the past numerous times.\r\nPrevious open-source ransomware families included Hidden Tear, EDA2, CryptoTrooper, and Heimdall.\r\nIn all 
cases, the authors of these projects have hidden from any responsibility and damage their code would have caused just\r\nby using words such as \"educational\" and \"proof of concept,\" not realizing that real-life malware coders don't care.\r\nMost crooks look at open-source ransomware as free work, and hours of work they don't have to put in designing,\r\ndocumenting, and writing their own code. How about we stop giving crooks a helping hand, shall we?\r\nSource: https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/"
	],
	"report_names": [
		"-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families"
	],
	"threat_actors": [],
	"ts_created_at": 1775434460,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fb43c6101a59dda1cf18b91fc1a5ed9065d58c7f.pdf",
		"text": "https://archive.orkl.eu/fb43c6101a59dda1cf18b91fc1a5ed9065d58c7f.txt",
		"img": "https://archive.orkl.eu/fb43c6101a59dda1cf18b91fc1a5ed9065d58c7f.jpg"
	}
}