A new variant of the CryptoMix ransomware, also known as CryptoShield, has been discovered. Its current method of distribution is unknown. The ransomware is hard-coded with several public keys, which it uses to encrypt files offline (no contact with a remote server is needed before encryption starts). Once a file has been encrypted, its filename is appended with the extension .ERROR.
CryptoMix deletes volume shadow copies and attempts to stop a number of services using the Windows command-line tool ‘sc’. It also persists across reboots by creating an entry in the registry.
The services which are stopped include:
- Microsoft Security Center
- Windows Defender
- Windows Update
- Background Intelligent Transfer Service (BITS)
- Microsoft Error Reporting Service
To stop these services, the account under which the ransomware runs must have sufficient privileges; a standard (non-administrative) user account cannot stop them, so running without administrative rights limits this part of the malware's behaviour.
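The service-stopping and shadow-copy deletion described above leave a clear trace in process-creation telemetry. The following is an added example, not from the original advisory or from any vendor tooling: it parses constructed, Sysmon/4688-style process-creation records, matches `sc stop` of the five listed services (the short names such as `wscsvc` and `WinDefend` are assumed here, since the advisory gives display names only) and `vssadmin delete shadows` (the tool is an assumption; the advisory only says shadow copies are deleted), and raises an alert when a single parent process is responsible for two or more of the stops, or for a stop combined with shadow-copy deletion. The log format, host names and users are all constructed.

```python
import re
from collections import defaultdict

# Windows short names for the five services named in the advisory. The advisory
# gives display names only, so this mapping is added here.
PROTECTED_SERVICES = {
    "wscsvc": "Microsoft Security Center",
    "windefend": "Windows Defender",
    "wuauserv": "Windows Update",
    "bits": "Background Intelligent Transfer Service",
    "wersvc": "Windows Error Reporting Service",
}

# 'sc [\\server] stop <service>' as it appears in a process command line.
SC_STOP_RE = re.compile(
    r'(?:^|[\\/\s])sc(?:\.exe)?\s+(?:\\\\\S+\s+)?stop\s+"?([\w.-]+)"?', re.I)
# Shadow-copy deletion through vssadmin. The advisory says shadow copies are
# deleted but not how; vssadmin is the assumed tool.
VSS_DELETE_RE = re.compile(r'vssadmin(?:\.exe)?\s+delete\s+shadows', re.I)

# One constructed process-creation record per line (4688/Sysmon-style fields).
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+pid=(?P<pid>\d+)\s+ppid=(?P<ppid>\d+)'
    r'\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$')

# Constructed sample: one parent (ppid 3988 on WS01) stopping all five services and
# deleting shadow copies, plus two benign single-service stops by administrators.
SAMPLE_LOG = """\
2017-02-01T10:15:30Z host=WS01 pid=4100 ppid=3988 user=WS01\\alice cmd=C:\\Windows\\System32\\sc.exe stop wscsvc
2017-02-01T10:15:31Z host=WS01 pid=4104 ppid=3988 user=WS01\\alice cmd=sc stop WinDefend
2017-02-01T10:15:31Z host=WS01 pid=4108 ppid=3988 user=WS01\\alice cmd=sc stop wuauserv
2017-02-01T10:15:32Z host=WS01 pid=4112 ppid=3988 user=WS01\\alice cmd=sc stop BITS
2017-02-01T10:15:32Z host=WS01 pid=4116 ppid=3988 user=WS01\\alice cmd=sc stop WerSvc
2017-02-01T10:15:33Z host=WS01 pid=4120 ppid=3988 user=WS01\\alice cmd=vssadmin.exe delete shadows /all /quiet
2017-02-01T11:02:10Z host=WS02 pid=2200 ppid=1040 user=CORP\\helpdesk cmd=sc stop Spooler
2017-02-01T11:05:44Z host=WS03 pid=3300 ppid=2012 user=CORP\\patchadmin cmd=sc stop wuauserv
"""


def parse_event(line):
    """Turn one record into a dict, or None if the line is not in the expected shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    ev["ppid"] = int(ev["ppid"])
    return ev


def classify(cmd):
    """Return ("service_stop", short_name) for a stop of a protected service,
    ("shadow_delete", None) for vssadmin shadow deletion, otherwise None."""
    m = SC_STOP_RE.search(cmd)
    if m:
        name = m.group(1).lower()
        return ("service_stop", name) if name in PROTECTED_SERVICES else None
    if VSS_DELETE_RE.search(cmd):
        return ("shadow_delete", None)
    return None


def find_tampering(lines, min_services=2):
    """Group hits by (host, parent pid). A parent that stops at least min_services
    protected services, or stops any of them and also deletes shadow copies, is
    reported; an administrator stopping a single service is not."""
    by_parent = defaultdict(lambda: {"services": set(), "shadow_delete": False, "user": None})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        hit = classify(ev["cmd"])
        if hit is None:
            continue
        rec = by_parent[(ev["host"], ev["ppid"])]
        rec["user"] = ev["user"]
        if hit[0] == "service_stop":
            rec["services"].add(hit[1])
        else:
            rec["shadow_delete"] = True
    alerts = []
    for (host, ppid), rec in sorted(by_parent.items()):
        if len(rec["services"]) >= min_services or (rec["services"] and rec["shadow_delete"]):
            alerts.append({"host": host, "ppid": ppid, "user": rec["user"],
                           "services": sorted(rec["services"]),
                           "shadow_delete": rec["shadow_delete"]})
    return alerts


if __name__ == "__main__":
    for alert in find_tampering(SAMPLE_LOG.splitlines()):
        names = ", ".join(PROTECTED_SERVICES[s] for s in alert["services"])
        print(f'{alert["host"]} parent pid {alert["ppid"]} ({alert["user"]}): stopped {names}; '
              f'shadow copies deleted: {alert["shadow_delete"]}')
```

Grouping by parent PID is what separates the ransomware's burst of `sc stop` calls from an administrator stopping one service by hand; set `min_services=1` if you would rather review every stop of these services.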
Affected platforms: Microsoft Windows – all versions.
Recommended mitigations:
- Users run with no more privileges than they need for their day-to-day work.
- Regular backups are kept and stored away from the network.
- Cyber-awareness training is kept up to date.
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and a wide range of other skills in radio, electronics and telecommunications.