New Variant Of CryptoMix Ransomware

A new variant of the CryptoMix ransomware family, also known as CryptoShield, has been discovered. Its current distribution method is unknown. The ransomware carries several hard-coded public keys, which let it encrypt files offline without first fetching a key from a server. Once a file has been encrypted, its filename is modified and the extension .ERROR is appended.

CryptoMix deletes Volume Shadow Copies, removing the local restore points a victim might otherwise recover files from, and attempts to stop a number of services using the Windows command-line tool ‘sc’. It also persists across reboots by creating a registry entry.

The services which are stopped include:

  • Microsoft Security Center
  • Windows Defender
  • Windows Update
  • Background Intelligent Transfer Service (BITS)
  • Microsoft Error Reporting Service

Stopping these services requires administrative privileges: if the account the malware runs under does not have them, the ‘sc’ commands fail and the protective services keep running.
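The ‘sc’ activity described above is easy to hunt for in process-creation telemetry (Sysmon Event ID 1 or Security event 4688, as a SIEM might normalise them). The following is an added example for this page, not the malware's own code and not from the original article: it pulls every ‘sc stop’, ‘sc delete’ and ‘sc config … start= disabled’ out of a command line, even when wrapped in ‘cmd.exe /c’ or chained with ‘&’, and flags an actor that takes down two or more of the listed services. The service short names (wscsvc, WinDefend, wuauserv, BITS, WerSvc), the event field names and the sample events are assumptions made for the example.

```python
"""Hunt for the service-stopping behaviour described above in process-creation
telemetry. Added example, not the malware's code and not from the original
article; service short names, the event shape and the sample events are assumed."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed short names for the display names in the article (sc acts on short names).
TARGETED_SERVICES = {
    "wscsvc":    "Microsoft Security Center",
    "windefend": "Windows Defender",
    "wuauserv":  "Windows Update",
    "bits":      "Background Intelligent Transfer Service (BITS)",
    "wersvc":    "Windows Error Reporting Service",
}

# One sc invocation anywhere in a command line: tolerates a full path, quoting,
# a "cmd.exe /c ..." wrapper, & or | chaining and the optional \\server argument.
SC_INVOCATION = re.compile(
    r'''(?:^|[\s"&|(])          # start of line, whitespace, quote or command separator
        (?:\S*\\)?              # optional path prefix such as C:\Windows\System32
        sc(?:\.exe)?"?\s+       # the sc tool, possibly closing a quoted path
        (?:\\\\\S+\s+)?         # optional \\server target
        (?P<verb>stop|delete|config)\s+
        "?(?P<svc>[^\s"&|]+)"?  # service short name
        (?P<rest>[^&|]*)        # remaining arguments up to the next separator
    ''',
    re.IGNORECASE | re.VERBOSE,
)


def extract_sc_actions(command_line):
    """Return [(verb, service)] for each sc stop/delete or sc config ... start= disabled."""
    actions = []
    for m in SC_INVOCATION.finditer(command_line):
        verb, svc = m.group("verb").lower(), m.group("svc").lower()
        if verb == "config":
            if not re.search(r"start=\s*disabled\b", m.group("rest"), re.IGNORECASE):
                continue  # other config changes do not take the service down
            verb = "disable"
        actions.append((verb, svc))
    return actions


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    parent_image: str  # process that launched sc/cmd: the likely malware binary
    verb: str
    service: str
    display_name: str


def scan_process_events(events):
    """events: dicts with timestamp, user, parent_image and command_line (assumed shape)."""
    findings = []
    for ev in events:
        for verb, svc in extract_sc_actions(ev["command_line"]):
            if svc in TARGETED_SERVICES:
                findings.append(Finding(ev["timestamp"], ev["user"], ev["parent_image"],
                                        verb, svc, TARGETED_SERVICES[svc]))
    return findings


def suspicious_actors(findings, threshold=2):
    """Group by (user, parent image) and keep actors that stopped, deleted or disabled
    at least `threshold` distinct listed services: a lone 'sc stop wuauserv' by an
    administrator stays below it, the ransomware's sweep does not."""
    hit = defaultdict(set)
    for f in findings:
        hit[(f.user, f.parent_image)].add(f.service)
    return {actor: sorted(s) for actor, s in hit.items() if len(s) >= threshold}


# Constructed sample telemetry, not real logs: one infected user, one admin doing routine work.
SAMPLE_EVENTS = [
    {"timestamp": "2017-02-01T10:15:01Z", "user": r"WS01\alice",
     "parent_image": r"C:\Users\alice\AppData\Roaming\updater.exe",
     "command_line": "cmd.exe /c sc stop wscsvc & sc config WinDefend start= disabled"},
    {"timestamp": "2017-02-01T10:15:02Z", "user": r"WS01\alice",
     "parent_image": r"C:\Users\alice\AppData\Roaming\updater.exe",
     "command_line": r'"C:\Windows\System32\sc.exe" stop BITS'},
    {"timestamp": "2017-02-01T10:15:02Z", "user": r"WS01\alice",
     "parent_image": r"C:\Users\alice\AppData\Roaming\updater.exe",
     "command_line": r"sc \\WS01 stop WerSvc"},
    {"timestamp": "2017-02-01T11:02:44Z", "user": r"CORP\helpdesk",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": "sc query wuauserv"},
    {"timestamp": "2017-02-01T11:03:10Z", "user": r"CORP\helpdesk",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": "sc stop Spooler"},
    {"timestamp": "2017-02-01T11:03:30Z", "user": r"CORP\helpdesk",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": "sc stop wuauserv"},
]

if __name__ == "__main__":
    for (user, image), services in suspicious_actors(scan_process_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {user} via {image} took down: {', '.join(services)}")
```

Grouping on the parent image rather than on ‘sc.exe’ itself is what attributes the sweep to the dropped binary, and the threshold keeps a single administrative ‘sc stop wuauserv’ from paging anyone; tune the service list and threshold to what your own administrators actually do.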

Affected Platforms:

Microsoft Windows – all versions

Resolution:

  • Ensure users run with the minimum privileges they need: a standard (non-administrator) account cannot stop these services or delete shadow copies.
  • Keep regular backups, stored offline or otherwise away from the network so that ransomware on an infected machine cannot reach them.
  • Keep cyber-awareness training up to date.




Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
