A new variant of the CryptoMix ransomware is being distributed through the RIG exploit kit, researchers said.
The new CryptoMix variant, discovered by Proofpoint security researcher Kafeine, encrypts each file with AES-256, rotates the filename with ROT-13 (a trivially reversible substitution, not real encryption) and appends the .CRYPTOSHIELD extension to it.
The malware drops a ransom note in every folder that holds encrypted files, and it also attempts to disable Windows startup recovery and delete the Windows Shadow Volume Copies so that users cannot restore their data from them.
The malware then shows a fake alert informing the user that Explorer.exe has encountered a problem. The window offers only an "OK" button, and when the user clicks it, a User Account Control prompt appears requesting permission to run a process.
If the user accepts the prompt, the ransomware displays a note informing them of the infection and how they can pay the ransom to recover their files.
The note refers to the ransomware as CryptoShield 1.0 and provides victims with three email addresses they can contact to kick off the ransom payment and file recovery process. The ransom note is essentially unchanged from what CryptoMix issued last year, except for the new malware name and the use of different email addresses in the newly spotted campaign, said Webroot researchers.