CryptFile2

CryptFile2 targets the Windows OS and is distributed via the Nuclear and Neutrino exploit kits. More recently, it has been spread via large-scale email campaigns designed primarily to target U.S. government agencies and educational institutions. The subject lines of these emails promise discounted flights from American Airlines, and the email bodies contain embedded URLs leading to downloadable Microsoft Word documents containing malicious macros. If the recipient enables these macros, the ransomware payload downloads and executes on the system. CryptFile2 contacts its C2 server, requests a file named default.jpg, and then encrypts targeted files, appending a combination of a unique victim ID number and the attacker's email address to the encrypted file names in the following format: .id_[personalid]_[attackeremail].scl. The ransom payment demand for CryptFile2 is currently unknown.

UPDATE 1/4/2017: CryptFile2 has recently been rebranded as CryptoMix.

UPDATE 1/23/2017: A new version of CryptFile2, also known as CryptoMix, appends .rdmk to encrypted file names and drops a ransom note named INSTRUCTION RESTORE FILE.txt.

UPDATE 3/15/2017: A new version, dubbed Revenge, is being distributed via the RIG exploit kit. It displays a fake alert, uses AES-256 encryption, and appends .REVENGE to encrypted file names. It also drops a ransom note named # !!!HELP_FILE!!! #.txt. Current email addresses used by the hackers behind this campaign include rev00@india.com, revenve00@writeme.com, and rev_reserv@india.com. There is currently no free tool available to decrypt this version.

UPDATE 4/13/2017: A new version, dubbed Mole, is distributed via spam emails masquerading as shipping notifications. The subject line suggests that there is a problem delivering the recipient's package, in an attempt to convince the recipient to click on the malicious link included in the body of the email. The link actually points to a fake Microsoft Word Online website that displays text claiming a document cannot be viewed and that the end user needs to install a plugin in order to continue. If the download button is clicked, one of two files is downloaded: plugin-office.exe or pluginoffice.exe. If either of these files is opened, Mole begins its installation process. It displays a UAC prompt to request administrative privileges. If granted, Mole establishes communication with its C2 server, sends the unique victim ID to the attacker, and receives an RSA-1024 public key that is used to encrypt the AES key with which the victim's files are encrypted. Mole stops various services on the system, including Windows Defender, Windows Update, and Windows Error Reporting, disables Windows startup recovery, and deletes the Shadow Volume Copies. Files encrypted by Mole follow the naming convention [32_hex_chars].MOLE, e.g., 4E47636C1F31519446A78F711F4A1670.MOLE. It also drops a ransom note named INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT. Currently, there is no free tool available to decrypt this version.

5/1/2017: A new version, dubbed Wallet Ransomware by Bleeping Computer, uses the following naming convention for encrypted files: .[EMAIL_ADDRESS].ID[VICTIM._16_CHAR_ID].WALLET. It also drops a ransom note named #_RESTORING_FILES_#.TXT. Current email addresses associated with this campaign include shieldo@usa.com, admin@hoist.desi, and crysis@life.com. There are currently no free decryption tools available for this version, and the distribution method is unknown.

6/20/2017: A new version of Mole has been impacting victims across the globe, with one reported case to date in New Jersey. Analysis suggests that this ransomware campaign uses malicious advertising, or malvertising, that redirects victims to the Stegano/Astrum exploit kit to deliver the payload. It appends .mole02 to the names of encrypted files and drops a ransom note named _HELP_INSTRUCTION. Executable files associated with this version include mopslb.tmp and ldmso.tmp. Associated IP addresses include 137.74.163[.]43 and 185.45.193[.]123. Another version was spotted on 7/4/2017 appending .mole00 to file names.

7/5/2017: A new version of CryptFile2/CryptoMix, dubbed Azer, was discovered. It encrypts the file name and appends -email-[email_address].azer. An example provided by Bleeping Computer shows the following file name after encryption: 32A1CD301F2322B032AA8C8625EC0768-email-[webmafia@asia.com].AZER. Azer does not require a network connection to perform the encryption process, which launches from the %AppData% folder and embeds ten RSA-1024 public encryption keys. It drops a ransom note named _INTERESTING_INFORMACION_FOR_DECRYPT.TXT. Email addresses associated with Azer include webmafia@asia.com and donald@trampo.info.

7/14/2017: A new version, dubbed Exte, appends .exte to the names of encrypted files and drops a ransom note named _HELP_INSTRUCTION.TXT. It uses the same 10 public RSA keys as the Azer version. Email addresses associated with this version include exte1@msgden.net, exte2@protonmail.com, and exte3@reddithub.com.

7/20/2017: New versions append .NOOB and .ZAYKA to the names of encrypted files.

8/7/2017: New versions append .CNC and .OGONIA to file names and drop a ransom note named _HELP_INSTRUCTION.TXT.

8/18/2017: A new version modifies the file names and appends the extension .ERROR. Associated email addresses include error01@msgden.com, error02@webmeetme.com, and error03@protonmail.com. This version does not require a connection to a C2 server to complete the encryption process.

8/25/2017: A new version changes the names of encrypted files to 32 alphanumeric characters and appends .EMPTY to the end. It also drops a ransom note named _HELP_INSTRUCTION.TXT and deletes Shadow Volume Copies to prevent data restoration by the victim. Associated email addresses include empty01@techmail.info, empty02@yahooweb.co, and empty003@protonmail.com.

9/1/2017: A new version changes the names of encrypted files to 32 alphanumeric characters and appends .arena to the end. It also drops a ransom note named _HELP_INSTRUCTION.TXT. This version does not require a connection to a C2 server to complete the encryption process.

9/21/2017: A new version appends .shark to the names of encrypted files and drops a ransom note named _HELP_INSTRUCTION.TXT. It contains 11 public RSA-1024 encryption keys used to encrypt the AES key that encrypts the infected system's files. This version does not require a connection to a C2 server to complete the encryption process. Associated email addresses include shark01@msgden.com, shark02@techmail.info, and shark003@protonmail.com.
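The file-naming conventions and ransom note names collected above are enough to triage a file listing from a suspected infection and attribute it to a variant. The following Python is an added example written for this page, not code from any of the vendors cited; the regexes are built from the formats described above, and the sample listing, helper names and the email/ID values in it are constructed.

```python
import re
# Naming conventions from this profile as regexes (hypothetical helper code, not a vendor
# tool). Named groups: vid = victim ID, email = attacker contact address.
PATTERNS = [
    ("CryptFile2", re.compile(r"\.id_(?P<vid>[^_]+)_(?P<email>\S+?)\.scl$", re.I)),
    ("Mole", re.compile(r"^(?P<vid>[0-9a-f]{32})\.mole$", re.I)),
    ("Wallet", re.compile(r"\.\[(?P<email>[^\]]+)\]\.id\[(?P<vid>[^\]]+)\]\.wallet$", re.I)),
    ("Azer", re.compile(r"^(?P<vid>[0-9a-f]{32})-email-\[(?P<email>[^\]]+)\]\.azer$", re.I)),
    ("EMPTY", re.compile(r"^(?P<vid>[0-9a-z]{32})\.empty$", re.I)),
]
# Variants whose only documented file marker is the appended extension.
EXT_ONLY = {".rdmk": "CryptoMix", ".revenge": "Revenge", ".mole02": "Mole02", ".mole00": "Mole00",
            ".exte": "Exte", ".noob": "NOOB", ".zayka": "ZAYKA", ".cnc": "CNC", ".ogonia": "OGONIA",
            ".error": "ERROR", ".shark": "shark", ".arena": "arena"}
# Ransom note file names listed on this page, compared case-insensitively.
NOTE_NAMES = {"instruction restore file.txt", "# !!!help_file!!! #.txt",
              "instruction_for_helping_file_recovery.txt", "#_restoring_files_#.txt",
              "_help_instruction.txt", "_interesting_informacion_for_decrypt.txt"}

def classify_filename(path):
    """Return {variant, victim_id, email} if the name matches a known convention, else None."""
    base = re.split(r"[\\/]", path)[-1]  # works for Windows and POSIX paths
    for variant, rx in PATTERNS:
        m = rx.search(base)
        if m:
            g = m.groupdict()
            return {"variant": variant, "victim_id": g.get("vid"), "email": g.get("email")}
    ext = base[base.rfind("."):].lower() if "." in base else ""
    return {"variant": EXT_ONLY[ext], "victim_id": None, "email": None} if ext in EXT_ONLY else None

def triage(paths):
    """Summarise a listing: hits per variant, ransom notes seen, attacker contacts found."""
    hits, notes, emails = {}, [], set()
    for p in paths:
        if re.split(r"[\\/]", p)[-1].lower() in NOTE_NAMES:
            notes.append(p)
        elif (r := classify_filename(p)) is not None:
            hits[r["variant"]] = hits.get(r["variant"], 0) + 1
            if r["email"]:
                emails.add(r["email"].lower())
    return {"variants": hits, "notes": notes, "emails": sorted(emails)}
# Constructed sample listing (not real victim data) mixing several conventions.
SAMPLE = [
    r"C:\Users\jdoe\Documents\budget.xlsx.id_1234567_attacker@example.com.scl",
    r"C:\Users\jdoe\Pictures\4E47636C1F31519446A78F711F4A1670.MOLE",
    r"C:\Users\jdoe\Pictures\INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT",
    "/srv/share/32A1CD301F2322B032AA8C8625EC0768-email-[webmafia@asia.com].AZER",
    "/srv/share/report.docx.[shieldo@usa.com].ID[0123456789ABCDEF].WALLET",
    "/srv/share/notes.txt.shark",
]
```

Running `triage(SAMPLE)` attributes each file to its variant and collects the attacker contact addresses embedded in the names, which is the information a responder needs before checking the decryption tools listed below.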

  • Proofpoint provides more information about CryptFile2 here and here.
  • Proofpoint provides more information about the Mole02 version of CryptFile2 here.
  • Avast provides a free decryption tool for CryptFile2/CryptoMix here.
  • NoMoreRansom.org provides a free decryption tool for Mole here.
  • Bleeping Computer provides a free decryption tool for Mole02 here.