CryptFile2

CryptFile2 targets Windows OS and is distributed via the Nuclear and Neutrino exploit kits. More recently, it has been spread via large-scale email campaigns designed to primarily target U.S. government agencies and educational institutions. The subject of these emails promise discounted flights from American Airlines and, within the body of the emails, there are embedded URLs leading to downloadable Microsoft Word documents containing malicious macros. If these macros are enabled by the recipient, the ransomware payload downloads and executes on the system. CryptFile2 contacts its C2 server and requests a file named default.jpg and then encrypts targeted files, appending a combination of a unique victim ID number and the attacker’s email address to the encrypted file names in the following format: .id_[personalid]_[attackeremail].scl. The ransom payment demand for CryptFile2 is currently unknown.

UPDATE 1/4/2017: CryptFile2 has recently been rebranded as CryptoMix.

UPDATE 1/23/2017: A new version of CryptFile2, also known as CryptoMix, appends .rdmk to encrypted file names and drops a ransom note named INSTRUCTION RESTORE FILE.txt.

UPDATE 3/15/2017: A new version, dubbed Revenge, is being distributed via the RIG exploit kit. It displays a fake alert, uses AES-256 encryption, and appends .REVENGE to encrypted file names. It also drops a ransom note named # !!!HELP_FILE!!! #.txt. Current email addresses used by the hackers behind this campaign include rev00@india.com, revenve00@writeme.com, and rev_reserv@india.com. There is currently no free tool available to decrypt this version.

UPDATE 4/13/2017: A new version, dubbed Mole, is distributed via spam emails masquerading as shipping notifications. The subject line of the emails suggests that there is a problem delivering the recipient's package in an attempt to convince the recipient to click on the malicious link included within the body of the email. The link actually points to a fake Microsoft Word Online website that displays text suggesting a document cannot be viewed and that a plugin needs to be installed by the end-user in order to continue. If the download button is clicked, one of two files will be downloaded: plugin-office.exe or pluginoffice.exe. If either of these files are opened, Mole will begin the installation process. It will display a UAC prompt to the user to request administrative privileges. If granted, Mole establishes communication with its C2 server and sends the unique victim ID back to the attacker and receives a RSA-1024 public encryption key used to encrypt the AES encryption key that is used to encrypt the victim's files. Mole stops various services on the system, including Windows Defender, Windows Update, and Windows Error Reporting, disables Windows startup recovery, and deletes the Shadow Volume Copies. Files encrypted by Mole display the following naming convention: [32_hex_chars].MOLE - i.e., 4E47636C1F31519446A78F711F4A1670.MOLE. It also drops a ransom note named INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT. Currently, there is no free tool available to decrypt this version.

5/1/2017: A new version, dubbed Wallet Ransomware by Bleeping Computer, uses the following naming convention for encrypted files: .[EMAIL_ADDRESS].ID[VICTIM._16_CHAR_ID].WALLET. It also drops a ransom note named #_RESTORING_FILES_#.TXT. Current email addresses associated with this campaign include shieldo@usa.com, admin@hoist.desi, and crysis@life.com. There are currently no free decryption tools available for this version and the distribution method is unknown.

6/20/2017: A new version of Mole has been impacting victims across the globe, with one reported case to date in New Jersey. Analysis suggests that this ransomware campaign uses malicious advertising, or malvertising, that redirects victims to the Stegano/Astrum exploit kit to deliver the payload. It appends .mole02 to the names of encrypted files and drops a ransom note named _HELP_INSTRUCTION. Executable files associated with this version include mopslb.tmp and ldmso.tmp. Associated IP addresses include 137.74.163[.]43 and 185.45.193[.]123.

  • Proofpoint provides more information about CryptFile2 here and here.
  • Proofpoint provides more information about the Mole02 version of CryptFile2 here.
  • Avast provides a free decryption tool for CryptFile2/CryptoMix here.
  • NoMoreRansom.org provides a free decryption tool for Mole here.