CryptFile2 targets Windows OS and is distributed via the Nuclear and Neutrino exploit kits. More recently, it has been spread via large-scale email campaigns designed to primarily target U.S. government agencies and educational institutions. The subject of these emails promise discounted flights from American Airlines and, within the body of the emails, there are embedded URLs leading to downloadable Microsoft Word documents containing malicious macros. If these macros are enabled by the recipient, the ransomware payload downloads and executes on the system. CryptFile2 contacts its C2 server and requests a file named default.jpg and then encrypts targeted files, appending a combination of a unique victim ID number and the attacker’s email address to the encrypted file names in the following format: .id_[personalid]_[attackeremail].scl. The ransom payment demand for CryptFile2 is currently unknown.

UPDATE 1/4/2017: CryptFile2 has recently been rebranded as CryptoMix.

UPDATE 1/23/2017: A new version of CryptFile2, also known as CryptoMix, appends .rdmk to encrypted file names and drops a ransom note named INSTRUCTION RESTORE FILE.txt.

UPDATE 3/15/2017: A new version, dubbed Revenge, is being distributed via the RIG exploit kit. It displays a fake alert, uses AES-256 encryption, and appends .REVENGE to encrypted file names. It also drops a ransom note named # !!!HELP_FILE!!! #.txt. Current email addresses used by the hackers behind this campaign include,, and There is currently no free tool available to decrypt this version.

  • Proofpoint provides more information about CryptFile2 here and here.
  • Avast provides a free decryption tool for CryptFile2/CryptoMix here.