CryptoShield 1.0

CryptoShield 1.0, a variant of CryptFile2/CryptoMix, targets Windows and is currently being distributed via the EITest malware campaign and the RIG exploit kit. Victims are infected when they visit websites hosting malicious JavaScript that launches code from another website, which in turn activates the exploit kit. The exploit kit then takes advantage of vulnerabilities in unpatched software to download the ransomware onto the victim's system.

Once downloaded, CryptoShield 1.0 generates a unique ID and encryption key for the victim, uploads them to its C2 server, and then begins encrypting targeted files on the system using AES-256 encryption. It also encrypts the file names using ROT-13 and appends .CRYPTOSHIELD to the end of them. File names can be decrypted manually by using an online ROT-13 encryption/decryption tool such as the one provided on

CryptoShield also drops ransom notes named # RESTORING FILES #.HTML and # RESTORING FILES #.TXT in each folder. It disables Windows startup recovery and deletes Shadow Volume Copies to prevent file restoration. It displays a fake error and a UAC prompt, and then displays a ransom note that threatens to double the price of the ransom if the original amount is not paid within 72 hours. The ransom payment amount is not listed on the ransom note and is currently unknown.

UPDATE 2/7/2017: CryptoShield 1.1 has been discovered and includes new contact emails res_sup[@i], res_sup[@], and res_reserve[@]

UPDATE 2/24/2017: A new variant appends .CRYPTOSHIEL to file names.
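For incident triage, the file-name scheme described above (ROT-13 plus an appended .CRYPTOSHIELD or .CRYPTOSHIEL) can be reversed offline to inventory which original files were affected. The following is an added example, not code from the original page or from any vendor tool; the function names and sample paths are constructed, and it assumes ROT-13 was applied to the whole original name including its extension. It recovers names only, not file contents.

```python
import codecs
from pathlib import PureWindowsPath

# Appended extensions named on this page (1.0 and the 2/24/2017 variant).
MARKERS = (".CRYPTOSHIELD", ".CRYPTOSHIEL")
# Ransom note names from this page; these are not encrypted user files.
NOTE_NAMES = {"# RESTORING FILES #.HTML", "# RESTORING FILES #.TXT"}

def original_name(name):
    """Return the pre-infection file name, or None if `name` does not
    look like a CryptoShield-renamed file."""
    upper = name.upper()
    if upper in NOTE_NAMES:
        return None
    for marker in MARKERS:
        # Require a non-empty stem in front of the appended extension.
        if upper.endswith(marker) and len(name) > len(marker):
            stem = name[:-len(marker)]
            # ROT-13 is its own inverse; digits and punctuation pass through.
            return codecs.decode(stem, "rot_13")
    return None

def inventory(paths):
    """Map each renamed path to its recovered original path; skip the rest."""
    recovered = {}
    for raw in paths:
        p = PureWindowsPath(raw)
        name = original_name(p.name)
        if name is not None:
            recovered[raw] = str(p.with_name(name))
    return recovered

# Constructed directory listing, as might be exported from a disk image.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\ohqtrg_2017.kyfk.CRYPTOSHIELD",
    r"C:\Users\alice\Pictures\grfg.wct.CRYPTOSHIEL",
    r"C:\Users\alice\Documents\# RESTORING FILES #.TXT",
    r"C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    for src, dst in inventory(SAMPLE_LISTING).items():
        print(f"{src}  ->  {dst}")
```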

  • Bleeping Computer provides more information about CryptoShield 1.0 here.
  • Avast provides a free decryption tool for CryptoShield/CryptoMix here.