CryptoMix family received another update - 0000 ransomware virus

CryptoMix is back with .0000 file extension

CryptoMix 0000 ransomware was released

Developers of CryptoMix[1] presented two new versions of the ransomware in the middle of November 2017. Only a few days have passed after the release of XZZX virus, and the cyber community was hit by the new 0000 ransomware.[2] However, apart from the different file extension, nothing else has changed a lot.

Both 0000 and XZZX viruses use the same data encryption model. Malware uses a combination of 11 public RSA-1024 and AES ciphers to make files inaccessible. The recent version of the crypto-malware appends .0000 file extension to targeted files.

The virus continues targeting the most popular file types and might delete Shadow Volume Copies in order to cause more damage to victims and prevent successful recovery with third-party tools. Unfortunately, it’s still impossible to recover from destructive behavior of the file-encrypting virus. Thus, users are advised to create backups to keep personal files safe from a dangerous cyber

A bunch of new emails for communication

The ransom payment instructions did not change a lot as well. Criminals still use the same strategy and the same ransom note – _HELP_INSTRUCTION.TXT. Authors of the 0000 virus ask to contact them via one of the four new emails in order to know how to restore files:


But there’s not much to know about. Authors of the ransomware just want victims to pay the ransom in Bitcoins. The ransom note does not reveal how much dollars in Bitcoins people have to pay. However, it might be set based on the size of the encrypted files. The more data it corrupted, the more you may have to pay.

However, paying the ransom should not be considered. There’s no doubt that success of the CryptoMix ransomware family is based on virus code and victims’ willingness to pay the ransom.[3] However, not each of the payment results in received decryptor and data recovery. Risking to lose few hundreds or even a thousand dollars is not the best idea.

Taking precautions is the best way to avoid ransomware

CryptoMix family is known since 2016. Numerous versions of malware have already stolen files from hundreds of thousands computer users who fell for crooks’ tricks. While new variants keep emerging, we want to remind the major security tips that you should follow each time you connect to the Internet:

  • Never open spam emails and their attachments. Phishing emails[4] are the primary method how ransomware viruses are being spread in general. Thus, before opening or clicking any content, you should double-check the information and make sure that it's safe to do it.
  • Keep Windows OS and software updated. 0000 ransomware, as well as other variants of CryptoMix, might take advantage of outdated software and vulnerabilities to infiltrate the device. People who use unsupported versions of Windows should consider upgrading or at least installing available patches.[5]
  • Do not download software or updates from pop-ups. If some annoying pop-up claims that your device has been infected with a virus or warns about missing updated, ignore it. These alerts are fake. Legit updates and downloads are available on the official developers’ website.
  • Avoid visiting potentially dangerous websites, such as gaming, gambling, adult-themed or similar.

Installing antivirus software also helps to reduce your chances of encountering the file-encrypting virus. Keep in mind that even the best security program cannot protect you 100% if you download illegal programs, visit potentially dangerous video streaming sites or do other risky activities.

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.

Contact Olivia Morelli
About the company Esolutions