CryptoMix keeps expanding: the new variant Mole66 spotted on the wild

CryptoMix ransomware rampage continues in 2018

The latest CryptoMix ransomware version, dubbed as Mole66, has been detected yesterday.^[1] Distributed via malspam and exploit kits, the ransomware targets Windows OS users around the globe.

Although CryptoMix has never achieved such a “fame” as Locky or Cerber, its developers do not give up and seek to fortify the position of the ransomware by continuously updating it. It is estimated that it currently has 31 versions, the latest of which are Tastylock, Server, System, and Mole66.

Authors of Mole66 make the virus difficult to crack

Each CryptoMix ransomware variant is critical. They are programmed in an extremely complicated way to root deep into the system and to initiate multiple changes under core system's folders and processes to prevent easy Mole66 removal and decryption.

According to experts, likewise most of the CryptoMix versions, Mole66 runs scripts via Command Prompt and uses Administrative privileges. This way, it forcefully removed Volume Shadow Copies,^[2] which are often used for retrieving

• damaged or deleted data. Additionally, it does these changes:
• disable startup repair;
• blocks Windows Recovery mode;
• clear event logs.

Despite the minor changes, the ransomware is pretty standard. It uses AES-256 cipher^[3] to take people's files hostage. After that, it creates a text file on PC's desktop and demands to pay the ransom in Bitcoins^[4] within 72 hours.

Malware researchers pointed out to the fact that the ransomware scans for Russian encoding on a target system. If it detects the Russian settings by default, it quits encryption and does not initiate other malicious activities that we described above.

Pay the ransom or not to pay? A question that's easy to answer

Mole66 is not an exclusive member of the CryptoMix ransomware. It locks the files and then instructs the victim to exchange the currency into Bitcoins and make the payment within three days. Sadly, but developers of this virus does not seem to be very creative. All they indicate is the following information:

Contents of the note on redemption:
!!! All your files are encrypted !!!
What to decipher write on mail alpha2018a@aol.com
Do not move or delete files !!!!
— Your ID: ***** —
!!! You have three days otherwise you will lose all your data. !!!

Even though crooks encourage victims to pay a huge redeem asap, experts do not recommend paying the ransom.^[5] Peter Coroneos, the former chief executive of the Internet Industry Association and an expert on cyber policy, claims by paying the ransom people are quite naive since criminals are not the most scrupulous persons.

You may have to be pragmatic this time and hope you’re dealing with a reliable ransomer.

Assoc Prof Mark Gregory, the leader the network engineering research group at RMIT University” adds to the subject:

These people are criminals, and paying money to a criminal is never a good idea. However, if it’s a trade-off between losing your lifetime’s family photos and making a payment to a criminal, then it’s up to the individual to make that judgment call.

Attacks are growing, but you can avoid them

Despite the fact that many CryptoMix versions have already been cracked and can be decrypted using a free decryptor, its developers are not going to step aside.

Mole66 has been released less than a month after the previous CryptoMix virus, dubbed as System was rolled out. If it's going to evolve in such a rapid pace, it will be a challenging task for white hats^[6] to crack each new version before it goes viral.

Keep in mind that there's no hundred percent protection from ransoware. The only reliable way to protect yourself from data loss is backup, backup, backup. Create backups at least for the most important files and you won't have to nervous after discovering your files locked.