CryptoMix ransomware demands payment for fake children foundation

CryptoMix ransomware claims that the ransom paid for encrypted data later goes to a medical children charity

CryptoMix ransomware takes advantage of childrenCryptoMix ransomware uses children foundation stories about sick children to make people pay the ransom.

The notorious CryptoMix ransomware[1] has just renewed its activity, according to researchers at Coveware.[2] In the latest campaign, virus developers are trying to represent themselves as a medical children charity, so the ransom note delivered after virus infiltration contains real stories about kids and their families. By using stolen data and pictures of sick children from the real children foundation, malware developers are seeking to make people more willing to pay the ransom.

After testing the latest example of Cryptomix, experts were shocked after finding claims saying that ransomware developers are the International Children Charity Organisation which is ready to send money for sick children. In the lengthy message, the user is advised to contact the developer in less than 24 hours because after that the price doubles.

According to the ransom note, the main idea behind this payment is that children could receive the required medical help. Also, there is a claim that your name will be presented in the history of the charity. However, paying is not beneficial for anyone. If you contact these criminals, you may get into bigger trouble or lost your data or money permanently.[3]

The main of this campaign is to play with feelings, as Coveware wrote in their report:

We are guessing this tactic is meant to assuage the moral hazard associated with paying a ransom. It goes without saying that these cyber criminals did think this through. It is poignantly obvious that the charity is fake, and that the details of the child's case are lifted from other sites.

Sensitive stories about children are stolen from the real foundation

When victims attempt contacting these virus developers via the email, yet another email from the Worldwide Children Charity Community appears in their feed that includes more sensitive information about the children that need medical care. The whole profile reveals photos and family history of the particular child.

Also, the email contains the potential diagnosis of the kid and the amount of money he or she needs to get proper medical help, as well as the amount of money raised. This email has the message displayed on the One Time Secret site where you can share a post that can only be read once before it is deleted. This is the way that developers demand a ransom.[4]

When victims follow up with the provided link, they get the additional message stating about ransom payment. Once the charity payment is done, they should receive the decryptor for files encrypted by Cryptomix. However, even after getting money, virus developers continue to impersonate the children charity to lure people even more:

First of all We want to say THANK YOU! Soon one of the children foundation will receive a medical help from Your name! It's a great moment!

CryptoMix ransomware is still a big threat, the research shows

The initial attack of Cryptomix was spotted in 2016 and was one of the most active threats this time.[5] However, in 2018 the activity of this threat decreased and virus researchers were almost sure that the ransomware has stopped its distribution. As the recent example reveals, they were wrong.

Previously, the virus worked under typical rules: after locking the target data, it presented the ransom note for its victim which encouraged him/her to send a message to its developers via the given email address. This way, ransomware creators notified their victims about ransom payments and other steps needed to unlock encrypted files.

However, stories about the sick children is a completely new turn. As the research reveals, they were taken from official crowdfunding websites, charities or news sites. People have always been vulnerable to such stories, so they are likely to fall for such tricks.

To prevent ransomware, make sure you keep your system protected. This is the first stage while trying to protect yourself from scams and money or even identity loss. Reviewedbypro could be a great source for finding an anti-virus or anti-virus that suits your requirements. Besides, if you were unlucky to get infected with the Cryptomix, note that there is a free decrypter by Avast for some of its versions.[6]

About the author
Julie Splinters
Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor was English Philology.

Contact Julie Splinters
About the company Esolutions