New year brings new versions of CryptoMix ransomware

Developers of CryptoMix came back with Tastylock and Server ransomware versions

New year brings new versions of CryptoMix ransomware

CryptoMix[1] is one of the biggest and well-known ransomware families that started an illegal business in 2016. The beginning of 2018 brought two more versions of this malware – Tastylock[2] and Server ransomware. Just like the previous variants, these two are willing to take victim’s files to hostage and convincing them into paying the ransom.

Authors of CryptoMix ransomware is known for creating almost identical versions of the virus. Distribution methods and operation peculiarities remain similar. However, they changed the appended file extension to the targeted data and provided different contact email addresses.

Furthermore, the size of the ransom, which is required for getting encrypted data back, is a mystery. Cyber criminals continue telling the exact sum of money once victims send them an email. However, paying for ransomware developers is tricky and risky, so it’s better to take all security measures to avoid infiltration of recent versions of CryptoMix.

Tastylock CryptoMix ransomware was a Christmas gift from criminals

Malware researchers spotted Tastylock malware just around the Christmas. Just like the name suggests, it appends .tastylock file extension to the targeted documents, pictures, audio, images and other targeted files.

Additionally, it renames them with a string of random numbers and characters. Thus, after the attack, it’s impossible to recognize encrypted documents. Unfortunately, corrupted files cannot be decrypted with third-party tools yet. Consequently, victims who do not have backups might be interested in the recovery possibilities provided in the ransom note (still not recommended).

As soon as all files are encrypted, Tastylock drops a ransom note called _HELP_INSTRUCTION.TXT. If you follow the news from this ransomware campus, you might remember that the same name of the ransom-demanding file was used before.

Criminals still ask to send unique victim’s ID number. However, this time they are using only one contact email – The text of the message also differs from the ones we have already seen:

All you files an encrypted!
For decrypt write DECRYPT ID to
YOU DECRYPT-ID-[id] number

Do not change!
Do not move files!
Do not use other programs (they do not work)!
You can lose your files if you do not follow the instructions!

As you already know, crooks are not lying. Third-party tools won’t help to restore encrypted files. However, it does not mean that you should not try to get back at least some of the corrupted data if you do not have backups. Thus, in case of the attack, we encourage you to remove Tastylock and look up for safe recovery solutions.

Server CryptoMix ransomware shows up in the first week of this year

In the first week of 2018, researchers reported about another CryptoMix version that appends .SERVER file extension. Due to this feature, malware was named as Server CryptoMix ransomware. Further data encryption and operation methods were not changed. Malware renames files and delivers a _HELP_INSTRUCTION.TXT file too.

As you can see, it uses the same name of the ransom note as Tastylock. However, the content of the ransom-demanding message is different. Criminals switched back to the traditional ransom note where they provide five different contact email addresses:

Attention! All Your data was encrypted!
For specific informaiton, please the send us an email with Your ID number:
Please the send email to all email addresses The! We will help You as soon as possible !
DECRYPT-ID- [id] number

Unfortunately, a free and safe to use Server ransomware decryptor has not been released yet. Hence, if you do not have backups, chances to get back your files are low. However, it does not mean that you should take hacker’s offer.

Short reminder on how to avoid ransomware attack

CryptoMix is only one of many ransomware families that are being updated frequently in order to take millions of victims’ files into the hostage. Thus, you should follow these security tips to minimize risk to get your PC infected:

  • Do not open unknown or suspicious email attachments;[3]
  • Do not download illegal programs, videos, movies or similar content;
  • Avoid visiting high-risk websites, such as gaming, gambling or adult-themed;[4]
  • Install all available updates;
  • Invest in reputable antivirus protection;
  • Create and update data backups.[5]
About the author
Lucia Danes
Lucia Danes - Virus researcher

Lucia is a News Editor for 2spyware. She has a long experience working in malware and technology fields.

Contact Lucia Danes
About the company Esolutions