Persistent CryptoMix ransomware gets livelier than ever before

CryptoMix developers are determined to embed their names in the ransomware history

CryptoMix ransomware continues evolving

Though CryptoMix ransomware[1] did not receive such global notorious fame as Locky or Cerber and the malware itself might not be as aggressive as the latter crypto threats, however, its story is no less intriguing.

The fact that the malware has bred multiple versions since 2016 suggests that the developers are desperately seeking to fortify their position as the authors of destructive and intimidating world-class threat. But the question is: do they succeed?

From CryptoShield to CK ransomware

The story of CryptoMix development might bring a smile to some users. The first signs of the threat have been recorded in May 2016. However, after a short while, cyber security specialists were able to counterstrike the malware traffic and released the decryptor.

Ironically, since last year, the authors of the threat have manifested a magnificent stamina and determination: new versions have kept arising.

Thus, throughout this time period, we have seen its subsequent versions:

  • CryptoShield 1.1 and 2.0 variations. The ransom message resembles the one shown by Locky; presents several email addresses such as,, and
  • Revenge ransomware joined forces with RIG exploit kit to expand the distribution scale.
  • Mole and Mole02 editions tend to spread via fake USPS emails.
  • CryptoMix Wallet infection takes some features from Dharma virus family as it appends [].ID[16 unique characters].WALLET extension to the encrypted files
  • Zayka and Noob threats use the same ransom note – _HELP_INSTRUCTION.TXT – and the email address – – for instructions.[2]
  • CK virus is a follow up to the previous two with just a few changes in the number of contact email addresses.

Recent activity and the introduction of new features imply that the ransomware developers are getting serious. They have not only boosted the traffic of their threats by exploiting RIG exploit kit’s capabilities, but they also change the technical capabilities of certain threats. For instance, Zayka virus functions as a hybrid extortion tool.

Though this family of crypto-malware has indeed developed into a menacing and full-fledged ransomware threats, cybersecurity specialists continue to battle their authors. Recently they checkmated their Mole02 virus by releasing a decrypter.[3]

Future forecasts

Observing the rate and direction this malware heads to, underestimating and hoping that IT experts will be able to crack the malware each time might be a mistake. CryptoMix developers have manifested a great progress.

Thus, the virtual community should remain vigilant. Since the malware does not only assault via RIG, exploit kits, trojans but via emails as well, attention becomes a valuable weapon.

About the author
Julie Splinters
Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor was English Philology.

Contact Julie Splinters
About the company Esolutions