CryptoMix ransomware (old ransomware spotted early in 2016) returns with a new trick, ripping data and images from crowdfunding sites and claiming ransomware payments go to the needy.
This old family of ransomware has returned with a new campaign which uses information about children stolen from crowdfunding websites and claims that payments made in exchange for unlocking encrypted files will be donated to good causes.
This CryptoMix is a combination of CryptXXX and CryptoWall ransomware. However, researchers have uncovered a new CryptoMix campaign that looks to make up for its lack of notoriety with this unpleasant new trick. Still, IOC’s, TTP and Encrypting mechanism are unavailable and the attribution of the attack is unclear.
How this Rransomware works?
This ransomware attack begins, like many others, with brute force attacks targeting weak passwords on RDP ports. Once inside the network, the attackers harvest the admin credentials required to move across the network before encrypting endpoints and wiping back-ups.
Victims are then presented with a ransom note that tells them to send an email to the ransomware distributors, who also warn victims not to use any security software against CryptoMix, with the attackers claiming that this could permanently damage the system.
Tricky Ransom Note to lure victims
Obviously, this isn’t the worrying part, but in an effort to lure victims into believing the scam, the CryptoMix distributors appear to have taken information about real children from crowdfunding and local news websites.
The researchers have notified the families of the children affected. The hackers claim that children will receive presents and medical help as a result of the payment but also threaten that the ‘donation’ will be doubled if the payment isn’t received within 24 hours.