A new variant of the CryptoMix ransomware is appending the .EXTE extension to the names of the folders it captures.
The malware was spotted by Malwarebytes malware researcher Marcelo Rivero and was further investigated by Bleeping Computer researchers, who noted that the encryption methods appear to be the same as those used in previous CryptoMix attacks, according to a July 14 blog post.
Researchers also noted that the latest version continues to use the same 10 public RSA keys as the previous AZER version, one of which will be selected to encrypt the AES key used to encrypt a victim’s files.
In addition to the new extension, the latest version also includes a new ransom note named _HELP_INSTRUCTION.TXT. This note contains instructions to contact either email@example.com, firstname.lastname@example.org, or email@example.com for payment information.
While it’s recommended that users don’t pay the ransom, those who do are encouraged to send their decryption keys to researchers, who can then scan them for weaknesses.
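The extension and ransom note name reported above are enough for a triage sweep of a file share to see which directories were hit. The following Python script is an added example, not code from the researchers cited; the sample tree and its file names are constructed, and the function names are hypothetical.

```python
import os
import tempfile
from collections import defaultdict

# Indicators from the article; compared case-insensitively.
ENCRYPTED_EXT = ".exte"
RANSOM_NOTE = "_help_instruction.txt"

def scan(root):
    """Return ({dir: {"encrypted": n, "note": bool}}, [unreadable dirs])."""
    hits = defaultdict(lambda: {"encrypted": 0, "note": False})
    unreadable = []  # directories os.walk could not list, so gaps are visible
    for dirpath, _dirs, files in os.walk(
            root, onerror=lambda err: unreadable.append(err.filename)):
        for name in files:
            lower = name.lower()
            if lower == RANSOM_NOTE:
                hits[dirpath]["note"] = True
            elif os.path.splitext(lower)[1] == ENCRYPTED_EXT:
                hits[dirpath]["encrypted"] += 1
    return dict(hits), unreadable

def triage(hits):
    """Affected directories, strongest signal first: note plus renamed
    files, then by number of renamed files."""
    def score(item):
        info = item[1]
        return (info["note"] and info["encrypted"] > 0, info["encrypted"])
    return [path for path, _ in sorted(hits.items(), key=score, reverse=True)]

def build_sample_tree(root):
    """Constructed sample data: empty files with made-up names."""
    layout = {
        "docs": ["report.docx.EXTE", "budget.xlsx.exte", "_HELP_INSTRUCTION.TXT"],
        "photos": ["img001.jpg.EXTE"],
        "clean": ["notes.txt", "EXTE_readme.md"],  # must not be flagged
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found, skipped = scan(tmp)
        for path in triage(found):
            print(path, found[path])
        print("unreadable:", skipped)
```

Directories listed as unreadable were not inspected, so they need a second pass with sufficient privileges before the share is declared clean.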