MalwareHunterTeam researchers this week discovered a second variant of the CryptoMix ransomware, one that appends the .0000 extension to encrypted files.
The earlier variant was spotted Nov. 13, and appended the .XZZX extension to encrypted file names.
Both the latest variant and the earlier one use the same ransom note, but the latest version instructs users to contact different email addresses for payment information. The latest variant also contains 11 public RSA-1024 encryption keys that will be used to encrypt the AES key used to encrypt a victim's files, which allows the ransomware to work completely offline with no network communication, researcher Lawrence Abrams said in a Nov. 17 Bleeping Computer blog post.
“With this version, when a file is encrypted by the ransomware, it will modify the filename and then append the .0000 extension to encrypted file's name,” Abrams said in the post. “For example, a test file encrypted by this variant has an encrypted file name of 0D0A516824060636C21EC8BC280FEA12.0000.”
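The renaming behaviour Abrams describes gives responders a file-name indicator to hunt for. The following is an added example, not code from Bleeping Computer or MalwareHunterTeam: it triages a file listing for the two extensions named above. It assumes that renamed files follow the single example in the quote (32 hexadecimal characters plus the extension); the per-directory threshold and all sample paths other than that file name are constructed.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Extensions the article names for the two CryptoMix variants.
VARIANT_EXTENSIONS = {".0000", ".xzzx"}
# Assumption: the renamed stem is 32 hex characters, generalised from the
# one example file name quoted in the article.
HEX_STEM = re.compile(r"^[0-9A-F]{32}$", re.IGNORECASE)

def classify(path):
    """Return 'renamed', 'extension-only' or None for one file path."""
    p = PureWindowsPath(path)
    if p.suffix.lower() not in VARIANT_EXTENSIONS:
        return None
    return "renamed" if HEX_STEM.match(p.stem) else "extension-only"

def triage(paths, min_hits=2):
    """Group matches by directory.

    Returns (flagged, weak): directories holding at least min_hits files that
    match the full renamed pattern, and directories holding files that only
    share the extension (lower confidence, e.g. unrelated *.0000 files).
    min_hits is an illustrative threshold, not a value from the article.
    """
    strong, weak = Counter(), Counter()
    for path in paths:
        verdict = classify(path)
        parent = str(PureWindowsPath(path).parent)
        if verdict == "renamed":
            strong[parent] += 1
        elif verdict == "extension-only":
            weak[parent] += 1
    flagged = {d: n for d, n in strong.items() if n >= min_hits}
    return flagged, dict(weak)

# Constructed listing; only the first file name comes from the article.
SAMPLE = [
    r"C:\Users\demo\Documents\0D0A516824060636C21EC8BC280FEA12.0000",
    r"C:\Users\demo\Documents\A1B2C3D4E5F60718293A4B5C6D7E8F90.0000",
    r"C:\Users\demo\Documents\notes.txt",
    r"C:\Tools\firmware\image.0000",
]

if __name__ == "__main__":
    flagged, weak = triage(SAMPLE)
    print("likely encrypted directories:", flagged)
    print("extension-only matches:", weak)
```

Feed `triage` the output of a recursive directory listing or file-creation telemetry; extension-only matches need manual review before being treated as encrypted files.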
Researchers recommend users always have a reliable and tested backup that can be restored in case of an emergency, such as a ransomware attack. Users should also not open attachments if they don't know who sent them, or until they can confirm that the sender is who they claim to be.
In addition, users should scan attachments with antimalware solutions and make sure all of their operating systems and applications are up to date. CryptoMix has been updated on a regular basis by the various crews using the ransomware.