
Psychological manipulation is heavily used in cyber attacks, especially in phishing and ransomware compromise attempts.

As with all online scams, the attackers’ main objective is simple: to make as much money and steal as much data as possible. So, in that pursuit, they keep coming up with new tactics to force their victims into complying with their demands. Encrypting ransomware, such as CryptoWall or TeslaCrypt, is proof of that.

So when a new ransomware strain started to circulate a few days ago, it attracted attention.

(Image: ransomware discoveries reported by CERT-RO)

Source: CERT-RO’s Facebook page

New ransomware strains are created constantly, so that’s nothing new, but the ransom note in this particular type was quite surprising. It promises to donate the ransom money to charity.

Here is what the ransom note says once all the data on the infected PC has been encrypted:

Dear User,

to decrypt your files You will need a special software with your special unique private key.

Price of software and your private key is 5 bitcoins. With this product you can decrypt all your files and protect Your system!!! Protect!!! Your system will be without any vulnerability.

Also You will have a FREE tech support for solving any PC troubles for 3 years!

You can buy bitcoins through this bitcoin web site https://localbitcoins.com/

Register there and find a nearest Bitcoin seller. It`s easy! Choose more comfortable payment method for buying Bitcoin!

After that You should send 5 bitcoins to the bitcoin wallet address:
1KWJ3rEvKs6z3suztfKv3zKAcqzQa3VVPh

All this process is very easy! It`s like a simple money transfer.

And now most important information:

Your money will be spent for the children charity. So that is mean that You will get a participation in this process too. Many children will receive presents and medical help!

And We trust that you are kind and honest person! Thank You very much! We wish You all the best! Your name will be in the main donors list and will stay in the charity history!

P.S> When your payment will be delivered you will receive your software with private key IMMEDIATELY!

P.P.S> In the next 24 hours your price will be doubled by the Main Server automatically. So now you have a chance to restore your PC with low price!

Best regards,

Charity Team

So it was not enough that they held the data hostage and set a deadline for payment, after which the ransom doubles; they had to play the charity card as well?

This line is particularly flabbergasting: “We trust that you are kind and honest person”, given that a victim who has no backup of the data has no alternative at all.

And the ransom is quite hefty as well: 5 bitcoins comes to roughly $2,200 at the current price per bitcoin. That is quite expensive!

(Image: simple ransomware infection chain)

But don’t think that the ransomware’s code is a joke, because the threat is as serious as can be. This new strain, which currently lacks an identifying name, was not written from scratch: it reuses large parts of existing malware. Specifically, it is a CryptoWall 4 variant that also includes CryptXXX components.

If you think you can use the CryptXXX decryption tool on this one, know that the malicious actors behind this strain have fixed the implementation errors that Kaspersky’s decryption tool depended on, so that tool will not recover files encrypted by this variant.

This new strain is delivered by the usual methods, spam emails and drive-by attacks, which have become the norm in ransomware campaigns.

The payment instructions, found in the files dropped on the victim’s system after encryption finishes, mention two email addresses: xoomx[@]dr.com and xoomx[@]usa.com. Two ransom notes are dropped, and each is associated with a different family:

HELP_YOUR_FILES.html: CryptXXX
HELP_YOUR_FILES.txt: CryptoWall 4.0

The list of file types this ransomware can encrypt is quite long, and it seems the attackers haven’t left anything out:

.0, .1, .1st, .2bp, .3dm, .3ds, .3fr, .3g2, .3gp, .4db, .73i, .7z, .9png, .a3d, .abm, .abs, .abw, .accdb, .accdc, .accde, .accdr, .accdt, .accdw, .accft, .act, .adn, .adp, .af3, .aft, .afx, .agif, .agp, .ai, .aci, .aif, .aim, .albm, .alf, .ani, .ans, .apd, .apm, .apng, .aps, .apt, .apx, .ar, .arc, .art, .artwork, .arw, .as, .asc, .ascii, .ase, .asf, .ask, .asm, .asp, .asw, .asx, .asy, .at, .aty, .avatar, .awdb, .awp, .awt, .aww, .azz, .ba, .backup, .bad, .bak, .bay, .bbs, .bdb, .bdp, .bdr, .bean, .bib, .bik, .blend, .blkrt, .bm2, .bmp, .bmx, .bmz, .bna, .bnd, .boc, .bok, .brk, .brn, .brt, .bss, .btd, .bti, .btr, .byu, .bz, .bza, .bzabw, .c, .c4, .c4d, .cal, .cals, .can, .cd5, .cdb, .cdc, .cdg, .cdmm, .cdmt, .cdmtz, .cdmz, .cdr, .cdr3, .cdr4, .cdr6, .cdrw, .cdt, .cf, .cfg, .cfu, .cgm, .chart, .chord, .cin, .cit, .ckp, .class, .clkw, .cma, .cmx, .cnm, .cnv, .cp, .cpc, .cpd, .cpg, .cpp, .cps, .cpt, .cpx, .cr2, .crd, .crwl, .cs, .css, .csv, .csy, .ct, .cv5, .cvg, .cvi, .csv, .cvx, .cwt, .cxf, .cyi, .daconnections, .dacpac, .dad, .dadiagrams, .daf, .daschema, .dat, .db, .db-shm, .db2, .db3, .dbc, .dbf, .dbk, .dbs, .dbt, .dbv, .dbx, .dc2, .dca, .dcb, .dcs, .dct, .dcx, .dd, .ddl, .ddoc, .dds, .ded, .design, .dgc, .dgn, .dgs, .dgt, .dhs, .dib, .dicom, .diz, .djv, .djvu, .dm3, .dmo, .dmp, .dnc, .dne, .doc, .docm, .docx, .docxml, .docz, .dot, .dotm, .dotx, .dpp, .dpx, .drw, .drz, .dsk, .dsn, .dsv, .dt, .dt2, .dta, .dts, .dtsx, .dtw, .dv, .dvi, .dwg, .dx, .dxb, .dxf, .ecw, .ecx, .edb, .efd, .egc, .eio, .eip, .eit, .email, .emd, .emf, .emlx, .ep, .epf, .epp, .eps, .epsf, .eql, .erf, .err, .etf, .euc, .exr, .f, .fadein, .fal, .faq, .fax, .fb2, .fb3, .fbl, .fbx, .fcd, .fcf, .fdb, .fdf, .fdr, .fds, .fdt, .fdx, .fdxt, .fes, .fh3, .fh4, .fh5, .fh6, .fh7, .fh8, .fi, .fic, .fid, .fif, .fig, .fil, .flac, .fli, .fodt, .fol, .fountain, .fp3, .fp4, .fp5, .fp7, .fpt, .fpx, .ft7, .ft8, .ft9, .ftn, .fwdn, .fzb, .fzv, .g3, .gcdp, .gdb, .gdoc, .gdraw, .save, .geo, .gfb, .gfie, .ggr, .gho, .gif, .gim, .gio, .gl, .glox, .gmbck, .gmspr, .gpd, .gpn, .gro, .grs, .gsd, .gthr, .gtp, .gv, .gwi, .gz, .h, .hbk, .hdb, .hdp, .hdr, .hht, .his, .hpg, .hpgl, .hpi, .hpl, .hpp, .hs, .htm, .html, .hwp, .hz, .i3d, .ib, .icn, .icon, .icpr, .idc, .idea, .igt, .igx, .ihx, .iiq, .imd, .indd, .info, .ink, .int, .ipx, .it, .itc2, .itdb, Important note, .iwi, .j, .j2c, .j2k, .jas, .java, .jb2, .jbig, .jbig2, .jbmp, .jbr, .jis, .jng, .joe, .jp2, .jpe, .jpeg, .jpg, .jpg2, .jps, .jpx, .js, .jtx, .jxr, .kdb, .kdc, .kdi, .kdk, .key, .kic, .knt, .kon, .kpg, .kwd, .latex, .lay, .layout, .lbm, .lbt, .lgc, .lit, .ljp, .log, .ltr, .ltx, .lue, .lws, .Listen, .lyx, .m3d, .m3u, .m4v, .ma, .mac, .maf, .man, .map, .maq, .mat, .max, .mb, .mbm, .mbox, .md5, .mdb, .mdf, .mdn, .mdt, .me, .mft, .mgcb, .mgmx, .mgt, .min, .mkv, .mmat, .mng, .mnt, .mob, .mobi, .mos, .mov, .movie, .mp3, .mp4, .mpf, .mpg, .mrg, .mrxs, .msg, .mt9, .mud, .mwb, .mwp, .mxl, .myd, .myl, .ncr, .nct, .ndf, .nfo, .njx, .nlm, .notes, .now, .nrw, .ns2, .ns3, .ns4, .nwctxt, .nyf, .nzb, .obj, .oc3, .oc4, .oc5, .oce, .ocr, .odb, .odo, .ods, .odt, .of, .oft, .openbsd, .oplc, .oqy, .ora, .orf, .ort, .orx, .ota, .otg, .oti, .ott, .ovp, .ow, .owc, .owg, .oyx, .oz, .ozb, .ozj, .p7s, .p96, .p97, .pages, .pal, .pano, .pap, .pas, .pbm, .pc3, .pcd, .pcs, .pct, .pcx, .pdb, .pdd, .pdf, .pdm, .pdn, .pe4, .pf, .pfd, .pff, .pfs, .pfx, .pgf, .pgm, .phm, .php, .pi3, .pic, .pict, .pix, .pjpeg, .pjpg, .pjt, .pl, .plantuml, .plt, .pm, .pmg, .png, .pni, .pnm, .pntg, .pnz, .pobj, .pop, .pp4, .pp5, .ppm, .pps, .ppt, .pptm, .pptx, .prw, .ps, .psd, .psdx, .pse, .psid, .psp, .pspbrush, .psw, .ptg, .pth, .ptx, .pu, .puz, .pvj, .pvm, .pvr, .pwa, .pwi, .pwr, .px, .pxr, .py, .pz3, .pza, .pzp, .pzs, .qdl, .qmg, .qpx, .qvd, .r3d, .ra, .rad, .rar, .ras, .raw, .rb, .rctd, .rcu, .rdb, .rdl, .readme, .rgb, .rib, .ris, .rl, .rle, .rli, .rm, .rp, .rpd, .rpt, .rs, .rsb, .rsd, .rsr, .rst, .rt, .rtd, .rtf, .run, .rw2, .rwl, .rzk, .rzn, .s2mv, .s3m, .saf, .safetext, .sai, .sam, .sav, .save, .sbf, .scad, .scc, .sci, .scm, .scriv, .scrivx, .sct, .scv, .scw, .sdb, .sdf, .sdm, .sdoc, .sdw, .sep, .sfc, .sfera, .sfw, .sgm, .sig, .sk2, .skcard, .skm, .sla, .slagz, .sld, .sldasm, .slddrt, .sldprt, .sls, .smf, .smi, .smil, .sms, .snagitstamps, .snagstyles, .sob, .spa, .spe, .sph, .spj, .spp, .spq, .spr, .sqb, .sql, .sqlite, .sqlite3, .sqlitedb, .sr2, .srw, .ssa, .ssk, .st, .ste, .stm, .stn, .stp, .str, .strings, .stw, .stx, .sty, .sub, .sumo, .sva, .svf, .svg, .svgz, .swf, .sxd, .sxg, .sxw, .t2b, .tab, .tar, .tb0, .tbn, .tcx, .tdf, .tdt, .teacher, .tex, .text, .tfc, .tg, .tg4, .tga, .thm, .thp, .thumb, .tif, .tiff, .tm, .tm2, .tmd, .tmp, .tmv, .tmx, .to, .tp, .tpc, .tpi, .trelby, .trm, .tvj, .txt, .u3d, .u3i, .udb, .ufo, .uga, .unauth, .unity, .unx, .upd, .usertile-ms, .usr, .utf8, .utxt, .v12, .vault, .vb, .vbr, .vc, .vct, .vda, .vdb, .vec, .vml, .vnt, .vpd, .vrml, .vrp, .vsd, .vsdm, .vsdx, .vsm, .vst, .vstm, .vstx, .vw, .wav, .wbc, .wbd, .wbk, .wbm, .wbmp, .wbz, .wcf, .wdb, .wdp, .webdoc, .webp, .wgz, .wire, .wm, .wma, .wmd, .wmf, .wmv, .wn, .wot, .wp, .wp4, .wp5, .wp6, .wp7, .wpa, .wpb, .wpd, .wpe, .wpg, .wpl, .wps, .wpt, .wpw, .wri, .ws, .wsc, .wsd, .wsh, .x, .x3d, .x3f, .xar, .xbdoc, .xbplate, .xdb, .xdl, .xld, .xlgc, .xll, .xls, .xlsm, .xlsx, .xmind, .xml, .xmmap, .xpm, .xwp, .xx, .xy3, .xyp, .xyw, .y, .yal, .ybk, .yml, .ysp, .z, .z3d, .zabw, .zdb, .zdc, .zi, .zif, .zip, .zw

As has become standard, the encryption affects not only the data on the infected PC but also whatever is reachable on mapped network drives, so a backup that lives on an always-connected share is not a safe backup.
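As an added example, and not code from the article or from the CSIS researchers, the Python script below shows how a responder could turn the indicators given above into a sweep of local disks and mounted network shares: it looks for the two ransom-note file names, checks each note for the contact addresses and the wallet quoted in the article, and counts how many files with targeted extensions sit under each root. The directory layout, the note text and the small extension subset are constructed for the example, and the script name hunt_notes.py is an assumption.

```python
import os
import sys
import tempfile
from pathlib import Path

# Indicators taken from the article: the two ransom-note file names, the two
# contact addresses from the payment instructions (the article defangs them
# as xoomx[@]...; they are written plain here so they match note contents)
# and the bitcoin wallet quoted in the note.
NOTE_NAMES = {"help_your_files.txt", "help_your_files.html"}
IOC_STRINGS = (
    "xoomx@dr.com",
    "xoomx@usa.com",
    "1KWJ3rEvKs6z3suztfKv3zKAcqzQa3VVPh",
)
# Assumption of the example: a small subset of the article's target-extension
# list, used only to size how much data on a share is in scope for the strain.
TARGET_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg",
               ".sql", ".mdb", ".bak", ".zip"}


def hunt(root):
    """Walk root (a local disk or a mounted network share) and return
    {directory: set of IOC strings found in the ransom note(s) there}.
    A note with the right name but none of the known strings is still
    reported, with an empty set: the same strain may have been re-themed."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower() not in NOTE_NAMES:
                continue
            try:
                text = Path(dirpath, name).read_text(errors="replace")
            except OSError:
                continue  # unreadable note: skip it, do not abort the sweep
            found = {ioc for ioc in IOC_STRINGS if ioc in text}
            hits.setdefault(dirpath, set()).update(found)
    return hits


def exposed_files(root):
    """Count files under root whose extension is on the strain's target list."""
    count = 0
    for _, _, filenames in os.walk(root):
        count += sum(1 for n in filenames
                     if os.path.splitext(n)[1].lower() in TARGET_EXTS)
    return count


def build_sample_tree():
    """Constructed fixture, not real malware output: a fake share with one
    directory holding a note that carries the article's wallet and one of the
    e-mail addresses, plus one clean directory."""
    root = tempfile.mkdtemp(prefix="cryptmix-lab-")
    hit, clean = os.path.join(root, "finance"), os.path.join(root, "public")
    os.makedirs(hit)
    os.makedirs(clean)
    note = ("Dear User,\nto decrypt your files You will need a special software\n"
            "send 5 bitcoins to 1KWJ3rEvKs6z3suztfKv3zKAcqzQa3VVPh\n"
            "contact: xoomx@dr.com\n")
    Path(hit, "HELP_YOUR_FILES.TXT").write_text(note)
    Path(hit, "budget.xlsx").write_bytes(b"\x00" * 16)
    Path(clean, "readme.txt").write_text("nothing to see here\n")
    Path(clean, "photo.jpg").write_bytes(b"\xff\xd8\xff")
    return root


if __name__ == "__main__":
    # Usage: python hunt_notes.py /mnt/share1 /mnt/share2 ...
    # With no arguments the script runs against the constructed fixture.
    roots = sys.argv[1:] or [build_sample_tree()]
    for r in roots:
        hits = hunt(r)
        print(f"{r}: {len(hits)} directories with ransom notes, "
              f"{exposed_files(r)} files with targeted extensions")
        for d, iocs in sorted(hits.items()):
            print(f"  {d}: "
                  f"{', '.join(sorted(iocs)) or 'note present, no known IOC strings'}")
```

Run it against every mapped drive as well as the local disks, since the article notes that the encryption reaches network shares; a directory that holds a note but none of the known strings deserves a manual look rather than dismissal.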

At this point, you may ask yourself:

Could all this money really go to charity or is it just another trick?

While there is no way to verify the claim (at the moment), we can hardly trust cyber criminals to have a kind and generous side to them. Real life is nothing like the movies.

What you can do is follow some top tips to keep your data safe from ransomware and, in case you do get hit, not pay the ransom. Even the FBI came around after last year’s statements, and it now emphasizes that:

The FBI doesn’t support paying a ransom in response to a ransomware attack.

Source.

So it’s up to you to do everything you can to keep your data safe. Remember that having multiple backups is always the best solution.

Later edit [May 6, 2016]: Sightings of this ransomware strain were also reported a few days before our article, and even earlier, in April.

* This article features cyber intelligence provided by CSIS Security Group researchers.

Comments

[…] Zaharia, A. (2016). Security alert: New ransomware promises to donate earnings to charity. Heimdal Security. Retrieved from https://heimdalsecurity.com/blog/security-alert-new-ransomware-donate-earnings-charity/ […]

[…] A new ransomware claims to hand the ransoms over to charities […]

[…] CryptMix encrypts the files on the victim’s computer making it unusable. According to Heimdal Security, a well-known anti-malware and cyber security software company, the new ransomware makes use of […]

[…] specifically, the malware was discovered by the firm Heimdal Security, which has even disclosed several of the “ransom notes” sent to the targets of these […]

[…] is not a joke. Heimdal Security disclosed a new variant of ransomware combining CryptoWall 4 and CryptXX. It has all the usual components of […]

[…] specifically, the malware was discovered by the firm Heimdal Security, which has also disclosed other “ransom notes” sent to the targets of these […]

[…] ransomware, CryptMix encrypts the files on the victim’s computer making it unusable. According to Heimdal Security, a well-known anti-malware and cyber security software company, the new ransomware makes use of […]

[…] bitcoin ransomware encrypts the files on the victim’s computer making it unusable. According to Heimdal Security, a well-known anti-malware and cyber security software company, the new ransomware makes use of […]

[…] process too,” reads the ransom note sent to victims of a new type of ransomware discovered by Heimdal Security and others. “Many children will receive presents and medical help! And We trust that you are […]

[…] Heimdal Security: Security Alert: New Ransomware Promises to Donate Earnings to Charity […]

[…] CryptMix is a rebel programming that makes it difficult to get to your information unless you hack up a payment. It was initially highlighted by a blogpost by security organization called Heimdal Security. […]

[…] CryptMix is what’s known as “ransomware,” rogue software that makes it impossible to access your data unless you cough up a ransom. It was first highlighted by a blogpost by security company Heimdal Security. […]

[…] Security experts have found a new Trojan Encoder CryptMix, whose distributors promise to deliver the ransom to the children’s charity. However, it is not […]

[…] the security firm Heimdal Security has just discovered a new ransomware strain called CryptMix, and those responsible for the attack […]

[…] list and will stay in the charity history!” reads the ransom note sent to victims of the CryptMix ransomware shared by the experts at Heimdal Security who spotted the new threat. It is the first time that […]

[…] hardly trust cyber criminals to have a kind and generous side to them,” Heimdal’s Andra Zaharia writes. “Real life is nothing like the […]

[…] donors list and will stay in the charity history!” reads the ransom note sent to victims of the CryptMix ransomware shared by the experts at Heimdal Security who spotted the new […]

[…] alert about a new ransomware strain. What’s particular about this one it’s that it claims to donate your ransom to children charity. Emotional extortion much? And of course it doesn’t donate anything, it’s just a social […]

[…] Security explains in a blog post that the ransomware, known as "CryptMix," borrows from other, better known crypto-ransomware […]

[…] Discovered by Heimdal Security, the ransomware operates in the traditional sense, by encrypting all the data on the PC before demanding the ransom. But the difference lies in the details of the ransom note, which says that the hijacker of your system will donate the money to a children’s charity: “Many children will receive presents and medical help!” […]

[…] to Heimdal Security, the cybercriminals behind the Charity Team ransomware are trying to psychologically manipulate […]
