- Apr 26, 2017
- 89
Yesterday, Malwarebytes malware researcher Marcelo Rivero discovered a new variant of the CryptoMix ransomware that is appending the .EXTE extension to encrypted file names. This article provides a brief summary of information related to this new variant.
As we are always looking for weaknesses, if you are a victim of this variant and decide to pay the ransom, please send us the decryptor so we can take a look at it. You can also discuss or receive support for Cryptomix ransomware infections in our dedicated Cryptomix Help & Support Topic.
Changes in the Exte Cryptomix Ransomware Variant
While overall the encryption methods stay the same in this variant, there have been some differences. First and foremost, we have a new ransom note with a file name of _HELP_INSTRUCTION.TXT. This ransom note contains instructions to contact either exte1@msgden.net, exte2@protonmail.com, or exte3@reddithub.com for payment information.
The next noticeable change is the extension appended to encrypted files. With this version, when a file is encrypted by the ransomware, it will modify the filename and then append the .EXTE extension to encrypted file's name. For example, an test file encrypted by this variant has an encrypted file name of 32A1CD301F2322B032AA8C8625EC0768.EXTE.
One point of interest, is that this variant continues to use the same 10 public RSA keys as the previous AZER version. One of these keys will be selected to encrypt the AES key used to encrypt a victim's files. This allows the ransomware to work completely offline with no network communication.
As this is just a cursory analysis of this new variant, if anything else is discovered, we will be sure to update this article.
IOCs
Source: New Exte CryptoMix Ransomware Variant Released
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}
