Tag Archives: CryptoMix

June 1st AVIEN resources updates

Updates to (Anti)Social Media

Tomáš Foltýn for ESET: More curious, less cautious: Protecting kids online – “How we can help protect a generation for which digital is the way of the world?”

Updates to Cryptocurrency/Crypto-mining News and Resources

Trend Micro: Rig Exploit Kit Now Using CVE-2018-8174 to Deliver Monero Miner

Updates to GDPR page

For Tech Beacon, Richi Jennings curates some blog-y thoughts on GDPR and what comes next from the EU: Think GDPR was a disaster? EU’s ePrivacy Regulation is worse

Milena Dimitrova for Security Boulevard: GDPR Is Affecting the Way WHOIS Works, Security Researchers Worry – as indeed it is, and indeed they should…

Graham Cluley: An advert against online privacy “NO, YOU CAN TAKE ANYTHING… JUST DON’T TAKE MY APPS!” – “The advertising industry … has its knickers in a twist so tightly about European privacy regulations that it made videos like this to try to sway public opinion”

For Help Net, Arcserve’s Oussama El-Hilali discusses The emergence and impact of the Data Protection Officer. Not a bad article, but extraordinarily US-centric in its assertion that “… one of the lesser known mandates of the regulation is the creation of a completely new role: The Data Protection Officer (DPO).” That role, if not necessarily that job title, has long been known in Europe and the UK as a direct result of the Data Protection Directive 95/46/EC, which it supersedes and the UK’s Data Protection Act(s).

Sophos:  European Commission “doesn’t plan to comply with GDPR” – well, sort of

Updates to Meltdown/Spectre and other chip-related resources

The Register: Arm emits Cortex-A76 – its first 64-bit-only CPU core (in kernel mode) – “Apps, 32 or 64-bit, will continue to run just fine as design biz looks to ditch baggage … Linux and Android, Windows, and other operating systems built for this latest Cortex-A family member are being positioned, or are already positioned, to work within this 64-bit-only zone.”

Also from The Register: Spectre-protectors: If there’s something strange in your CPU, who you gonna call? “Ghostbusters in Chrome 67 stop Spectre cross-tab sniffs and more … Enhanced Spectre-protectors will soon come to the Chrome browser … and upgrades for Windows, Mac and Linux have started to flow.”

Updates to Internet of (not necessarily necessary) Things

Dearbytes: Smartwatches disclosing children’s location

The Register: OMG, that’s downright Wicked: Botnet authors twist corpse of Mirai into new threats – “Infamous IoT menace lives on in its hellspawn”. Summarizes Netscout’s research – OMG – Mirai Minions are Wicked – “In this blog post we’ll delve into four Mirai variants; Satori, JenX, OMG and Wicked, in which the authors have built upon Mirai and added their own flair.”

Updates to Specific Ransomware Families and Types

Bleeping Computer: New Backup Cryptomix Ransomware Variant Actively Infecting Users

Updates to Mac Virus

John Gruber for Daring Fireball: 10 Strikes and You’re Out – the iOS Feature You’re Probably Not Using But Should. The feature he’s referring to is the passcode option “Erase all data on this iPhone after 10 failed passcode attempts”. I don’t have an iPhone, so haven’t really looked into the feature, but it certainly seems that it’s a more useful, less daunting option than you might think.

Paul Ducklin for Sophos: Apple’s iOS 11.4 security update arrives in an iCloud of silence – “We updated to iOS 11.4, because that’s our habit – but Apple still isn’t saying what was fixed yet. How we wish Apple wouldn’t do that!”

Updates to Chain Mail Check

Tomáš Foltýn for ESET: World Cup scams: how to avoid an own goal – “Whether travelling to enjoy the matches in person, or watching from home, fans should be on the lookout for foul play” (I always enjoy Tomáš’s wordplay.)

Snopes: Is Starbucks Installing ‘Shatter-Proof Windows’? – “An image circulating online falsely promised “free coffee for a year” to anyone who could damage the company’s new windows.” Put away that bazooka…

David Harley

Ransomware Roundup – Koolova, KillDisk and more


Perhaps the oddest thing to pop up recently is the Koolova ransomware (which refers to itself as Nice Jigsaw): it encrypts files and threatens to delete them, but supplies a decryption key once the victim has read two articles: Google’s  Stay safe while browsing  and Bleeping Computer’s Jigsaw Ransomware Decrypted: Will delete your files until you pay the Ransom.

Lawrence Abrams: Koolova Ransomware Decrypts for Free if you Read Two Articles about Ransomware. Commentary by Graham Cluley for Tripwire: Ransomware Offers Free Decryption if you Learn About Cybersecurity.

I have to agree with Abrams that there’s something creepy (to say the least) about this. But not only because it cites one of his own articles. Even though the ‘ransom’ isn’t monetary, there are less offensive ways in which someone could make that ‘educational’ point without compromising someone else’s data and without the barely-concealed gloating because of the power they have over the victim but choose not to exercise. And I find it hard to believe that the people behind this are always going to be so ‘nice’. Are they priming the pump for a different kind of attack?


For ESET, Robert Lipovsky and Peter Kálnai have more information on KillDisk’s recent foray into ransomware: KillDisk now targeting Linux: Demands $250K ransom, but can’t decrypt.

They summarize:

The recent addition of ransomware functionality seems a bit unusual, as previous attacks were cyber-espionage and cyber-sabotage operations. Considering the high ransom of around USD 250,000 – resulting in a low probability that victims would pay up, in addition to the fact that the attackers have not implemented an efficient way of decrypting the files, this seems more like a nail in the coffin, rather than a true ransomware campaign.


Meanwhile, the Petya-derived GoldenEye has been targeting German-speaking HR departments as a way into the lucrative corporate ransomware market. According to Checkpoint:

The first attachment is a PDF containing a cover letter which has no malicious content and its primary purpose is to lull the victim into a false sense of security. The second attachment is an Excel file with malicious macros unbeknown to the receiver.

Not a novel approach, but it’s worked well for other types of malware (including Cerber), and I see no reason why it shouldn’t be effective this time, even though (as David Bisson points out):

While those in HR should expect to receive emails from all kinds of people, they shouldn’t give anyone who sends a Microsoft Office document with macros enabled the time of day. In fact, organizations should make sure that every computer in every department disables Office macros by default.


Cert.PL offers analysis of the newly-polished tur^H^H^H CryptFile2, now known as CryptoMix: Technical analysis of CryptoMix/CryptFile2 ransomware

Among its ‘interesting’ features:

  • The ‘insane’ ransom amount (currently 5 bitcoin)
  • There’s a suggestion in the analysis that paying is likely to generate further ransom demands, but not the decryption keys
  • The crooks claim that the ransom will be contributed to a children’s charity, and that the victim will get free PC support. Yeah, right.

In fact, none of this information is particularly new, but the technical analysis is interesting.


A fast-evolving threat appeared on Christmas Eve 2016, but researchers quickly provided free decryptors.

Decryptors are available from Checkpoint and from MalwareHunterTeam’s Michael Gillespie.

Unnamed PHP Ransomware(-ish)

Checkpoint also has a decryptor for the unnamed PHP ransomware also described in its article. In fact, ransomware might be the wrong word in this case, since at present it displays no ransom ‘note’ and has no known channel for paying a ransom.

David Harley

Ransomware Updates (2)

(1) Action Fraud article about DDoS extortion threats by a hacking group: Online extortion demands affecting businesses. Commentary by SC Magazine: Action Fraud warns of new wave of Lizard Squad DDoS attacks

(2) Catalin Cimpanu for Softpedia: Decrypter for Alpha Ransomware Lets Victims Recover Files for Free.

(3) CryptoMix: ransomware that makes the ludicrous claim that the 5 bitcoin ransom will be paid to a children’s charity. Related to CryptoWall 4.0 and CryptXXX: no free decrypter currently available.

David Harley