February 01, 2017
A new CryptoMix, or CrypMix, variant called CryptoShield 1.0 Ransomware has been discovered by ProofPoint security researcher Kafeine being distributed via EITest and the RIG exploit kit.
As a note, in this article I will be calling this ransomware CryptoShield as that will most likely be how the victim's refer to it. It is important to remember, though, that this ransomware is not a brand new infection, but rather a variant of the CryptoMix ransomware family.
How Victim's Become Infected with CryptoShield 1.0
This attack can be seen below where a visitor goes to the compromised site and encounter the EITest script. This script then launches code from another site that activates the exploit kit in order to install CryptoShield.
Rig Exploit Kit Traffic
As exploit kits use vulnerabilities in installed program to infect a computer, it is important that users make sure that all programs have the current updates installed. This is especially true for those programs that interact with online documents or sites. This means that updates for programs like Adobe Flash & Reader, Oracle Java, and Windows should always be installed when they are made available.
How the CryptoShield 1.0 Variant Encrypts a Victim's Files
Once the ransomware executable is downloaded and executed on the victim's computer, it will generate a unique ID for the victim and an encryption key. The infection will then upload the unique ID and private encryption key to its Command & Control server. It will then proceed to scan the computer for targeted files and encrypt them.
The list of extensions targeted by CryptoShield are:
When CryptoShield encounters a targeted file it will encrypt it using AES-256 encryption, encrypt the filename using ROT-13, and then append the .CRYPTOSHIELD extension to the encrypted file. For example, a file called test.jpg would be encrypted and renamed as grfg.wct.CRYPTOSHIELD. You can decrypt the filenames by using any ROT-13 encryptor, such as rot13.com.
In each folder that CryptoShield encrypts a file, it will also create ransom notes named # RESTORING FILES #.HTML and # RESTORING FILES #.TXT.
During this process, the ransomware will issue the following commands to disable the Windows startup recovery and to clear the Windows Shadow Volume Copies as shown below.
CryptoShield will then display a fake alert stating that there was an application error in Explorer.exe. At first, I was not sure if this was an error produced by the ransomware or just a crashing explorer.exe. As you read the alert closely, though, you can see spelling mistakes such as "momory" and an odd request that you should click on the Yes button in the next Window "for restore work explorer.exe". The broken English really should have been the giveaway for me.
Fake Explorer.exe Alert
Once you press OK on the above prompt, you will be presented with a User Account Control prompt, which asks if you wish to allow the command "C:\Windows\SysWOW64\wbem\WMIC.exe" process call create "C:\Users\User\SmartScreen.exe" to execute. This explains why the previous alert was being shown; to convince a victim that they should click on the Yes button in the below UAC prompt.
UAC Prompt for the Launch of the SmartScreen.exe Executable
Once a victim clicks Yes, the ransomware will start again and display the # RESTORING FILES #.HTML ransom note, which is shown below.
HTML Ransom Note
Unfortunately, as already stated there is no way to currently decrypt files encrypted by CryptoShield for free. For those who wish to discuss this ransomware or receive support, you can always use our CryptoMix or CrypMix Ransomware Help Topic (.code, .Cryptoshield, scl extension).
File Associated with the CryptoShield CrypMix Variant:
Registry Entries Associated with the CryptoShield CrypMix Variant:
Text of Ransom Note:
Text of Fake Explorer.exe Alert:
CryptoShield 1.0 Associated Emails:
News Courtesy : https://www.bleepingcomputer.com/news/security/cryptomix-variant-named-cryptoshield-1-0-ransomware-distributed-by-exploit-kits/