February 01, 2017

A new CryptoMix, or CrypMix, variant called CryptoShield 1.0 Ransomware has been discovered by ProofPoint security researcher Kafeine being distributed via EITest and the RIG exploit kit.

As a note, in this article I will be calling this ransomware CryptoShield as that will most likely be how the victim's refer to it. It is important to remember, though, that this ransomware is not a brand new infection, but rather a variant of the CryptoMix ransomware family.

How Victim's Become Infected with CryptoShield 1.0

CryptoShield is being distributed through sites that have been hacked or compromised so that when a visitor goes to the site, they will encounter the EITest attack chain. EITest is a JavaScript attack code that is injected into sites so that it will be executed by visitors. In the attack chain noted by Kafeine, EITest will load the RIG exploit kit that will further download and install the CryptoShield ransomware on the visitors computer.

This attack can be seen below where a visitor goes to the compromised site and encounter the EITest script. This script then launches code from another site that activates the exploit kit in order to install CryptoShield.

rig exploit kit

                                                                                     Rig Exploit Kit Traffic
                                                                                       Source: Kafeine

As exploit kits use vulnerabilities in installed program to infect a computer, it is important that users make sure that all programs have the current updates installed. This is especially true for those programs that interact with online documents or sites. This means that updates for programs like Adobe Flash & Reader, Oracle Java, and Windows should always be installed when they are made available.

How the CryptoShield 1.0 Variant Encrypts a Victim's Files

Once the ransomware executable is downloaded and executed on the victim's computer, it will generate a unique ID for the victim and an encryption key. The infection will then upload the unique ID and private encryption key to its Command & Control server. It will then proceed to scan the computer for targeted files and encrypt them.

The list of extensions targeted by CryptoShield are:
CryptoMixWhen CryptoShield encounters a targeted file it will encrypt it using AES-256 encryption, encrypt the filename using ROT-13, and then append the .CRYPTOSHIELD extension to the encrypted file. For example, a file called test.jpg would be encrypted and renamed as grfg.wct.CRYPTOSHIELD.  You can decrypt the filenames by using any ROT-13 encryptor, such as

In each folder that CryptoShield encrypts a file, it will also create ransom notes named # RESTORING FILES #.HTML and # RESTORING FILES #.TXT.

encrypted files                                                                                       Encrypted Files

During this process, the ransomware will issue the following commands to disable the Windows startup recovery and to clear the Windows Shadow Volume Copies as shown below.
Cryptomix1CryptoShield will then display a fake alert stating that there was an application error in Explorer.exe. At first, I was not sure if this was an error produced by the ransomware or just a crashing explorer.exe. As you read the alert closely, though, you can see spelling mistakes such as "momory" and an odd request that you should click on the Yes button in the next Window "for restore work explorer.exe". The broken English really should have been the giveaway for me.

fake alert                                                                                             Fake Explorer.exe Alert

Once you press OK on the above prompt, you will be presented with a User Account Control prompt, which asks if you wish to allow the command "C:\Windows\SysWOW64\wbem\WMIC.exe" process call create "C:\Users\User\SmartScreen.exe" to execute. This explains why the previous alert was being shown; to convince a victim that they should click on the Yes button in the below UAC prompt.

wmic uac                                                                   UAC Prompt for the Launch of the SmartScreen.exe Executable

Once a victim clicks Yes, the ransomware will start again and display the # RESTORING FILES #.HTML ransom note, which is shown below.

html ransom note                                                                                     HTML Ransom Note

This ransom note contains information regarding what happened to your files, a personal identification ID, and three email addresses that can be used to contact the ransom developer for payment instructions. The current email addresses are This email address is being protected from spambots. You need JavaScript enabled to view it.,This email address is being protected from spambots. You need JavaScript enabled to view it., and This email address is being protected from spambots. You need JavaScript enabled to view it..

Unfortunately, as already stated there is no way to currently decrypt files encrypted by CryptoShield for free. For those who wish to discuss this ransomware or receive support, you can always use our CryptoMix or CrypMix Ransomware Help Topic (.code, .Cryptoshield, scl extension).

File Associated with the CryptoShield CrypMix Variant:
crypto2Registry Entries Associated with the CryptoShield CrypMix Variant:
crypto4Network Communication:
crypto5Text of Ransom Note:
crypto7Text of Fake Explorer.exe Alert:
crypto8CryptoShield 1.0 Associated Emails:
News Courtesy :