Connect with us

Hi, what are you looking for?


Malware & Threats

RIG Exploit Kit Drops New CryptoMix Ransomware Variant

A new variant of the CryptoMix ransomware is being distributed via the RIG exploit kit (EK), security researchers have discovered.

A new variant of the CryptoMix ransomware is being distributed via the RIG exploit kit (EK), security researchers have discovered.

The distribution of CryptoMix was previously associated with RIG, which has been used to drop other ransomware families, including Cerber. In the past, the threat was also associated with the activity of one of the long-standing infection chains out there, namely EITest, and the new distribution campaign features it as well.

EITest, which has been distributing malware such as the Spora ransomware, Gootkit information stealer, and the Chthonic and Ursnif banking Trojans, among others, has seen some changes since October 2016, when it stopped using a gate between the compromised website and the EK landing page, and no longer employed obfuscation for the scripts injected on legitimate sites.

The campaign makes use of two variants of the RIG exploit kit, namely RIG-E (or Empire Pack) and Rig-V (an improved, “VIP” version of the EK), and was most recently associated with a malware distribution campaign specifically targeting users of the Chrome browser on Windows computers.

As mentioned above, CryptoMix (also known as CryptFile2), has been distributed through EITest and RIG before, and the only thing that changed in this regard recently is the ransomware variant, which BleepingComputer refers to as CryptoShield 1.0.

Similar to other EITest attacks, as soon as a victim accesses a compromised site, the injected code redirects them to the RIG EK’s landing page. The exploit kit then attempts to leverage vulnerable software on the potential victim’s machine and, if successful, installs the newly discovered ransomware variant.

Once installed on the compromised computer, the malware generates a unique ID for the machine, along with an encryption key, both of which are then uploaded to the command and control (C&C) server. Next, the malware starts scanning the computer for targeted files, and then proceeds to encrypt them. The ransomware targets over 400 file extensions.

Advertisement. Scroll to continue reading.

The new CryptoMix variant encrypts every file using AES-256 encryption, while also encrypting the filename using ROT-13, and appending the .CRYPTOSHIELD extension to it. The malware creates ransom notes in each of the folders where encrypted files are located, while also attempting to disable the Windows startup recovery and to delete the Windows Shadow Volume Copies, so as to prevent users from recovering their data.

Next, the malware displays a fake alert informing the user that Exporer.exe has encountered a problem. Only an “OK” button is available on the window, and, when the user clicks it, a User Account Control prompt is displayed, requesting permission to execute a process. If the user agrees, the ransomware displays a note informing them on the infection and how they can pay the ransom to recover the files.

The note refers to the ransomware as CryptoShield 1.0 and provides victims with three email addresses they can contact to kick off the ransom payment and file recovery process. The ransom note is essentially unchanged from what CryptoMix was dropping last year, except for the new malware name and the use of different email addresses in the newly spotted campaign.

Related: Ransomware Operators Show Reputable “Customer” Service

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...