CryptoMix Virus - How To Remove?

 

CryptoMix is not a completely new variant of ransomware viruses: it has been around ever since April of 2016. It first got attention from security researchers with a name CryptFile2, but now it is more commonly referred to as CryptoMix infection. IT specialists have already emphasized the possibility of people from all over the world getting infected with this infection since it offers Google Translate to understand their message in your native language instead of English. Despite being indicated as a rather one-fold threat, CryptoMix somehow managed to not only successfully infect devices, but also compelled victims to send the demanded sums of money. According to some reports, the price for decryption varies for separate victims, meaning that it can be assigned according to the amount of encrypted files. It is presumable that the ransomware won’t feel coy to require from 5 to 10 BTC (approximately from 4623 to 9246 US dollars). The good news is that security researchers just announced about a possibility to decrypt files that are ruined by CryptoMix virus.

The shady nature of CryptoMix virus

We have seen some gruesome stuff, but hackers of CryptoMix virus are certainly pulling all of the stops to convince people that paying the demanded fee is not only the way to restore files, but to be a generous human being. Since this crypto-variant does not operate with a separate website for payment, users have to contact the hackers by writing letters to xoomx@dr.com or xoomx@usa.com for more information. There seems to be a newer version of CryptoMix ransomware that advises people to contact different emails: enc10@dr.com enc10@usa.com. In our opinion, it would be much more effective for a ransomware virus to possess a website with data instructions for payment. Now, sloppy hackers are wasting time by engaging in conversations with their victims. If you think that ransomware creators can sink to lower: you are wrong. CryptoMix virus can pretend to be a genuinely benevolent infection, concerned with well-being of hospitals or child-care facilities. Some victims confirmed that they were played with a card of decency: who would object to donating money to a sick child? Nevertheless, the problem is that hackers are actually not going to donate the money they receive. In addition to that, they will show their vicious nature by disappearing after the demanded bitcoins are send. The first version of CryptoMix looked like this:

 

This is the note that is left behind by the new version:

Victims indicated that their data was either appended with .code extension or a longer one, containing an ID number of the victim. The payload of CryptoMix virus hides in random folders as a file that would not attract much attention. Some victims of this variant suggested that the ransomware being discussed hid as an update for Adobe Reader or Adobe Flash Player. The ransomware targets an impressive number of extensions: over a thousand. Besides the fact that it corrupts data, it is not that interesting to examine. It does not lock users’ screens, nor has anything that would instantly single it out from the crowd. Thankfully, IT specialists finally discovered a vulnerability in the CryptoMix virus. You have to click here and contact the necessary researchers. Then, you will be advised to send the encrypted data to them. If everything goes smoothly, decryption of files should not be an issue.

There is a possible way to decrypt files that were ruined by CryptoMix virus

We are sure that having your files encrypted is a nightmare that you wish to wake up from: this is not always possible. Fortunately, security researchers have been working on a decryptor for CryptoMix virus and are very close to a solution. If you happen to be infected with this sample of ransomware, you should not hesitate to contact people from this site. They will most likely give you information about methods that would help to decrypt the corrupted files. It might be that this solution does not have a 100% success rate, but we hope that at least the majority of files can be restored. Do you consider yourself a cautious person? Well, prove it by storing data in backup storages (there is number of them online). An alternative is to keep your files in other locations, like USB flash drivers.

What are the possible methods for distribution that CryptoMix virus can exploit for its own advantage?

CryptoMix crypto-ransomware is a real burden. Therefore, it is clear that people would not download this type of virus themselves. A more convincing scenario is that Internet users were tricked into allowing a payload of a virus into their systems. This might have happened if you received an infectious email letter in your inbox and opened it without realizing that it was actually sent by hackers, attempting to infect you with malware. If you notice that your inbox has received a quite unusual email, designed to inform you about an extremely relevant matter, you should check whether it is really originating from a reliable source. If an email is implying to be from a legitimate authority, then you are should check whether the sender’s email address is identical to the official one of that facility. Mots commonly, they differ. You might also get a ransomware virus from other places. For example, your device might be compromised do to the fact that you visited unreliable domains or interacted with random online advertisements.

We are certain that Reimage, Spyhunter or Malwarebytes will provide you with top-notch security and CryptoMix is going to be caught red-handed. In fact, all of the malware present in your device is going to be detected without any problems. Manual removal is a secondary option which should be selected only if you are comfortable with such a task.

Update of the 30th of January, 2017. This recent infection of CryptoMix has been noticed to feature a new extension: .rdmk.

Update of the 9th of April, 2017. Recently, CryptoMix began to append a new extension which is confusing for victims. Hefty extension .[payment_email].ID[VICTIM_16_CHAR_ID].WALLET is the one that the current variant exploits.

How to recover CryptoMix virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista/ XP
  • Start Shutdown RestartOK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt. Windows 7 enter safe mode

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart. Windows 8-10 restart to safe mode
  • Choose TroubleshootAdvanced OptionsStartup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings. Windows 8-10 enter safe mode

2.Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again. CMD commands
  • Click “Next” in the windows that appeared. Restore point img1
  • Select one of the Restore Points that are available before CryptoMix ransomware has infiltrated to your system and then click “Next”. Restore point img2
  • To start System restore click “Yes”. Restore point img3

Step 2. Complete removal of CryptFile2 ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Reimage and remove all malicious files related to CryptFile2 virus. You can check other tools here.


Step 3. Restore CryptoMix virus affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually CryptoMix ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select PropertiesPrevious versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.


Previous version
b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Shadow explorer

Step 4. Use Data Recovery programs to recover CryptFile2 ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

  • We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
  • Download Data Recovery Pro (commercial)
  • Install and scan for recently deleted files. Data Recovery Pro

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

     
 

About the author

 - Main Editor
I have started 2-viruses.com in 2007 after wanting to be more or less independent from single security program maker. Since then, we kept working on this site to make internet better and safer place to use.
 
January 6, 2017 07:46, May 9, 2017 03:59
 
   
 

Leave a Reply

Your email address will not be published. Required fields are marked *