Beware of 0000 Ransomware! A new variant of CryptoMix Ransomware has been released

CryptoMix Ransomware is not a new malicious application for sure. It has been active for a while now, and researchers working in the cybersecurity department are well aware of the fact that it comes in several different variants. From the technical standpoint, they do not differ much from each other, but they append different extensions to users’ files after encrypting them. For example, you might find .ogonia, .zero, .exte, .zayka, .wallet, .azer, .mole02, .mole, or .xzzx filename extension appended to your files depending on the version of CryptoMix Ransomware you encounter. Of course, it is not a full list. Malware researchers have recently come across a new variant of this ransomware infection. It has been given the name 0000 Ransomware because it appends the .0000 extension to those files it affects. If you have found your files marked by it, it means that this ransomware infection has infiltrated your computer successfully. Actually, it does not really matter which version of CryptoMix Ransomware you encounter because you will find your files locked in all the cases. What makes these CryptoMix threats different from other crypto-threats is the fact that they do not demand a ransom from users right away. Instead, victims are instructed to write an email “for specific information.”

The newest version of CryptoMix Ransomware – 0000 Ransomware – does not differ much from those released previously. Only minor differences between them are visible. While all CryptoMix versions encrypt files they find stored on compromised machines using the same encryption method and drop the ransom note on affected computers, email addresses they leave for users differ with every version. For example, victims might find exte1@msgden.net, admin1@zayka.pro, xoomx@dr.com, admin@hoist.desi, shield@usa.com, TankPolice@aolonline.top, and other emails inside ransom notes left for them. As for 0000 Ransomware, it provides users with four different emails: y0000@tuta.io, y0000@protonmail.com, y0000z@yandex.com, and y0000s@yandex.com. Victims need to send an email with the unique ID (it is indicated at the bottom of the ransom note) to any of the email addresses provided to get further information. Variants of CryptoMix Ransomware tend not to include any information about the ransom in their ransom notes, but there is basically no doubt that users who contact cyber criminals by any of the provided email addresses will get payment details. That is, they will be told that they can only decrypt their files with special software that can be purchased from them, and, additionally, they will get instructions explaining how to make a payment. Is it worth paying a ransom? Certainly not! You have no guarantees that cyber criminals will kindly share the decryption tool with you when they receive your money. To put it differently, sending money to them does not guarantee that you could get your files back.

The presence of different emails in the ransom note is not the only thing that distinguishes 0000 Ransomware from other CryptoMix variants. Another noticeable difference is the extension it appends to files it encrypts. As mentioned in the first paragraph of this article, your pictures, documents, videos, and other files will get the .0000 extension appended to them. Additionally, their original names will be changed to 32 random characters, for example, picture.jpg might become 0AE2C47210495B46345CAE8D130F3F8E.0000 following the entrance of this ransomware infection.

All CryptoMix Ransomware variants are distributed similarly. Researchers say that there are several different distribution methods used. First, these infections might be spread via exploit kits, they say. Second, they might be distributed as malicious attachments in spam emails. These attachments might be made to look like invoices or other important documents to trick users. Last but not least, it might infiltrate computers immediately after users click on malicious links scattered over the web or pay a visit to hacked domains. Ransomware infections belong to the group of serious malware, so we have several recommendations for you to help you to avoid new crypto-malware. First, do not open email attachments, especially if they are located inside spam emails and/or you do not know who has sent them to you. Second, make sure your Windows OS is up-to-date. Third, enable security software on your computer. Finally, back up your files periodically so that you would not lose them again in case of the entrance of new malware.

If you have already encountered 0000 Ransomware, there is one thing we want to be honest with you about – the chances are high that you could not decrypt those affected files for free because free decryption software is not available. Of course, it does not mean that the ransomware infection can stay on your system. We have provided the step-by-step instructions (see below) to help you disable this infection. You cannot keep it active because it starts working on system startup, meaning that it will encrypt new files with every launch.

How to remove 0000 Ransomware

1. Press Win+R on your keyboard.
2. Insert regedit.exe and click OK.
3. Open HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
4. Locate the Value representing 0000 Ransomware, right-click it, and select Delete.
5. Delete the Value from the same registry key (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run).
6. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce.
7. Select the *BC0EBCF2F2 Value and delete it.
8. Close Registry Editor.
9. Tap Win+E.
10. Delete BC0EBCF2F2.exe from %ALLUSERSPROFILE% and %ALLUSERSPROFILE%\Application Data directories.
11. Delete all suspicious recently downloaded files (they should be located in %USERPROFILE%\Desktop or %USERPROFILE%\Downloads).
12. Empty Recycle bin.

References:

1. Pierluigi Paganini. A second variant of the new Cryptomix Ransomware released in a few days. http://securityaffairs.co/wordpress/65716/malware/cryptomix-ransomware-2.html
2. Quick Heal Security Labs. Cryptomix Ransomware with multiple variants. http://blogs.quickheal.com/cryptomix-ransomware-resurfaces-multiple-variants/
3. Alviera Twist. How to Remove 0000 Ransomware and restore .0000 extension files. http://totalsystemsecurity.com/tag/how-i-remove-0000-ransomware-without-paying-ransom/
4. Pixabay. https://pixabay.com/en/ransomware-cyber-crime-malware-2320941/