Infected with CryptoMix Ransomware? Need to decrypt your files?

What is CryptoMix Ransomware

CryptoMix Ransomware is famous family of ransom-demanding encryption viruses. It also known as Mole66 ransomware, Empty ransomware, Mole Ransomware, Lesli Ransomware, ZERO Ransomware. Recently it came up with updated version that modifies your files with random set of 32 letters and digits and .xzzx file extension. List of possible file extensions are:
.lesli
.rdmk
.MOLE
.CK
.ZERO
.DG
.code
.EMPTY
.BACKUP

So it makes your files look like this: 1V3DJHJ6M78BL3535RTY987XZFDGP876.XZZX. All versions uses complex double encryption with RSA-1024 ans AES algorithms. After encryption finishes CryptoMix Ransomware creates _HELP_INSTRUCTION.TXT file that contains contact e-mails and ransom-demanding message. Malefactors use following e-mails: xzzx@tuta.io, xzzx1@protonmail.com, xzzx10@yandex.com, and xzzx101@yandex.com, xoomx@dr.com, supl0@post.com, supl0@oath.com, supl@post.com, supl@oath.com, supls@post.com, supls@oath.com, ck01@techmail.info, ck02@decoymail.com, ck03@protonmail.com. Here are the contents of this file:

Hello!
Attention! All Your data was encrypted!
For specific information, please send us an email with Your ID number:
xzzx@tuta.io
xzzx1@protonmail.com
xzzx10@yandex.com
xzzx101@yandex.com
Please send email to all email addresses! We will help You as soon as possible!
DECRYPT-ID-[id] number

Another version of ransom notes:

NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files?
All of your files were protected by a strong encryption with RSA-2048.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/rsa_(cryptosystem)
How did this happen ?
!!! Specially for your PC was generated personal RSAj-2048 key, both public and private.
!!! ALL YOUR files were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with tne help of the private key and decrypt program, which is on our Secret Server
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining bitcoin now! , and restore your data easy way.
If you have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions:
Contact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact you within 12 hours.
For you to be sure, that we can decrypt your files – you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee.
E-MAIL1: xoomx@dr.com
E-MAIL2: xoomx@usa.com
YOUR_ID: ********

May’2018 update

Hello!

Attention! All Your data was encrypted!

For specific informartion, please send us an email with Your ID number:

backuppc@tuta.io

backuppc@protonmail.com

backuppc1@protonmail.com

b4ckuppc1@yandex.com

b4ckuppc2@yandex.com

backuppc1@dr.com

Please send email to all email addresses! We will help You as soon as possible!

IMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!

DECRYPT-ID-[id] number

Virus also runs commands to stop main Windows security services (such as Windows Defender), disables recovery options and removes shadow copies. Current amount of ransom payment is unknown, but usually it varies between $300 and $1000, and have to be paid in BitCoins. Please, follow the guide below to remove CryptoMix Ransomware and restore .xzzx files in Windows 10, Windows 8, Windows 7.

cryptomix ransomware

Update: Use following service to identify the version and type of ransomware you were attacked by: ID Ransomware. Also check following website for possible decryptor: Emsisoft Decryptors.

How CryptoMix Ransomware infected your PC

CryptoMix Ransomware can infect your PC through unprotected RDP configuration, infected attachments to spam e-mails, exploits, web-injections, fake software updates. You can also get this ransomware on file sharing networks, including torrent files. Ransom is asked to be paid in BitCoins, that also makes the task difficult for the police, as user in this network are often anonymous. Encryption starts in the background. Way to protect your computer from such threats is to use antiviruses with crypto-protection like HitmanPro.Alert with CryptoGuard.

First of all don’t panic. Follow these easy steps below.

1. Start your computer in Safe Mode with networking. To do that, restart your computer, before your system starts hit F8 several times. This will stop system from loading and will show Advanced boot options screen. Choose Safe mode with networking option from the options list using up and down arrows on your keyboard and hit Enter.
2. Log in to the system infected with the CryptoMix Ransomware virus. Launch your Internet browser and download a reliable anti-malware program and start a full system scan. Once the scan is complete, review scan results and remove all entries detected.

Recommended Solution:

Norton is a powerful removal tool. It can remove all instances of newest viruses, similar to CryptoMix Ransomware – files, folders, registry keys.

 

Download Norton*Trial version of Norton provides detection of computer viruses for FREE. To remove malware, you have to purchase the full version of Norton.

Step 2: Remove following files and folders of CryptoMix Ransomware:

Remove following registry entries:

no information

Remove following files:

_HELP_INSTRUCTION.TXT

How to decrypt files infected by CryptoMix Ransomware (.xzzx files)?

Use automated decryption tools

kaspersky rakhni decryptor for CryptoMix Ransomware

There is ransomware decryptor from Kaspersky that can decrypt .xzzx files. It is free and may help you restore .xzzx files encrypted by CryptoMix Ransomware virus. Download it here:

Download Kaspersky RakhniDecryptor

Alternative tool for CryptoMix decryption

Cryptomix Decryption tool

Alternative tool for Mole decryption

Mole Decryption tool

You can also try to use manual methods to restore and decrypt .xzzx files.

Decrypt your files manually

Restore the system using System Restore

system restore

Although, latest versions of CryptoMix Ransomware remove system restore files, this method may help you partially restore your files. Give it a try and use standard System Restore to revive your data.

  1. Initiate the search for ‘system restore
  2. Click on the result
  3. Choose the date before the infection appearance
  4. Follow the on-screen instructions

Roll the files back to the previous version

Previous versions can be copies of files and folders created by Windows Backup (if it is active) or copies of files and folders created by System Restore. You can use this feature to restore files and folders that you accidentally modified or deleted, or that were damaged (in our case – CryptoMix Ransomware by CryptoMix Ransomware). This feature is available in Windows 7 and later versions.

windows previous versions

  1. Right-click the file and choose Properties
  2. Open the Previous Version tab
  3. Select the latest version and click Copy
  4. Click Restore

Restore .xzzx files using shadow copies

stellar-data-recovery

  1. Download and run Stellar Data Recovery.
  2. Select type of files you want to restore and click Next.
  3. Select the drive and folder where your files are located and date that you want to restore them from and press Scan.
  4. Once the scanning process is done, click Recover to restore your files.

Protect your files from ransomware

Most modern software can protect your data from ransomware and crypto-trojans, but thousands of people still get infected. There are several programs that use different approach to protect your files from ransomware and lockers. One of the best is SOS Online Backup. The product will automatically find important files, then simply make a daily backup on the remote server. SOS runs quietly and automatically in the background and supports any size and any file type. All SOS apps (desktop AND mobile) encrypt files using UltraSafe 256-bit AES before transferring them to the cloud. You will not lose your important data. Download One Year Plan.

SOS Online Backup

Information provided by: Alexey Abalmasov

Leave a Reply

Your email address will not be published. Required fields are marked *