Ransomware Research

CryptoMix Ransomware

CryptoMix is a ransomware strain that encrypts victim files and demands a ransom payment for decryption. It was first observed in the wild on April 1, 2016, and has been actively targeting systems worldwide.

Quick Facts

Ransomware Family: CryptoMix
First Seen: April 1, 2016

How CryptoMix Ransomware Works

Targeted Files

https://www.hybrid-analysis.com/sample/142596b9598a76768e497ed807a0e0ac4455048175b313d0f5c9480408943238?environmentId=100
Full extension -> .email[supls@post.com]_id[38f1c63f241f].rdmk

File Encryption Patterns

CryptoMix modifies encrypted files using specific patterns to mark them as encrypted:

File extensions added after encryption:

  • .code
  • .lesli
  • .rdmk
  • .CK
  • .ZERO
  • .DG
  • .MOLE
  • .MOLE00
  • .MOLE01
  • .MOLE02
  • .MOLE03
  • .MOLE66
  • .CNC

Ransom Note and Payment Demands

After encrypting files, CryptoMix displays ransom notes demanding payment for file recovery:

_HELP_INSTRUCTIONS_.TXT
  • Ransom message: notes/_HELP_INSTRUCTIONS_.TXT
  • Note locations: Every folder

INSTRUCTION RESTORE FILE.TXT
  • Ransom message: notes/INSTRUCTION RESTORE FILE.TXT
  • Note locations: Every folder

INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT
  • Ransom message: notes/INSTRUCTION RESTORE FILE.TXT
  • Note locations: Every folder

_HELP_INSTRUCTION.TXT
  • Ransom message: notes/_HELP_INSTRUCTION.TXT
  • Note locations: Every folder

Technical Indicators

Associated Executable Files

The following executable files are associated with CryptoMix ransomware:

  • CTARX.exe
  • AdobeFlashPlayer_5bfd178c5dfcb0db.exe
  • adobeflashplayer_d460ffbf1c9b74e8.exe
  • AdobeFlashPlayer_58fc97331c9b74ea.exe
  • AdobeFlashPlayer_6e166b785dfcb0db.exe
  • HydraCrypt
  • myfile.exe
  • Backup Instruction.exe
  • 353E.tmp
  • Microsoft Decode Ransomware
  • radEF352.tmp.exe
  • MS SecurityFiles.
  • Spy Security SoftWare_5dfcb0db_9dd17731.exe
  • Security SoftWare Shield
  • Microsoft Decryptor Ransomware.exe
  • build_2017-07-26_18-48.exe
  • BC1CFBB99D.exe
  • dumpedzero
  • Labs.exe
  • BC1C9B74EA.exe
  • RacePostings
  • MS SecurityFiles.exe
  • a.exe
  • pluginoffice.exe
  • mole.exe


About This Analysis

This CryptoMix ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like CryptoMix.

Last updated: July 30, 2025
