CryptoMix Ransomware Exploits Crowdfunding Sites for Child Cancer Treatment

CryptoMix Ransomware, Fictitious Charity & Crowdfunding Sites

An obscure type of Ransomware has recently resurfaced and is using a vile tactic to coerce victims to pay.  In ransom notes and correspondence with victims, CryptoMix hackers are claiming that ransom payments will be donated to a fictitious children’s charity. The ransom notes go so far as to include the names, diagnoses, and even pictures of young children that the ransom payments will supposedly support.  The information appears to be lifted from crowdfunding websites and local news stories that raised genuine awareness and funds for a specific child’s treatment.

What is CryptoMix Ransomware?

CryptoMix is not a widely distributed type of Ransomware like GandCrab or Dharma.  Avast released a free decryption tool for versions of CryptoMix where the encryption occurred while the victim’s machine was offline.  Additionally, security firm CERT.pl found cryptographic flaws in the ransomware that enabled them to build decryption tools when supplied with encrypted and unencrypted sample files. CryptoMix hackers had suggested ransom proceeds would benefit charity before, but the extent to which they are now exploiting the stories of real children is unprecedented, and particularly vile.

CryptoMix Ransom Notes Exploit Real Child Health Stories

In recent cases, Coveware observed ransom notes and communications that referenced a fictitious charity but real children.  The ransom communications begin with a .txt file that provides email addresses that the victim may use to contact the ransomware distributor.

Cryptomix Ransom Note (email addresses & ID have been redacted)

In the email exchange below, the hacker claims to work for a fictitious charity, and then further names the child, diagnosis and funding amount being raised. Disturbingly, the email contained an image of what appears to be a 3-year-old girl lifted off a crowdfunding site. We have redacted these images from this post.

Using the details provided in these correspondences, we identified legitimate crowdfunding pages for the children whose images matched those in the ransom notes. We also notified the families of the children whose images could be positively identified.  Despite the upsetting nature of the news, we felt that the families had a right to know.

Cryptomix correspondence cites a fictitious charity, but a real child’s cancer case

Ransom Payment Information Displayed on OneTimeSecret Pages

The extortion correspondence continues after the hacker directs the victim to view payment information with instructions on a OneTimeSecret page. The page includes bitcoin wallet payment instructions and more detail on the fictitious charity.

CryptoMix message on Onetime Secret

We are guessing this tactic is meant to assuage the moral hazard associated with paying a ransom.  It goes without saying that these cyber criminals did think this through. It is poignantly obvious that the charity is fake, and that the details of the child's case are lifted from other sites.

Cryptomix Ransomware Payment Page - some details redacted

After paying the ransom, a victim is given more detail about the charity, going so far as to say that their own name will be used to recognize their donation.

If you have been attacked by CryptoMix, we encourage you to first try Avast’s decryption tool and to also reach out to CERT.pl for assistance. Contemplating paying the ransom should be the last resort. If you need assistance with Cryptomix, or other types of ransomware, please reach out to us.

Bill Siegel