CryptFile2 Ransomware Obfuscates Infected Files’ Extension to Avoid Decryption

It appears a lot of existing ransomware strains are undergoing some much-needed upgrades as of late. The developers of CryptoMix variant CryptFile2 have introduced some noteworthy changes. All encrypted files will now receive a new file extension, which causes more problems for malware victims. After all, they can no longer easily identify which type of ransomware infected their system in the first place.

CryptFile2 Ransomware Strain makes Life More Difficult

As if victims of malware attacks do not have enough to worry about already, the people responsible for creating CryptFile2 decided to up the ante a bit. Most types of ransomware infections can be easily identified by looking at the encrypted file’s extension. However, the updated CryptoMix variant now removes the proprietary file extension and renames files to the “.wallet” extension. A rather surprising turn of events that will have major consequences.

As a result of this change, malware victims can no longer identify the type of ransomware harming their system. In a way, this should improve the chance of getting paid where criminals are concerned. However, it remains to be seen if the .wallet extension will trick more people into paying the ransom demand due to this change. Consumers are well aware of how paying the ransom is never the right answer.

However, one thing that may cause a problem is how multiple types of malware now use the .wallet extension. CryptFile2 is just one of the many variants to do so, as Dharma, Sanctions, and a few other types of malware use this extension as well. Moreover, one cannot go by the email address listed to communicate with the criminals either, as they show no hint of which malware type is involved.

Decrypting files with the .wallet extension is impossible at this stage, unfortunately. It does not matter which ransomware is responsible for the infection, as security engineers have not been able to create a free decryptor for any of the malware types using this extension right now. It is possible a free tool will be made available in the future, though, but for now, restoring data from a backup is the most viable course of action.

As one would come to expect these days, CryptFile2 spreads itself through many different ways. Unfortunately, there is no clear pattern to be detected, which makes it rather difficult for researchers to warn the public about this new threat. Spam emails, malicious Torrent downloads, and malicious links spread via social media are the most likely distribution methods at this stage, though.

What sets CryptFile2 apart from other types of ransomware is how it does not only encrypt specific file extensions. Instead, the malware goes after any file as long as they are not found within specifically whitelisted folders. The criminals will offer free decryption of up to five files to prove they actually control the decryption key for each individual victim. There is no fixed Bitcoin fee associated with decrypting files either, as it will all depend on when the victim contacts the developers.

If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.