From 1cb62212cae720b3c157c50d2010d0df924cd0b2 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 22 Nov 2017 13:46:50 +0100
Subject: [PATCH] cryptomix - update
---
 clusters/ransomware.json | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index ac17a71..6028704 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -5020,7 +5020,8 @@
 ".email[supl0@post.com]id[\\[[a-z0-9]{16}\\]].lesli",
 "*filename*.email[*email*]_id[*id*].rdmk",
 ".EMPTY",
- ".0000"
+ ".0000",
+ ".XZZX"
 ],
 "ransomnotes": [
 "HELP_YOUR_FILES.html (CryptXXX)",
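Review bot: `.XZZX` is added as a bare upper-case literal to a list whose visible neighbours use other notations, namely a regex-like entry (`[a-z0-9]{16}` with escaped brackets) and a glob-like one (`*filename*.email[*email*]_id[*id*].rdmk`), so a detection rule generated from this array cannot tell how each entry is meant to be matched. It is also not stated whether the extension should be matched case-sensitively. Since the file format cannot carry a comment, the matching convention would be worth recording in the cluster's documentation. The array starts outside the hunk, so a convention may exist that is not visible here.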
@@ -5030,14 +5031,16 @@
 "_HELP_INSTRUCTION.TXT",
 "C:\\ProgramData\\[random].exe",
 "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nempty01@techmail.info\n\nempty02@yahooweb.co\n\nempty003@protonmail.com\n\nWe will help You as soon as possible!\n\nDECRYPT-ID-[id] number",
- "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\ny0000@tuta.io\n\ny0000@protonmail.com\n\ny0000z@yandex.com\n\ny0000s@yandex.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nDECRYPT-ID-[id]"
+ "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\ny0000@tuta.io\n\ny0000@protonmail.com\n\ny0000z@yandex.com\n\ny0000s@yandex.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nDECRYPT-ID-[id]",
+ "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nxzzx@tuta.io\n\nxzzx1@protonmail.com\n\nxzzx10@yandex.com\n\nxzzx101@yandex.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nDECRYPT-ID-[id] number"
 ],
 "refs": [
 "http://www.nyxbone.com/malware/CryptoMix.html",
 "https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/",
 "https://twitter.com/JakubKroustek/status/804009831518572544",
 "https://www.bleepingcomputer.com/news/security/new-empty-cryptomix-ransomware-variant-released/",
- "https://www.bleepingcomputer.com/news/security/0000-cryptomix-ransomware-variant-released/"
+ "https://www.bleepingcomputer.com/news/security/0000-cryptomix-ransomware-variant-released/",
+ "https://www.bleepingcomputer.com/news/security/xzzx-cryptomix-ransomware-variant-released/"
 ]
 }
 },
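Review bot: The new `ransomnotes` entry carries the four contact addresses (`xzzx@tuta.io`, `xzzx1@protonmail.com`, `xzzx10@yandex.com`, `xzzx101@yandex.com`) only inside a free-text note body, so a consumer that wants to hunt or block on them has to parse them out of the string. If the cluster format has no structured place for such indicators, that limitation is worth stating in the project documentation, because the file itself cannot carry a comment. The new entry also ends in `DECRYPT-ID-[id] number`, while the 0000 entry directly above it ends in `DECRYPT-ID-[id]`. One of the two may not be verbatim, which matters for exact-string matching on note text, so both are worth checking against the referenced write-ups. The enclosing object starts outside the hunk.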