Exte Ransomware
Posted: July 15, 2017
Threat Meter
The fields shown on the Threat Meter are explained below:
Threat Level: The threat level scale goes from 1 to 10, where 10 is the highest severity and 1 the lowest. Each level is relative to the threat's consistently assessed behaviors, as collected by SpyHunter's risk assessment model.
Detection Count: The total number of confirmed and suspected cases of a particular malware threat, calculated from the infected PCs reported in SpyHunter's diagnostic and scan logs.
Volume Count: Like the detection count, but based on the number of confirmed and suspected infections seen per day. A high volume count usually indicates a currently popular threat, although it does not necessarily mean a large number of systems are infected; a threat with a high detection count can lie dormant and have a low volume count. The Volume Count criteria are relative to a daily detection count.
Trend Path: The Trend Path, shown as an up arrow, a down arrow or an equal sign, represents the recent movement of a particular threat. An up arrow represents an increase, a down arrow a decline, and the equal sign no change in the threat's recent movement.
% Impact (Last 7 Days): The change in how often a malware threat infected PCs over the last 7-day period. The percentage impact corresponds directly to the current Trend Path, indicating a rise or decline by percentage.
| Threat Level | 10/10 |
|---|---|
| Infected PCs | 5 |
| First Seen | July 15, 2017 |
| OS(es) Affected | Windows |
The Exte Ransomware is an update of the 'Azer' branch of the Cryptmix Ransomware. It encrypts your files with AES and protects the AES key with a second layer of RSA encryption, so the file key cannot be recovered from the encrypted file alone. Attacks of this type can block content permanently unless you are able to restore it from an uninfected backup or find an appropriate decryption program. Because of the high level of file damage possible with this threat, malware experts recommend blocking the Exte Ransomware preemptively with anti-malware tools, or removing it as soon as possible with the same.
Listening to the Latest Trojan Mix
Whether because other parties are hiring its services or because the original authors are interested in long-term update cycles, the Cryptomix (or CryptMix) Ransomware family isn't done growing. The latest major revision to this family that malware analysts have verified is the Exte Ransomware, which, judging by its encryption method, is a new variant of the Azer line. Most of the Exte Ransomware's changes are cosmetic, and the Trojan shows no sign of being any less efficient than usual at blocking file data for money.
In a routine that avoids symptoms that could alert the user, the Exte Ransomware uses an AES cipher to block many formats of data on the infected PC. A file encrypted with AES alone might be recoverable if its key could be found, so the Trojan wraps each AES key with one of a short list of ten embedded RSA keys; without the matching RSA private key, which only the threat actors hold, the AES key, and with it the file, stays out of reach. This behavior is similar to the Azer-based variants of the Cryptmix Ransomware and sharply different from that of the MOLE Ransomware.
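To make the AES-then-RSA layering concrete, the following Go program is an added model of the scheme described above; it is not the Trojan's code and not a decryptor. Each file gets a fresh AES key, the key is wrapped with one of the embedded RSA public keys, and the index of that key is written into the output so that only the matching private key can unwrap it. The container layout, the choice of AES-GCM and RSA-OAEP, and the `NewDemoKeys`, `Lock` and `Unlock` names are assumptions made for the example; the real sample's file format is not documented on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EmbeddedKeyCount mirrors the "short list of ten RSA keys" described above.
const EmbeddedKeyCount = 10

type PrivateKeyRing map[int]*rsa.PrivateKey // attacker-side: key index -> private key
type Locker struct{ pubs []*rsa.PublicKey } // sample-side: only public keys ship

// NewDemoKeys generates n key pairs and splits them into the public list the
// Locker embeds and the private ring only the attacker keeps (assumed helper).
func NewDemoKeys(n int) (*Locker, PrivateKeyRing) {
	l, ring := &Locker{}, PrivateKeyRing{}
	for i := 0; i < n; i++ {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			panic(err)
		}
		l.pubs = append(l.pubs, &k.PublicKey)
		ring[i] = k
	}
	return l, ring
}

func mustRand(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Lock encrypts one file's contents. Assumed container layout:
// [key index:1][RSA-OAEP wrapped AES key, modulus-sized][nonce:12][AES-GCM ciphertext+tag]
func (l *Locker) Lock(plaintext []byte) ([]byte, error) {
	idx := int(mustRand(1)[0]) % len(l.pubs) // which embedded public key this file uses
	fileKey := mustRand(32)                  // fresh 256-bit AES key per file
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, l.pubs[idx], fileKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := mustRand(gcm.NonceSize())
	out := append(append([]byte{byte(idx)}, wrapped...), nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// Unlock is the decryptor the attacker sells. It succeeds only if the ring
// holds the private key whose index is in the header: the AES key never
// appears in the clear, so the AES layer alone cannot be opened.
func Unlock(container []byte, ring PrivateKeyRing) ([]byte, error) {
	if len(container) < 1 {
		return nil, fmt.Errorf("empty container")
	}
	priv, ok := ring[int(container[0])]
	if !ok {
		return nil, fmt.Errorf("no private key for embedded key #%d: AES key cannot be recovered", container[0])
	}
	wl := priv.Size() // RSA-OAEP output is exactly the modulus size
	if len(container) < 1+wl+12 {
		return nil, fmt.Errorf("container truncated")
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, container[1:1+wl], nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	rest := container[1+wl:]
	return gcm.Open(nil, rest[:12], rest[12:], nil)
}

func main() {
	l, ring := NewDemoKeys(EmbeddedKeyCount)
	c, err := l.Lock([]byte("constructed sample document"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("locked with embedded key #%d, %d bytes\n", c[0], len(c))
	_, err = Unlock(c, PrivateKeyRing{})
	fmt.Println("victim without private keys:", err)
	pt, err := Unlock(c, ring)
	fmt.Printf("attacker with key ring: %q, err=%v\n", pt, err)
}
```

The point the model makes is that the ten RSA keys are the only thing worth attacking: a victim who recovers one file's AES key (for example from memory) gets that one file back, while a leak of the private ring, as has happened with other families, unlocks every file whose header names a leaked key. Because the index is random per file, a victim needs all of the private keys, not just one, to recover a whole system.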
Differences in the Exte Ransomware's payload include:
- The Exte Ransomware adds a new '.EXTE' extension onto the filenames of every file it locks.
- The Exte Ransomware uses a different ransom note, both in name and in content. The threat actors retain the core instructions of similar campaigns, however, such as generating an ID for each attack and using dedicated e-mail addresses as the negotiating channel for selling their file-unlocking decryptor.
Keeping the Cryptmix Ransomware's Youngster Off the Charts
Although locked files are flagged with the '.EXTE' extension, the rest of the filename is also encrypted, which makes identifying individual files difficult for the victim. While some members of the Exte Ransomware's family are open to decryption by third parties, this is not true of all variants. Because there is always a possibility that the encryption is unbreakable, malware analysts advise that you make regular backups of your content to drives that the infected machine cannot write to.
The Exte Ransomware was first seen in the middle of July, and its infection vectors remain under examination. A PC can be compromised through multiple means, although threat actors using Trojans like the Exte Ransomware often prefer spam e-mails or browser-based exploits for installation. Most anti-malware products should block and delete the Exte Ransomware at the installation stage; they may also quarantine or remove it after an attack, although that does not restore the files it has already encrypted.
While some aspects of the Exte Ransomware's ransoming infrastructure are being updated, the Trojan's underlying code appears to be reliably profitable, for now. PC owners should do their best to limit those profits by backing up media of value and using safe Web-browsing habits at all times.
Technical Details
File System Modifications
The following files were created on the system:

file.exe
File name: file.exe
Size: 236.03 KB (236032 bytes)
MD5: 7d41a26f0d410d4303747c447ab76c3b
Detection count: 98
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: July 15, 2017

file.exe
File name: file.exe
Size: 219.64 KB (219648 bytes)
MD5: 1059676fbb9d811e88af96716cc1ffb5
Detection count: 96
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: July 15, 2017

%SystemDrive%\Users\<username>\AppData\Roaming\BC68316E6F.exe
File name: BC68316E6F.exe
Size: 223.74 KB (223744 bytes)
MD5: 025274c91248e3a278d2b37173e2bd76
Detection count: 32
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming
Group: Malware file
Last Updated: July 15, 2017

%SystemDrive%\Users\<username>\AppData\Roaming\BC1614C4DB.exe
File name: BC1614C4DB.exe
Size: 273.4 KB (273408 bytes)
MD5: a105b70a635f3aee7f6d020764c1ba92
Detection count: 21
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming
Group: Malware file
Last Updated: July 15, 2017
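The hashes and drop paths above, together with the '.EXTE' extension described in the payload section, are enough for a first-pass triage of a suspect host. The Go program below is an added example, not SpyHunter's or the page author's tooling, that walks a directory tree and flags three things: files whose MD5 matches one of the four samples listed above, executables in a Roaming directory whose name is ten upper-case hex digits (an assumption generalised from the two dropper paths listed, so it is a heuristic, not a confirmed indicator), and files that already carry the '.EXTE' extension, which means the payload has run. The `Scan`, `Summarize` and `ExteIOCs` names are the example's own.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Finding is one flagged file. Kind is "hash", "dropper-name" or "encrypted".
type Finding struct {
	Path, Kind, Detail string
}

// IOCSet drives Scan. ExteIOCs is filled from the Technical Details above;
// DropName is an assumed heuristic for the random-looking dropper names.
type IOCSet struct {
	MD5s      map[string]bool
	DropName  *regexp.Regexp
	LockedExt string
}

var ExteIOCs = IOCSet{
	MD5s: map[string]bool{
		"7d41a26f0d410d4303747c447ab76c3b": true, // file.exe, 236032 bytes
		"1059676fbb9d811e88af96716cc1ffb5": true, // file.exe, 219648 bytes
		"025274c91248e3a278d2b37173e2bd76": true, // BC68316E6F.exe
		"a105b70a635f3aee7f6d020764c1ba92": true, // BC1614C4DB.exe
	},
	DropName:  regexp.MustCompile(`^[0-9A-F]{10}\.exe$`),
	LockedExt: ".EXTE",
}

// MD5Hex returns the lower-case hex MD5 of a file, the form used on this page.
func MD5Hex(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := md5.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// Scan walks root and reports every file matching the IOC set. Unreadable
// entries are skipped so one permission error does not abort the sweep.
func Scan(root string, iocs IOCSet) ([]Finding, error) {
	var out []Finding
	err := filepath.Walk(root, func(p string, info os.FileInfo, walkErr error) error {
		if walkErr != nil || info.IsDir() {
			return nil
		}
		name := info.Name()
		if strings.EqualFold(filepath.Ext(name), iocs.LockedExt) {
			// Already-encrypted content: the stem is not the original name and the
			// bytes are ciphertext, so hashing it against sample MD5s is pointless.
			out = append(out, Finding{p, "encrypted", "carries the " + iocs.LockedExt + " extension"})
			return nil
		}
		if iocs.DropName.MatchString(name) && strings.EqualFold(filepath.Base(filepath.Dir(p)), "Roaming") {
			out = append(out, Finding{p, "dropper-name", "hex-named .exe directly under a Roaming directory"})
		}
		if sum, err := MD5Hex(p); err == nil && iocs.MD5s[sum] {
			out = append(out, Finding{p, "hash", "MD5 " + sum + " is a known Exte sample"})
		}
		return nil
	})
	return out, err
}

// Summarize counts findings by kind; a non-zero "encrypted" count means the
// payload has already run and the host is a recovery case, not just a cleanup.
func Summarize(findings []Finding) map[string]int {
	counts := map[string]int{}
	for _, f := range findings {
		counts[f.Kind]++
	}
	return counts
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1] // e.g. C:\Users to cover every profile's AppData\Roaming
	}
	findings, err := Scan(root, ExteIOCs)
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan:", err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("%-13s %s (%s)\n", f.Kind, f.Path, f.Detail)
	}
	fmt.Println("summary:", Summarize(findings))
}
```

A hash hit is definitive for the four samples listed; the name heuristic needs confirmation (check the file's size against the table, its signature, and its creation time) because other software also drops oddly named executables into Roaming. Hashing every file on a volume is slow, so in practice you would point the scanner at the user profile directories first and treat any '.EXTE' hit as the signal to isolate the host before doing anything else.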