
Mystic Ransomware

Posted: September 15, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 57
First Seen: September 15, 2017
OS(es) Affected: Windows

The Mystic Ransomware is a file-locking Trojan that blocks content, such as pictures, by encrypting them. While threat actors use these attacks for promoting their premium decryption services, malware experts often find such solutions unreliable and recommend using any free recovery options that are available. Anti-malware applications may block this threat's infection vectors, such as email spamming campaigns, as well as delete the Mystic Ransomware after it compromises your PC.

A Not Too Mystical Attempt to Take over Your File System

The Crypt888 Ransomware family, seen active throughout spring and summer of 2017, is not nearly as active as more widely-abused Trojan resources like Hidden Tear or the Globe Ransomware. However, it does see periodic new members, such as the Zuahahhah Ransomware, the GrodexCrypt Ransomware, and the latest variant, the Mystic Ransomware. While some details of its payload imply that the author has yet to finish developing it, the Mystic Ransomware can leverage full data-encrypting attacks, along with a more limited, backdoor connection.

The Mystic Ransomware's author is configuring the Trojan to target any files on the user's desktop, although future modifications could attack other locations, such as the Downloads or Documents folders. The Mystic Ransomware encrypts media by format, such as PNG and JPG files, to block other programs from opening it. Unlike most file-locking Trojans, the Mystic Ransomware's encryption attack has no associated renaming or name-editing feature that malware experts can find, meaning that the victim may have difficulty identifying all of the files that the Trojan has locked.

However, the Mystic Ransomware does provide a list of all blocked media in its Notepad-formatted ransom message, which it generates on the desktop. The note offers five days to pay just over one Bitcoin (280 USD) to purchase a supposedly automated decryption process for unlocking your files.
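Because the Mystic Ransomware leaves file names and extensions untouched, locked files can be hard to tell apart from intact ones by name alone. The following triage helper is an added example (not code from the original article or from any decryption tool); it flags image files whose extension claims PNG or JPG but whose leading bytes no longer match that format's signature, which is what encrypted content looks like. The directory layout and sample files it builds are constructed for the demonstration.

```python
# Added example (not from the original article): locate image files whose
# header no longer matches their extension, a sign that a file-locker that
# does not rename files, such as the Mystic Ransomware, has encrypted them.
import tempfile
from pathlib import Path

# Expected leading bytes per extension (published format signatures, not
# ransomware indicators).
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}


def header_matches(path, magics):
    """Return True if the file starts with one of the expected signatures."""
    with open(path, "rb") as fh:
        head = fh.read(max(len(m) for m in magics))
    return any(head.startswith(m) for m in magics)


def find_suspect_files(directory):
    """Return sorted names of files whose extension claims an image format
    but whose header does not match it (candidates for encrypted content)."""
    suspects = []
    for entry in Path(directory).iterdir():
        if not entry.is_file():
            continue
        magics = MAGIC.get(entry.suffix.lower())
        if magics is None:
            continue  # not a format this helper knows about
        if not header_matches(entry, magics):
            suspects.append(entry.name)
    return sorted(suspects)


def build_demo_dir():
    """Construct a sample 'Desktop': two intact images, one 'locked' PNG whose
    bytes were replaced by opaque data (constructed, deterministic), and a
    text file that the scan should ignore."""
    base = Path(tempfile.mkdtemp()) / "Desktop"
    base.mkdir(parents=True)
    (base / "ok.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    (base / "ok.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    (base / "locked.png").write_bytes(bytes(range(0x10, 0x28)))
    (base / "notes.txt").write_bytes(b"not an image, ignored")
    return base


if __name__ == "__main__":
    print(find_suspect_files(build_demo_dir()))  # -> ['locked.png']
```

On a real system, point `find_suspect_files` at the user's Desktop folder; a mismatch only indicates that the content is not a valid image, so confirm candidates by hand before assuming encryption.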

The Mystic Ransomware also initiates a RASMAN-based remote connection, which it currently uses to communicate with an advertising tracking server. Future iterations could modify this feature to let the threat actor gain control over the PC, although malware experts note that many similar threats only use such functions for uploading ransom transaction information along with the decryption code.

Dispelling a Simple Encryption Attack's Air of Mysticism

Free decryption software is available for the Crypt888 Ransomware family. Rather than paying the threat actor's ransom fee, victims may test copies of their blocked media against this software or contact experienced cyber security researchers for any additional assistance. Backing up important work and media regularly also gives PC users recovery options that don't depend on a decryption key, which isn't available for every file-locking Trojan whose attacks resemble those of the Mystic Ransomware.

The Mystic Ransomware is a Windows program whose distribution method is estimated to be spam emails. These spammed messages may disguise themselves as workplace notifications or as communications from businesses such as a package delivery service. While most anti-malware products should block and remove the Mystic Ransomware by default, malware experts do note that the Trojan often is incorrectly flagged as a backdoor Trojan, due to its network connectivity feature.

Although the Mystic Ransomware is a half-developed Trojan, its embryonic payload is already fully encryption-capable. Any media worth paying ransoms to save are also worth expending a little time to back up to somewhere safe, such as a cloud service.
