CryptoMix: Avast adds a new free decryption tool to its collection

Jakub Křoustek 21 Feb 2017

Avast now provides a decryption tool for ransomware CryptoMix (offline only)

In cooperation with researchers from CERT.PL, we are happy to announce the release of another decryptor tool, for the ransomware,CryptoMix. CryptoMix has multiple aliases, including CryptFile2, Zeta, or the most recent alias CryptoShield.

Please note: a successful decryption is not always possible. See a description of the limitations below.

CryptoMix is a ransomware strain that was first spotted in March 2016. In early 2017, its author(s) renamed CryptoMix to CryptoShield. The spread of this ransomware could be described as a medium level of prevalence and has been steady since its discovery. It uses exploit kits (RIG at the moment) as its main delivery method.

Once CryptoMix infects a machine, it tries to communicate with its Command and Control (C&C)  server to establish a key to encrypt  files (the AES-256 algorithm is used). However, if the server is not available or if there is a connection issue (e.g. blocked communication by a firewall), the ransomware will encrypt files with one of its fixed keys, or “offline key”.

Our decryption tool for CryptoMix can decrypt files that were encrypted using the “offline key”. In cases where the offline key was not used to encrypt files, our tool will be unable to restore the files and will not modify any files.

You can distinguish CryptoMix by its new file extensions added to the original file names: .CRYPTOSHIELD, .scl, .rscl, .lesli, .rdmk, .code, or .rmd. Furthermore, the ransom notes are located in files with the names HELP_DECRYPT_YOUR_FILES.HTML, # RESTORING FILES #.TXT, etc.



CryptoMix is a nasty ransomware strain that has been spreading for a while. Its code quality is pretty low compared to its competitors and it even contains flaws that may cause your files to become undecryptable. You can easily find online complaints left by victims that paid the ridiculous amounts of extortion (5-10 bitcoins ~ $5,000-$10,000) and that were left without decrypted files. This might be the reason why its authors are changing the name so often - would you even consider paying someone with such a negative reputation?

As always we advise you to not pay the ransom! There’s always a chance that your files can be decrypted, for free, in future. The decryption tool released by us today, might be hope for at least some affected by CryptoMix.

How to protect yourself from ransomware

  • Make sure you have antivirus, like Avast, installed on all of your devices. Antivirus will act like a safety net and block ransomware before it can cause any damage, in case you accidentally try to download it.
  • Be smart and alert. Ransomware distributors often use social engineering tactics to trick people into downloading the ransomware. Be careful which links and attachments you open and what you download on the web. Make sure you verify the source of emails including links and attachments and only download software and visit trusted sites.
  • Backup your data properly on a regular basis. Be sure to not keep your backups connected to your devices all the time, otherwise, your backups could be held ransom as well.

If you do become infected with ransomware, make sure to check out our free ransomware decryptor tools to see if we can help you get your files back!


We would like to thank the researchers from CERT.PL for their detailed analysis of CryptoMix and for the set of offline keys they provided us, to supplement our list. Furthermore, a special thanks also goes to my colleague Ladislav Zezula for preparing this decryptor.




















--> -->