DetoxCrypto ransomware-as-a-service rears its ugly head

Different variants. Different themes. Different emails. But similar code. Hmm…

Pokemon ransom

DetoxCrypto ransomware is raising suspicions that a new ransomware-as-a-service (RaaS) affiliate program might be in the works.

First detected by MalwareHunterTeam, the ransomware comes with a single executable that loads other executables and files. Those include Microsoft.exe, which performs the encryption process; a wallpaper background; an audio file; and another executable whose name varies based upon the variant.

Computer security expert Lawrence Abrams of Bleeping Computer explains, for instance, that the Calipso variant of DetoxCrypto comes with Calipso.exe. The executable locks the screen, plays the audio file, and displays a ransom message that asks the victim to email the attackers at motox2016@mail2tor.com for payment instructions.

That's not all this variant can do, either. As Abrams observes:

"When this ransomware is executed, it will also take a screenshot of the active screen and upload it to the developer.

"It is possible that based on what is contained in the screenshot, the ransomware developer may try to increase the price of the ransom if the image contains blackmail worthy content."

In the meantime, a second variant of DetoxCrypto takes a page from another recent ransomware discovery and adopts a Pokémon theme.

Its executable Pokemongo.exe is responsible for locking the screen, playing the audio file, and displaying the ransom message, which directs victims to contact contact365@mail2tor.com for the attackers' Bitcoin wallet.

These two variants of DetoxCrypto have Abrams thinking a new RaaS program might be in the works:

"This ransomware appears to be either part of an affiliate system or being sold on darkweb sites as we are seeing different variants, with different themes, email addresses, and features."

Admittedly, it's still hard to tell just what's going on. MalwareHunterTeam told Softpedia the ransomware is still under development and has not launched a large distribution campaign yet. But it could very well do so soon, a move which might offer insight into its true intentions.

Users can protect themselves against both variants of DetoxCrypto by exercising caution around suspicious links and email attachments, keeping their systems up-to-date, maintaining secure backups, and installing an anti-virus solution onto their computers.

Tags: , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, ,

No comments yet.

Leave a Reply