
DetoxCrypto Ransomware Sends Screenshots to Operators

A new ransomware family was recently observed being distributed under two different variants, including one that takes screenshots of a victim’s computer and sends them to the operator’s servers.

Dubbed DetoxCrypto, the new malware appears to be part of an affiliate system or might be sold through the Dark Web, given that different variants have already emerged, each using a different theme and email address and having different features. One of the observed variants acts like a generic ransomware (except for the screenshot uploading feature), while the other poses as a PokemonGo app.

All of the observed malware variants use AES encryption and can stop MySQL and MSSQL services on the infected machines, Bleeping Computer reports. Moreover, these variants display a ransom note/lock screen, while also playing an audio file while the lock screen is showing. The ransomware also instructs victims to contact the operators via an email address included in the lock screen to regain access to their files.

Researchers have not yet revealed how the ransomware is being distributed, but they say that a single executable is used by all variants. This file contains other executables and components embedded within it. When launched, the main executable extracts a MicrosoftHost.exe file, an audio file, a wallpaper background, and an executable whose name differs per variant.

MicrosoftHost.exe is used for encryption purposes and for stopping the processes of database servers on the victim's computer. The malware does not append an extension to the encrypted files, but it will change the Windows desktop background to the image embedded in the main executable.

The second executable dropped by the malware can display a lock screen, play an audio file, and can decrypt the compromised files if the correct password is provided. This is the file that is dynamically changed between the ransomware’s variants, and researchers have observed two instances of it so far, namely Calipso.exe and Pokemon.exe.

The Calipso variant extracts numerous files in the C:\Users\[account_name]\Calipso folder, after which it proceeds to encrypt the victim's files. Once the encryption process has been completed, the malware displays a lock screen instructing the victim to contact the operator via the motox2016(at)mail2tor.com email address to receive payment instructions.

A unique feature of this ransomware variant is that it takes a screenshot of the active screen and uploads it to the developer when it is executed. Researchers believe that the ransomware’s operators could attempt to increase the price of the ransom if the screenshot contains blackmail-worthy content.

The Pokemon-themed variant, which is distributed as a file named Pokemongo.exe, extracts the files it needs to run in the C:\Users\[account_name]\Downloads\Pokemon folder. Next, the malware encrypts the victim's files, then displays a lock screen titled “We are all Pokemons.”
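A defender-side detection sketch, added here as an illustration and not code from the report or from the researchers: it flags process-creation events that match the dropped-binary names, drop folders and database-service stops described above. The pipe-delimited log format, the sample events and the `net stop`/`sc stop` command form are assumptions, not something the report states.

```python
import re
from typing import Dict, List, Tuple

# Behavioural indicators taken from the report above (file names and drop folders).
DROPPED_BINARIES = {"microsofthost.exe", "calipso.exe", "pokemon.exe", "pokemongo.exe"}
DROP_FOLDER_RE = re.compile(r"^c:\\users\\[^\\]+\\(calipso|downloads\\pokemon)\\", re.I)
# Stopping MySQL/MSSQL services is described in the report; the exact command
# form is an assumption. On its own this is a weak signal (admins do it too).
DB_SERVICE_STOP_RE = re.compile(r"\b(net\s+stop|sc\s+stop)\s+\"?(mysql|mssql)\w*", re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Parse a constructed 'key=value|key=value' process-creation record."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the indicators an event matches; an empty list means no match."""
    hits: List[str] = []
    image = ev.get("Image", "")
    name = image.rsplit("\\", 1)[-1].lower()
    if name in DROPPED_BINARIES:
        hits.append(f"dropped-binary:{name}")
    if DROP_FOLDER_RE.match(image):
        hits.append("drop-folder")
    if DB_SERVICE_STOP_RE.search(ev.get("CommandLine", "")):
        hits.append("db-service-stop")
    return hits


def detect(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (line, hits) for every event matching at least one indicator."""
    results = []
    for line in lines:
        hits = score_event(parse_event(line))
        if hits:
            results.append((line, hits))
    return results


# Constructed sample events: one benign, three mirroring the described behaviour.
SAMPLE_LOG = [
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe",
    "EventID=1|Image=C:\\Users\\alice\\Calipso\\Calipso.exe|CommandLine=Calipso.exe",
    "EventID=1|Image=C:\\Users\\alice\\Downloads\\Pokemon\\MicrosoftHost.exe|CommandLine=MicrosoftHost.exe",
    "EventID=1|Image=C:\\Windows\\System32\\net.exe|CommandLine=net stop MSSQLSERVER",
]

if __name__ == "__main__":
    for line, hits in detect(SAMPLE_LOG):
        print(hits, "<-", line)
```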
