DetoxCrypto Ransomware Sends Screenshots to Operators

A new ransomware family was recently observed being distributed under two different variants, including one that takes screenshots of a victims’ computer and sends them to the operator’s servers.

Dubbed DetoxCrypto, the new malware appears to be part of an affiliate scheme or to be sold on the Dark Web, given that several variants have already emerged, each with its own theme, contact email address and feature set. One observed variant behaves like generic ransomware apart from its screenshot-upload feature, while the other poses as a PokemonGo app.

All of the observed variants use AES encryption and can stop MySQL and MSSQL services on the infected machine, Bleeping Computer reports. They display a ransom note as a lock screen and play an audio file while the lock screen is showing. The lock screen instructs victims to contact the operators at an email address it displays in order to regain access to their files.

Researchers have not yet said how the ransomware is being distributed, but they report that all variants share a single distributed executable, which carries the other executables and components embedded inside it. When launched, this main executable extracts a MicrosoftHost.exe file, an audio file, a wallpaper background, and a second executable whose name differs per variant.

MicrosoftHost.exe performs the encryption and stops the database server processes on the victim's computer. The malware does not append an extension to encrypted files, so they cannot be recognized by name; it does, however, change the Windows desktop background to the image embedded in the main executable.

The second dropped executable displays the lock screen, plays the audio file, and decrypts the files if the correct password is entered. This is the component that changes between variants; researchers have observed two instances of it so far, named Calipso.exe and Pokemon.exe.

The Calipso variant extracts numerous files into the C:\Users\[account_name]\Calipso folder, then encrypts the victim's files. Once encryption has completed, the malware displays a lock screen instructing the victim to contact the operator at the motox2016(at) email address for payment instructions.

A feature unique to the Calipso variant is that it takes a screenshot of the active screen and uploads it to the operator when it is executed. Researchers believe the operators could raise the ransom demand if the screenshot captures blackmail-worthy content.

The Pokemon-themed variant, distributed as a file named Pokemongo.exe, extracts the files it needs into the C:\Users\[account_name]\Downloads\Pokemon folder. It then encrypts the victim's files and displays a lock screen titled "We are all Pokemons."
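Turning the reported artifacts into a hunt, as an added example that is not code from the article or from the researchers who analyzed the samples: the script below scans a batch of endpoint events for the dropped executables, the per-variant staging folders, and the stopping of MySQL/MSSQL services described above. The event schema (loosely modelled on Sysmon process/file events and Service Control Manager state changes) and the sample events are constructed for this illustration, and the service names, account name and paths in them are assumptions. Because the malware appends no extension to encrypted files, the example also flags any process that modifies an unusually large number of files, which is the only file-level signal the article leaves us.

```python
"""Hunt for the DetoxCrypto artifacts reported above in a list of endpoint events.

Added illustration, not code from the original article.  Indicator strings
(executable names, staging folders, database services) come from the article;
the event format and the sample events below are constructed.
"""
import re
from collections import Counter

# Executables the article names: the shared encryptor plus the per-variant
# lock-screen component and the Pokemon dropper file name.
DROPPED_EXECUTABLES = {"microsofthost.exe", "calipso.exe", "pokemon.exe", "pokemongo.exe"}

# Staging folders from the article, matched regardless of drive and account name.
STAGING_DIRS = (
    re.compile(r"\\users\\[^\\]+\\calipso\\", re.I),
    re.compile(r"\\users\\[^\\]+\\downloads\\pokemon\\", re.I),
)

# The article says the encryptor stops MySQL and MSSQL services but not how, so
# we watch for the resulting service-stop events.  Real service names vary by
# install (MySQL57, MSSQLSERVER, MSSQL$INSTANCE), hence the prefix match.
DATABASE_SERVICES = re.compile(r"^(mysql|mssql)", re.I)


def basename(path):
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_staging_dir(path):
    return any(p.search(path) for p in STAGING_DIRS)


def match_event(ev):
    """Return the indicator tags a single event trips (empty list if clean)."""
    hits = []
    kind = ev.get("type")
    if kind == "process_create":
        image = ev.get("image", "")
        if basename(image) in DROPPED_EXECUTABLES:
            hits.append("dropped-executable:" + basename(image))
        if in_staging_dir(image):
            hits.append("staging-dir-execution")
    elif kind == "file_create":
        target = ev.get("target", "")
        if basename(target) in DROPPED_EXECUTABLES or in_staging_dir(target):
            hits.append("dropped-file")
    elif kind == "service_state" and ev.get("state") == "stopped":
        if DATABASE_SERVICES.match(ev.get("service", "")):
            hits.append("database-service-stopped:" + ev["service"])
    return hits


def suspected_encryptors(events, threshold=20):
    """Processes that modified at least `threshold` files in this batch.

    No extension is appended to encrypted files, so volume of modifications
    is the remaining file-level signal.  The threshold is an assumed value.
    """
    counts = Counter(ev["image"] for ev in events if ev.get("type") == "file_modify")
    return sorted(img for img, n in counts.items() if n >= threshold)


def hunt(events, threshold=20):
    """Run both checks over a batch and return the findings."""
    hits = []
    for i, ev in enumerate(events):
        tags = match_event(ev)
        if tags:
            hits.append((i, tags))
    return {"indicator_hits": hits,
            "suspected_encryptors": suspected_encryptors(events, threshold)}


# Constructed sample batch: the Pokemon variant's chain, two benign events,
# and a burst of document modifications by the encryptor.
ENCRYPTOR = r"C:\Users\alice\Downloads\Pokemon\MicrosoftHost.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Users\alice\Downloads\Pokemongo.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "file_create", "image": r"C:\Users\alice\Downloads\Pokemongo.exe",
     "target": ENCRYPTOR},
    {"type": "file_create", "image": r"C:\Users\alice\Downloads\Pokemongo.exe",
     "target": r"C:\Users\alice\Downloads\Pokemon\Pokemon.exe"},
    {"type": "process_create", "image": ENCRYPTOR,
     "parent": r"C:\Users\alice\Downloads\Pokemongo.exe"},
    {"type": "service_state", "service": "MySQL57", "state": "stopped"},
    {"type": "service_state", "service": "MSSQLSERVER", "state": "stopped"},
    {"type": "process_create", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "service_state", "service": "Spooler", "state": "stopped"},
] + [
    {"type": "file_modify", "image": ENCRYPTOR,
     "target": rf"C:\Users\alice\Documents\report{i}.docx"}
    for i in range(25)
]

if __name__ == "__main__":
    result = hunt(SAMPLE_EVENTS)
    for idx, tags in result["indicator_hits"]:
        print(f"event {idx}: {', '.join(tags)}")
    print("suspected encryptors:", result["suspected_encryptors"])
```

The staging-folder and executable-name checks are cheap but brittle, since an affiliate can rename both; the service-stop check and the modification-burst heuristic survive renaming and are the ones worth keeping in a detection rule, tuned against the normal file-write rate of backup and indexing tools on the host.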

Related: Lifetime License for Stampado Ransomware: $39

Related: Satana Ransomware Encrypts MBR and User Files
