A new ransomware family was recently observed being distributed as two different variants, one of which takes screenshots of the victim’s computer and sends them to the operator’s servers.
Dubbed DetoxCrypto, the new malware appears to be part of an affiliate system or to be sold through the Dark Web, given that different variants have already emerged, each with its own theme, contact email address and feature set. One of the observed variants behaves like generic ransomware (apart from the screenshot-uploading feature), while the other poses as a PokemonGo app.
All of the observed variants use AES encryption and can stop MySQL and MSSQL services on the infected machine, Bleeping Computer reports. They also display a ransom note/lock screen and play an audio file while the lock screen is shown. The ransomware instructs victims to contact the operators via an email address included in the lock screen to regain access to their files.
Researchers have not yet revealed how the ransomware is being distributed, but they say that a single executable is used by all variants. This file contains other executables and components embedded within it. When launched, the main executable extracts a MicrosoftHost.exe file, an audio file, a wallpaper background, and an executable whose name differs per variant.
MicrosoftHost.exe is used for encryption purposes and for stopping the processes of database servers on the victim’s computer. The malware does not append an extension to the encrypted files, but it will change the Windows desktop background to the image embedded in the main executable.
The second executable dropped by the malware can display a lock screen, play an audio file, and can decrypt the compromised files if the correct password is provided. This is the file that is dynamically changed between the ransomware’s variants, and researchers have observed two instances of it so far, namely Calipso.exe and Pokemon.exe.
The Calipso variant extracts numerous files into the C:\Users\[account_name]\Calipso folder, after which it proceeds to encrypt the victim’s files. Once the encryption process has completed, the malware displays a lock screen instructing the victim to contact the operator via the motox2016(at)mail2tor.com email address to receive payment instructions.
A feature unique to this variant is that it takes a screenshot of the active screen and uploads it to the developer when it is executed. Researchers believe that the ransomware’s operators could attempt to raise the ransom price if the screenshot contains blackmail-worthy content.
The Pokemon-themed variant, which is distributed as a file named Pokemongo.exe, extracts the files it needs to run into the C:\Users\[account_name]\Downloads\Pokemon folder. The malware then encrypts the victim’s files and displays a lock screen titled “We are all Pokemons.”
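The behaviours described above (a dropped MicrosoftHost.exe, database services being stopped, files written under the per-variant Calipso or Downloads\Pokemon folder) can be turned into a simple host-telemetry triage check. The following is an added example written for this article, not code from the researchers or from the malware; the event format, field names and sample events are constructed assumptions modelled loosely on Sysmon-style records.

```python
"""Triage check for the DetoxCrypto behaviours described in the article.

Added example; assumes a simplified, constructed event format (dicts with
Sysmon-like fields). Field names and sample events are assumptions."""
import re

# Indicators named in the article: dropped executables, staging folders, DB services.
DROPPED_EXES = {"microsofthost.exe", "calipso.exe", "pokemon.exe", "pokemongo.exe"}
FOLDER_RE = re.compile(r"\\users\\[^\\]+\\(calipso|downloads\\pokemon)\\", re.I)
DB_SERVICE_PREFIXES = ("mysql", "mssql")


def indicator_for(event):
    """Return the indicator name an event matches, or None.

    A process name alone is a weak signal (it can be spoofed or benign), so
    triage() requires several distinct indicators before flagging a host."""
    kind = event.get("type")
    if kind == "process_create":
        name = event.get("image", "").rsplit("\\", 1)[-1].lower()
        if name in DROPPED_EXES:
            return f"dropped_executable:{name}"
    elif kind == "file_create":
        if FOLDER_RE.search(event.get("path", "")):
            return "staging_folder_write"
    elif kind == "service_stop":
        if event.get("service", "").lower().startswith(DB_SERVICE_PREFIXES):
            return f"db_service_stopped:{event['service']}"
    return None


def triage(events):
    """Collect distinct indicators; two or more different ones suggest the chain."""
    hits = sorted({i for i in (indicator_for(e) for e in events) if i})
    return {"indicators": hits, "suspicious": len(hits) >= 2}


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Users\alice\AppData\Local\Temp\MicrosoftHost.exe"},
    {"type": "service_stop", "service": "MSSQLSERVER"},
    {"type": "file_create", "path": r"C:\Users\alice\Calipso\lock.wav"},
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```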