
DetoxCrypto comes in 2 variants: Pokemon-themed and Calipso

 

f456528b03625195b2332ed5cdc7c84e.jpg

 

A new ransomware family called DetoxCrypto has appeared on the malware scene. It has two active versions at the moment, with more likely to come in the near future.

Security researcher MalwareHunterTeam discovered the first version, which uses Pokemon imagery for the wallpaper shown on the user's desktop.

The second DetoxCrypto version came the following day and used a more generic ransom note, but also added the ability to take a screenshot of the user's desktop when it was first run.

Intel Security researcher Marc Rivero López stumbled upon this version, called DetoxCrypto (Calipso version).

An analysis conducted by Lawrence Abrams reveals that both versions are very similar.

They infect victims via an EXE file, which unpacks into four other files: the wallpaper image used for the user's desktop, an audio file played in the background while the ransom note is displayed, a file named MicrosoftHost.exe that runs the actual file encryption process, and a second EXE file dubbed Calipso.exe or Pokemon.exe that shows the ransom note inside a stand-alone window.
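As an added example that is not part of the original post or the article it quotes, here is a small Python heuristic a defender could run over file-creation telemetry to flag a parent process that drops the four-file set described above. The `pid|parent_image|created_path` event format, the image and audio extensions, and the sample events are all assumptions of this example.

```python
# Added example, not code from the article: a detection heuristic that flags
# a process dropping the DetoxCrypto file set described above (wallpaper
# image, audio file, MicrosoftHost.exe and Pokemon.exe or Calipso.exe).
# The event format and the image/audio extensions are assumptions, and the
# sample events are constructed.
import ntpath  # handles Windows paths regardless of the host OS
from collections import defaultdict

IMAGE_EXT = {".jpg", ".jpeg", ".png", ".bmp"}  # assumed wallpaper formats
AUDIO_EXT = {".mp3", ".wav"}                   # assumed audio formats
ENCRYPTOR = "microsofthost.exe"                # runs the encryption
NOTE_WINDOWS = {"pokemon.exe", "calipso.exe"}  # show the ransom note

# Constructed 'pid|parent_image|created_path' events (not real telemetry).
SAMPLE_EVENTS = """\
1234|C:\\Users\\bob\\Downloads\\invoice.exe|C:\\Users\\bob\\AppData\\Local\\Temp\\bg.jpg
1234|C:\\Users\\bob\\Downloads\\invoice.exe|C:\\Users\\bob\\AppData\\Local\\Temp\\tune.mp3
1234|C:\\Users\\bob\\Downloads\\invoice.exe|C:\\Users\\bob\\AppData\\Local\\Temp\\MicrosoftHost.exe
1234|C:\\Users\\bob\\Downloads\\invoice.exe|C:\\Users\\bob\\AppData\\Local\\Temp\\Pokemon.exe
4321|C:\\Program Files\\Editor\\editor.exe|C:\\Users\\bob\\Documents\\cover.jpg
4321|C:\\Program Files\\Editor\\editor.exe|C:\\Users\\bob\\Documents\\MicrosoftHost.exe
"""

def parse_events(text):
    """Parse the pipe-separated lines into (pid, parent_image, created_path)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            pid, parent, path = line.split("|", 2)
            events.append((int(pid), parent, path))
    return events

def find_detoxcrypto_droppers(events):
    """Return (pid, parent_image) pairs whose dropped files match the full set."""
    dropped = defaultdict(set)  # (pid, parent) -> lower-cased file names
    for pid, parent, path in events:
        dropped[(pid, parent)].add(ntpath.basename(path).lower())
    hits = []
    for key, names in dropped.items():
        exts = {ntpath.splitext(n)[1] for n in names}
        # All four components must be present; a lone MicrosoftHost.exe is
        # not enough, since the name alone is not distinctive.
        if (ENCRYPTOR in names and names & NOTE_WINDOWS
                and exts & IMAGE_EXT and exts & AUDIO_EXT):
            hits.append(key)
    return hits

if __name__ == "__main__":
    for pid, parent in find_detoxcrypto_droppers(parse_events(SAMPLE_EVENTS)):
        print(f"suspicious dropper pid={pid} image={parent}")
```

The second process drops a JPEG and a file named MicrosoftHost.exe but no audio file or note window, so it is deliberately not flagged.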

The ransomware doesn't use a Tor-based website to handle payments but instead asks users to contact the crook(s) via email.

Two different email addresses are used.

New RaaS service or just one busy ransomware developer?

Two theories can explain DetoxCrypto's existence.

First, the ransomware author is releasing new versions of his malware as he adds new features, testing different configurations.

This is highly unlikely because of the two very different modes of operation employed by the two versions, with one taking silent screenshots of the user's desktop and reading a threatening ransom note out loud, and the other playing childish music.

The second theory is that there's a new RaaS (Ransomware-as-a-Service) website that has just opened.

This second theory also explains why researchers have seen two versions with very different operational modes, but sharing a lot of internal code.

According to MalwareHunterTeam, this ransomware seems to be under development, and there's no major distribution campaign pushing it to users.

Lawrence Abrams has videos of the two DetoxCrypto ransomware variants in action.

DetoxCrypto: Calipso version ransom note

Source:

http://news.softpedia.com/news/detoxcrypto-another-ransomware-riding-the-pokemon-go-popularity-wave-507501.shtml
