DetoxCrypto: Another Ransomware Riding the Pokemon GO Popula…

A new ransomware variant appeared on the malware scene called DetoxCrypto that has two active versions at the moment, with more likely to come in the near future.

Security researcher MalwareHunterTeam discovered the first version, which uses Pokemon imagery for the wallpaper shown on the user’s desktop.

The second DetoxCrypto version came the next day, and used a more generic ransom note, but also added the ability to take a screenshot of the user’s desktop when it was first run. Intel Security researcher Marc Rivero López discovered this version, called DetoxCrypto (Calipso version).

An analysis by Lawrence Abrams reveals that both versions are very similar. They infect victims via an EXE file which unpacks into four other files: the wallpaper image used for the user’s desktop, an audio file played in the background when the ransom note is displayed, a file named MicrosoftHost.exe which runs the actual file encryption process, and a second EXE file named Calipso.exe or Pokemon.exe that displays the ransom note inside a self-standing window.
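The drop pattern described above (one dropper EXE unpacking and launching an encryptor named MicrosoftHost.exe alongside a note-displaying EXE named Calipso.exe or Pokemon.exe) is the kind of sibling-process relationship a detection rule can key on. The following is an added example written for this page, not code from the article or from the researchers it cites: it groups constructed process-creation events by parent image and flags a parent only when both the encryptor name and one of the note-window names appear among its children. The event format, the sample events and the pairing heuristic are assumptions; only the file names come from the article.

```python
# Added example (not from the article): flag the DetoxCrypto-style drop pattern
# in process-creation telemetry. The process names MicrosoftHost.exe, Calipso.exe
# and Pokemon.exe are taken from the article; the (parent_image, child_image)
# event shape, the sample events and the "both siblings present" heuristic are
# constructed for illustration.
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

ENCRYPTOR_NAME = "microsofthost.exe"          # runs the file encryption
NOTE_NAMES = {"calipso.exe", "pokemon.exe"}   # display the ransom note window

# Constructed sample telemetry: (parent image path, child image path).
# The first three events model the dropper described in the article; the rest
# are benign noise and a lone MicrosoftHost.exe with no note EXE sibling.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    (r"C:\Users\victim\Downloads\pokemon_go_hack.exe",
     r"C:\Users\victim\AppData\Local\Temp\MicrosoftHost.exe"),
    (r"C:\Users\victim\Downloads\pokemon_go_hack.exe",
     r"C:\Users\victim\AppData\Local\Temp\Pokemon.exe"),
    (r"C:\Users\victim\Downloads\pokemon_go_hack.exe",
     r"C:\Windows\System32\cmd.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    (r"C:\Users\victim\Downloads\installer.exe",
     r"C:\Users\victim\AppData\Local\Temp\MicrosoftHost.exe"),
]


def image_name(path: str) -> str:
    """Return the lower-cased file name of an image path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def children_by_parent(events: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Group child image names under the parent image path that spawned them."""
    grouped: Dict[str, Set[str]] = defaultdict(set)
    for parent, child in events:
        grouped[parent].add(image_name(child))
    return grouped


def detect_detoxcrypto_pattern(events: Iterable[Tuple[str, str]]) -> List[str]:
    """Return parent image paths that spawned BOTH the encryptor and a note EXE.

    Requiring both siblings keeps a single coincidental file name (the lone
    MicrosoftHost.exe under installer.exe in the sample) from raising an alert.
    """
    hits = []
    for parent, names in children_by_parent(events).items():
        if ENCRYPTOR_NAME in names and names & NOTE_NAMES:
            hits.append(parent)
    return sorted(hits)


if __name__ == "__main__":
    for parent in detect_detoxcrypto_pattern(SAMPLE_EVENTS):
        print(f"DetoxCrypto-like dropper pattern under parent: {parent}")
```

The rule is deliberately narrow: it matches the sibling structure the article describes rather than any one file name, so a renamed note EXE would evade it and a real deployment would pair it with behavioural signals such as mass file renames by MicrosoftHost.exe.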

The ransomware doesn’t use a Tor-based website to handle payments but instead asks users to contact the crook(s) via email. Two different email addresses are used.

New RaaS service or just one busy ransomware developer?

Two theories can explain DetoxCrypto’s existence. The first is that the ransomware author is releasing new versions of his malware as he adds new features, testing different configurations.

This is highly unlikely because of the two very different modes of operation employed by the two versions, with one taking silent screenshots of the user’s desktop and reading out loud a threatening ransom note, while the other employs childish music.

The second theory is that there’s a new RaaS (Ransomware-as-a-Service) website that just opened. This second theory also explains why researchers have seen two versions with very different operational modes, but sharing a lot of internal code.

According to MalwareHunterTeam, this ransomware seems to be under development, and there’s no major distribution campaign pushing it to users.

Lawrence Abrams has videos of the two DetoxCrypto ransomware variants in action.

DetoxCrypto: Calipso version ransom note
