DetoxCrypto comes in 2 variants: Pokemon-themed and Calipso

Aug 20, 2016 22:50 GMT

A new ransomware family has appeared on the malware scene: it is called DetoxCrypto, two versions of it are active at the moment, and more are likely to follow in the near future.

Security researcher MalwareHunterTeam discovered the first version, which uses Pokemon imagery for the wallpaper shown on the user's desktop.

The second DetoxCrypto version appeared the following day. It uses a more generic ransom note but adds the ability to take a screenshot of the user's desktop when it is first run. Intel Security researcher Marc Rivero López came across this version, called DetoxCrypto (Calipso version).

An analysis by Lawrence Abrams shows that the two versions are very similar. Both arrive as a single EXE file that unpacks four other files: the wallpaper image set on the user's desktop, an audio file played in the background while the ransom note is displayed, a file named MicrosoftHost.exe that performs the actual file encryption, and a second executable, Pokemon.exe or Calipso.exe, that shows the ransom note in a standalone window.
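The four-file layout described above gives responders something concrete to hunt for on a suspect host. The following is an added triage example, not code from the article or from the analysis it reports: it scores directories by how closely their contents match the dropped-file set. The names MicrosoftHost.exe, Pokemon.exe and Calipso.exe come from the article; the image and audio extensions, the scoring weights, the threshold and the sample directory listing are assumptions made for the example.

```python
# Added triage example (not code from the article or from the DetoxCrypto
# analysis it reports): flag directories whose contents match the dropped-file
# set the article describes. File names MicrosoftHost.exe, Pokemon.exe and
# Calipso.exe come from the article; the image/audio extensions, the scoring
# weights, the threshold and the sample listing below are assumptions.
from collections import defaultdict
from pathlib import PureWindowsPath

ENCRYPTOR = "microsofthost.exe"                   # runs the file encryption
NOTE_DISPLAYERS = {"pokemon.exe", "calipso.exe"}  # show the ransom note window
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".bmp"}    # wallpaper (assumed formats)
AUDIO_EXTS = {".wav", ".mp3"}                     # background audio (assumed formats)


def group_by_directory(paths):
    """Map each directory (lower-cased) to the lower-cased file names in it."""
    groups = defaultdict(list)
    for p in paths:
        wp = PureWindowsPath(p)
        groups[str(wp.parent).lower()].append(wp.name.lower())
    return groups


def score_directory(names):
    """Score one directory's file names against the dropper layout.

    Returns (score, findings). The two executables carry most of the weight;
    an image plus an audio file next to them completes the four-file set.
    """
    names = set(names)
    score, findings = 0, []
    if ENCRYPTOR in names:
        score += 2
        findings.append("MicrosoftHost.exe (encryptor) present")
    displayers = NOTE_DISPLAYERS & names
    if displayers:
        score += 2
        findings.append("ransom-note displayer: " + ", ".join(sorted(displayers)))
    if any(PureWindowsPath(n).suffix in IMAGE_EXTS for n in names):
        score += 1
        findings.append("image file (possible wallpaper)")
    if any(PureWindowsPath(n).suffix in AUDIO_EXTS for n in names):
        score += 1
        findings.append("audio file (possible ransom-note soundtrack)")
    return score, findings


def find_suspicious(paths, threshold=4):
    """Return {directory: (score, findings)} for directories at or above threshold.

    With the weights above, a hit needs either both executables, or the
    encryptor plus both media files; a lone MicrosoftHost.exe does not fire.
    """
    hits = {}
    for directory, names in group_by_directory(paths).items():
        score, findings = score_directory(names)
        if score >= threshold:
            hits[directory] = (score, findings)
    return hits


# Constructed sample listing (not from a real infection): one directory with
# the full four-file set, one benign directory, one with only the encryptor name.
SAMPLE_LISTING = [
    r"C:\Users\victim\AppData\Local\Temp\drop\MicrosoftHost.exe",
    r"C:\Users\victim\AppData\Local\Temp\drop\Pokemon.exe",
    r"C:\Users\victim\AppData\Local\Temp\drop\wallpaper.jpg",
    r"C:\Users\victim\AppData\Local\Temp\drop\music.mp3",
    r"C:\Users\victim\Pictures\holiday.jpg",
    r"C:\Users\victim\Pictures\notepad.exe",
    r"C:\Users\victim\Downloads\MicrosoftHost.exe",
]

if __name__ == "__main__":
    for directory, (score, findings) in find_suspicious(SAMPLE_LISTING).items():
        print(f"{directory}: score {score}")
        for f in findings:
            print("  -", f)
```

Feed it a file listing exported from the host (or from a forensic image) rather than walking a live, possibly still-encrypting machine. The threshold is deliberately set so that a single file with a suspicious name does not fire on its own; it is the co-occurrence of the encryptor, the note displayer and the two media files that matches the dropper.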

The ransomware does not use a Tor-based website to handle payments; instead, it tells victims to contact the crook(s) via email. Two different email addresses are used.

New RaaS service or just one busy ransomware developer?

Two theories could explain DetoxCrypto's existence. The first is that a single ransomware author is releasing new versions of the malware as features are added, testing different configurations.

This is highly unlikely given how differently the two versions operate: one silently takes screenshots of the user's desktop and reads a threatening ransom note aloud, while the other plays childish music.

The second theory is that a new RaaS (Ransomware-as-a-Service) website has just opened. This would also explain why researchers have seen two versions with very different modes of operation that nonetheless share a lot of internal code.

According to MalwareHunterTeam, this ransomware seems to be under development, and there's no major distribution campaign pushing it to users.

Lawrence Abrams has videos of the two DetoxCrypto ransomware variants in action.

[Images: DetoxCrypto Pokemon-themed ransom note; DetoxCrypto Calipso version ransom note]