DetoxCrypto targets Windows OS and is distributed as an executable file that contains other files and executables. There are currently two versions of this variant, although security researchers expect more versions to emerge as indications point to a possible Ransomware-as-a-Service (RaaS) affiliate program. One version launches from an executable named Pokemongo.exe and has a Pokémon-themed ransom note. Another version, dubbed Calipso, launches from an executable named calipso.exe and displays an image of a computer locked in chains with a stack of coins, along with generic ransom note text. The executables for DetoxCrypto reside within the main distribution executable, along with an audio file, a wallpaper image file, and a file named MicrosoftHost.exe that performs the encryption process. Neither version appends any extension to encrypted file names. Calipso stands apart from other variants because it takes a screen capture of the victim’s infected machine and uploads it to the attacker. The ransom payment amount is currently unknown.
UPDATE 8/26/2016: A new version, named Serpico and written in Serbo-Croatian, was discovered.
UPDATE 9/1/2016: A new version, dubbed Nullbyte, masquerades as the NecroBot Pokémon Go application and is distributed through a GitHub application. After installation, Nullbyte displays the standard NecroBot interface, prompts the victim to log in, and steals any credentials entered into the form. After the credentials are sent to its C2 server, Nullbyte begins encrypting files with AES and appends _nullbyte to the file names. It also terminates the following processes to hinder removal of the infection or to prevent the victim from searching online for help: chrome, cmd, taskmgr, firefox, iexplore, and opera. Lastly, Nullbyte takes a screenshot of the victim’s active screen and uploads it to its C2 server before displaying a lock screen and asking for a ransom payment of 0.1 Bitcoin.
UPDATE 9/16/2016: A new version tries to fool users by imitating the antivirus software Malwarebytes, arriving in an executable file named Malwerbyte.exe.
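
The following added example, which is not part of the original write-up, correlates the indicators named above (the lure executable names, the _nullbyte suffix and the terminated process list) across endpoint events, per host. The event schema, host names, thresholds and sample records are assumptions constructed for illustration.

```python
import ntpath
from collections import defaultdict
# Strings taken from the write-up above; the event schema is an assumption.
LURE_NAMES = {"pokemongo.exe", "calipso.exe", "microsofthost.exe", "malwerbyte.exe"}
KILLED = {"chrome", "cmd", "taskmgr", "firefox", "iexplore", "opera"}
SUFFIX = "_nullbyte"

def triage(events, min_renames=3, min_kills=2):
    """Return {host: [finding, ...]} for hosts showing the described behaviour."""
    lures, renames, kills = defaultdict(set), defaultdict(int), defaultdict(set)
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "process_start":
            name = ntpath.basename(ev["image"]).lower()
            if name in LURE_NAMES:
                lures[host].add(name)
        elif kind == "file_rename":
            # Assumption: the suffix is appended to the complete original name.
            if ev["new"].lower() == ev["old"].lower() + SUFFIX:
                renames[host] += 1
        elif kind == "process_terminate":
            target = ntpath.splitext(ntpath.basename(ev["target"]))[0].lower()
            if target in KILLED:
                kills[host].add(target)
    findings = {}
    for host in sorted(set(lures) | set(renames) | set(kills)):
        out = [f"lure executable started: {n}" for n in sorted(lures[host])]
        # Thresholds keep one stray rename or one closed browser from alerting.
        if renames[host] >= min_renames:
            out.append(f"{renames[host]} files renamed with {SUFFIX} suffix")
        if len(kills[host]) >= min_kills:
            out.append("terminated: " + ", ".join(sorted(kills[host])))
        if out:
            findings[host] = out
    return findings

# Constructed sample telemetry (not real data).
SAMPLE = [
    {"host": "ws-01", "type": "process_start", "image": r"C:\Users\a\Downloads\Malwerbyte.exe"},
    *[{"host": "ws-02", "type": "file_rename", "old": rf"C:\docs\f{i}.docx",
       "new": rf"C:\docs\f{i}.docx_nullbyte"} for i in range(4)],
    {"host": "ws-02", "type": "process_terminate", "target": "taskmgr.exe"},
    {"host": "ws-02", "type": "process_terminate", "target": r"C:\Program Files\Google\chrome.exe"},
    {"host": "ws-03", "type": "file_rename", "old": "report.txt", "new": "report_final.txt"},
    {"host": "ws-03", "type": "process_terminate", "target": "chrome.exe"},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

File names alone are weak indicators because they are trivially changed; the rename and termination counts are the more durable signal here.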