Researchers have noticed a new strain of ransomware, named DetoxCrypto, which currently comes in two different versions. However, chances are high that more variants are about to appear very soon.
The first version was detected by the security researcher MalwareHunterTeam. It is another piece based on the extremely popular game – Pokemon Go and uses a Pokemon-themed wallpapers to display on the victim`s desktop.
The second variant was noticed the next day by Marc Rivero López, an Intel Security researcher. It is called Calipso and, unlike the other version, uses a more standard ransom note. However, DetoxCrypto authors have added to Calipso the ability to silently take screenshots of the victim`s desktop when they run it for the first time.
When compared, the two versions appear to be very much alike, as analysis, conducted by the security expert Lawrence Abrams, revealed. Both variant using an EXE file to infect their victims. This file unzips into four other files. One of them is another EXE file named either Pokemon.exe or Calipso.exe which displays the ransom note inside a self-standing windows. Another is an audio file which plays in the background when the ransom note is shown. The last two are a MicrosoftHost.exe file which actually executes the file encryption process and a wallpaper picture for the victim`s desktop.
The DetoxCrypto ransomware`s victims can get in touch with its developers via email as it doesn’t use a Tor-based webpage for the payment process.
DetoxCrypto`s appearance can be explain with two hypothesis. The first and more likely is that a new Ransomware-as-a-Service (RaaS) website has been created explaining why there are two versions whose internal codes are similar but they operate in a different way.
Second, DetoxCrypto authors are just testing different configurations creating new versions with new features added. Anyway, this is doubtful due to the variants` different operating modes. While one of them is secretly making screenshots of the victim`s desktop and reading a threatening ransom note out loud, the other is using childish music.
As no intrusive DetoxCrypto distribution campaigns have been noticed, MalwareHunterTeam believes that the ransomware is still a work in progress.
