A new ransomware family has been observed taking screenshots of victim hosts and sending them to remote malicious servers. Two variants are known at this time, and both are being distributed across the Internet.
DetoxCrypto Has Two Very Different Variants
Security experts speculate that the new malware family is sold to criminals on the Dark Web or is part of an affiliate scheme for malicious software. The two known variants show completely different features and targets. The first observed variant behaves like a typical ransomware program, except that it has the screenshot feature: it sends screenshots of the victim computers to the criminals' remote servers, possibly to spy on user activity. The other variant of DetoxCrypto is a counterfeit Pokemon Go application.
All DetoxCrypto samples use AES encryption and can control the MySQL and MSSQL database services on the infected machines. While the lock screen is active, the ransomware displays its notification and plays an audio file. The victims are instructed to contact the attackers via email to regain access to their data.
The distribution method is still unknown. However, security experts state that all variants of DetoxCrypto are delivered as a single executable file that bundles several files and components. Upon execution, the main file extracts a MicrosoftHost.exe file, an audio sample, a wallpaper background, and an executable file named according to the variant.
The MicrosoftHost.exe file handles the cryptographic functions and controls the database services on the infected host. The second executable shows the lock screen, plays the audio file, and decrypts the affected files when a correct passphrase is entered.
The feature that sets DetoxCrypto apart is its screenshot capability. Some experts speculate that it is intended to support blackmail attempts should the screenshots capture sensitive information about the user's activities.