New Ransomware Offers Multiple Versions
Wednesday, August 24, 2016 @ 02:08 PM gHale
A new ransomware family will take a screenshot of a victim's computer and send it to the operator's servers.
DetoxCrypto is the new malware. While it is a new offering in the ransomware genre, it already comes in different variants, each with a different theme, email address, and features.
One acts like the usual ransomware, while another poses as a PokemonGo app, which is very popular these days.
All of the observed variants use AES encryption and can stop MySQL and MSSQL services on the infected machines, according to a report at BleepingComputer.
The variants display a ransom note/lock screen and play an audio file while the lock screen is showing. The ransomware also instructs victims to contact the operators via an email address included in the lock screen to regain access to their files.
Researchers did not say how the ransomware is distributed, but they did say a single distributed executable is used by all variants. This file contains other executables and components embedded within it. When launched, the main executable extracts a MicrosoftHost.exe file, an audio file, a wallpaper background, and an executable named differently per variant.
The MicrosoftHost.exe executable performs the actual encryption of the drive and stops the database servers on the victim's computer. When encrypting files, it will not append a different extension to them. It will also configure the Windows desktop background to use the embedded image file that is extracted, according to BleepingComputer.
The third file, which we have seen named Calipso.exe and Pokemon.exe, displays the lock screen, plays an audio file, and provides the ability to decrypt a victim's file if the correct password is entered, BleepingComputer said. This file appears not to be static between each variant that we noticed, so it is possible that different distributors customize this file to perform their own desired tasks.
A feature unique to this ransomware variant is that it takes a screenshot of the active screen and uploads it to the developer when executed. Researchers believe the ransomware's operators could attempt to increase the price of the ransom if the screenshot contains blackmail-worthy content.
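For defenders, the behaviours described above (a payload named MicrosoftHost.exe, Calipso.exe or Pokemon.exe starting, MySQL/MSSQL services stopping, the wallpaper changing) are more useful correlated than matched one at a time. The following is an added example, not code from the article or from BleepingComputer; the event schema, host names, paths and service names are constructed assumptions.

```python
from collections import defaultdict

# File names come from the article; a name match alone is a weak signal.
PAYLOAD_NAMES = {"microsofthost.exe", "calipso.exe", "pokemon.exe"}
DB_SERVICE_HINTS = ("mysql", "mssql")  # assumption: substring of the service name

# Constructed sample events in a simplified, hypothetical normalized schema.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "ws-01", "kind": "process_start", "value": r"C:\Users\a\Downloads\MicrosoftHost.exe"},
    {"ts": 130, "host": "ws-01", "kind": "service_stopped", "value": "MSSQLSERVER"},
    {"ts": 131, "host": "ws-01", "kind": "service_stopped", "value": "MySQL57"},
    {"ts": 150, "host": "ws-01", "kind": "wallpaper_set", "value": r"C:\Users\a\Downloads\bg.jpg"},
    {"ts": 200, "host": "db-02", "kind": "service_stopped", "value": "MSSQLSERVER"},  # maintenance, no payload
    {"ts": 300, "host": "ws-03", "kind": "process_start", "value": r"C:\Games\Pokemon.exe"},  # name match only
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def correlate(events, window=300):
    """Return {host: [signals]} for hosts where a named payload start is
    followed within `window` seconds by a database service stop."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    alerts = {}
    for host, evs in by_host.items():
        for start in evs:
            if start["kind"] != "process_start" or basename(start["value"]) not in PAYLOAD_NAMES:
                continue
            later = [e for e in evs if start["ts"] <= e["ts"] <= start["ts"] + window]
            stops = sorted({e["value"] for e in later
                            if e["kind"] == "service_stopped"
                            and any(h in e["value"].lower() for h in DB_SERVICE_HINTS)})
            if not stops:
                continue  # payload name without the database-stop behaviour
            signals = ["payload:" + basename(start["value"])] + ["stopped:" + s for s in stops]
            if any(e["kind"] == "wallpaper_set" for e in later):
                signals.append("wallpaper_changed")  # corroborating, not required
            alerts[host] = signals
            break
    return alerts

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

Requiring the service stop after the process start keeps routine database maintenance and unrelated programs that happen to share a file name from alerting.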