
DetoxCrypto Ransomware

Posted: August 22, 2016

Threat Metric

Ranking: 6,623
Threat Level: 10/10
Infected PCs: 4,665
First Seen: August 22, 2016
Last Seen: October 10, 2023
OS(es) Affected: Windows

The DetoxCrypto Ransomware is a file encryption Trojan that makes harmful changes to your file data as a means of holding it hostage. Since paying ransoms to the DetoxCrypto Ransomware's administrators is a risky recovery method that also encourages further threat development, you should look to alternative solutions, such as keeping remote backups, whenever possible. After identifying the symptoms of an attack, always remove the DetoxCrypto Ransomware with an anti-malware product to stop it from damaging any additional data.

Catching the Worst 'Pocket Monster' of All: A Trojan

Like any widespread social phenomenon, the popularity of Pokemon GO has served as a publicity platform for the thematic design of some threat campaigns. The Pokemon GO Ransomware was the first of its type to be identified, but malware experts can now confirm a new Trojan using similar themes: the DetoxCrypto Ransomware. Unlike the Pokemon GO Ransomware, the DetoxCrypto Ransomware appears to be the starting point of a new family of ransomware-based Trojans being sold or rented to third parties.

The DetoxCrypto Ransomware currently circulates in two versions with almost identical code and file system behavior, but different ransom messages. The non-Pokemon-themed version also includes a screen-capturing function during its launch, which raises the possibility of more significant spyware features in a future campaign by the threat. Both versions include a file encryption attack, a desktop-hijacking image that serves as the ransom note, associated sound files, and an additional extortion message in a pop-up.

The DetoxCrypto Ransomware uses a fake MicrosoftHost.exe file to run its encryption attack, which converts the PC's file data into a custom cipher text. The included ransom messages ask for a Bitcoin payment before the remote attackers will send you the decryption key. Malware experts also noted a time limit on payment, continuing a common social engineering technique, currently in use in the Pokemon variant of the DetoxCrypto Ransomware.

Detoxifying Your PC of the Newest Threat

Like the Troldesh Ransomware, both variants of the DetoxCrypto Ransomware use e-mail address-based extortion methods, rather than the Tor website navigation that some threats require. However, the two families appear to be unrelated, and the DetoxCrypto Ransomware does not show other traits typical of the former group (such as inserting ID numbers into the names of your files). Like any recently identified threat, the DetoxCrypto Ransomware may be able to avoid detection by security products still using outdated threat databases.

The PC security sector has yet to release a decryption solution specific to the DetoxCrypto Ransomware, which leaves current decryption possibilities primarily in the hands of the remote attackers controlling its campaigns. Paying con artists to decrypt your information may cause further damage to your files through a faulty decryption program or, in the worst cases, result in losing the ransom money for no benefit. For PC users with information in need of protection from these attacks, malware experts recommend keeping backups on cloud servers, USB devices, and other drives that the DetoxCrypto Ransomware can't infect.

The DetoxCrypto Ransomware incorporates components with misleading names, including at least one file that disguises itself as part of a Microsoft product. Using automated anti-malware solutions to uninstall the DetoxCrypto Ransomware provides the best chance of not overlooking any of its files during the deletion process. However, despite the best recovery strategies available, PC users who aren't protecting their data may find that the sight of the Pokemon mascot Pikachu has become a symbol of permanent file damage.

Technical Details

Additional Information

The following directories were created:
%USERPROFILE%\Calipso
%USERPROFILE%\Downloads\Pokemon
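The two directories above and the fake MicrosoftHost.exe mentioned earlier are the host-level indicators this page gives. The script below is an added example (not code from the page's authors or from any vendor) that checks a user profile for those directories and flags any running image with that file name, so an analyst can triage a host or a mounted image. The directory check takes an injectable `is_dir` function and the process check takes a plain list of (name, path) pairs, both assumptions made here so the logic runs offline against constructed input; the live-host path uses `tasklist /fo csv /nh`, which reports image names but not file paths.

```python
"""Triage check for the DetoxCrypto indicators listed on this page (added example)."""
import csv
import os
import subprocess
import sys
from typing import Callable, Iterable, List, Tuple

# Directories the page reports the Trojan creating, as %USERPROFILE% templates.
IOC_DIRECTORY_TEMPLATES = (
    r"%USERPROFILE%\Calipso",
    r"%USERPROFILE%\Downloads\Pokemon",
)

# Image name the page reports the encryption component running under.
IOC_PROCESS_NAME = "microsofthost.exe"

# Constructed sample process list for offline use; not captured from a real host.
SAMPLE_PROCESSES = [
    ("explorer.exe", r"C:\Windows\explorer.exe"),
    ("MicrosoftHost.exe", r"C:\Users\alice\AppData\Roaming\MicrosoftHost.exe"),
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
]


def expand_profile(template: str, user_profile: str) -> str:
    """Substitute %USERPROFILE% in a Windows path template with a concrete profile path."""
    return template.replace("%USERPROFILE%", user_profile.rstrip("\\"))


def find_ioc_directories(user_profile: str,
                         is_dir: Callable[[str], bool] = os.path.isdir) -> List[str]:
    """Return the IoC directories that exist under user_profile.

    is_dir is injectable (assumption of this example) so the same check can be
    run over a mounted image or a file listing instead of the live file system.
    """
    hits = []
    for template in IOC_DIRECTORY_TEMPLATES:
        path = expand_profile(template, user_profile)
        if is_dir(path):
            hits.append(path)
    return hits


def find_ioc_processes(processes: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (name, path) pairs whose image name matches the reported dropper name.

    The match is case-insensitive and ignores the directory, since the page only
    gives the file name; every hit should be reviewed rather than trusted blindly.
    """
    return [(name, path) for name, path in processes
            if name.lower() == IOC_PROCESS_NAME]


def live_process_list() -> List[Tuple[str, str]]:
    """Collect (image_name, "") pairs from tasklist on a Windows host.

    tasklist's CSV output has no path column, so the path is left empty here.
    """
    out = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                         capture_output=True, text=True, check=True).stdout
    return [(row[0], "") for row in csv.reader(out.splitlines()) if row]


def triage(user_profile: str, processes: Iterable[Tuple[str, str]],
           is_dir: Callable[[str], bool] = os.path.isdir) -> dict:
    """Combine both checks into one result dictionary for reporting."""
    dirs = find_ioc_directories(user_profile, is_dir)
    procs = find_ioc_processes(processes)
    return {"directories": dirs, "processes": procs, "suspicious": bool(dirs or procs)}


if __name__ == "__main__":
    if sys.platform.startswith("win"):
        profile = os.environ.get("USERPROFILE", r"C:\Users\Default")
        result = triage(profile, live_process_list())
    else:
        # Off Windows, demonstrate against the constructed sample data only.
        result = triage(r"C:\Users\alice", SAMPLE_PROCESSES, is_dir=lambda p: False)
    print(result)
```

Run it as-is on the affected host to get a dictionary of hits; on an analysis workstation, pass a path listing from the image and a process list exported from memory to `triage()` instead. A hit on either indicator is a reason to isolate the host and proceed with a full anti-malware scan, not a confirmation of infection on its own.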