
A new ransomware has emerged that is very similar to Tox: it is built so that hackers can easily design encrypting ransomware payloads to distribute from their botnets. Since the creator of Tox was selling his operation, this could very well be the end result of that sale. The idea is to contract hackers who already have operational botnets and campaigns: they use this page to create encrypting ransomware binaries to their specifications and then hand off 20% of their successful scams to the Encryptor RaaS author.

Creation page

All a hacker has to do on this page is input the bitcoin wallet address they want the funds sent to, then customize the price for immediate payment, the price for late payment, and lastly the timer that determines when a payment counts as late.

Skip forward to the infection of a victim and there is no GUI popup. All your documents are simply encrypted, and this new instructions text file appears in every directory.

Typically you have to install the layered Tor browser to get here, but tor2web currently provides a gateway to the page even from a normal browser like Firefox or Chrome. Here is what you’ll be presented with.

Instructions are fairly clear on how to install a bitcoin wallet and send money to the hackers holding your files ransom. If you wait too long then the price will go up – and is set by the generator we showed earlier. Once you have paid the ransom this page will update showing “PAYED” and will then have a link to the decryptor. The decryptor doesn’t have a GUI either and will just run in the background until all files are decrypted.

MD5 Analyzed: D87BA0BFCE1CDB17FD243B8B1D247E88
Additional MD5 Analyzed: ECDACE57A6660D1BF75CD13CFEBEDAEE

Webroot will catch this specific variant in real time and heuristically before any encryption takes place. We’re always on the lookout for more, but just in case of new zero-day variants, remember that with encrypting ransomware the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were infected by a zero-day variant of encrypting ransomware you can just restore your files, as we save a snapshot history of up to ten previous copies for each of your files. Please see our community post on best practices for securing your environment against encrypting ransomware.
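To make the recovery strategy above concrete, here is an added illustration (not Webroot's code, and not how the product is actually implemented) of a minimal versioned snapshot store that keeps the current copy plus up to ten previous versions of each file and rolls a file back after it has been overwritten; the file names and sample contents are constructed for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

MAX_HISTORY = 10  # previous copies kept per file, matching the post's "up to ten"

def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def snapshot(src: Path, store: Path) -> bool:
    """Store src as store/<name>/<n> if its content changed since the last
    snapshot. Returns True when a new version was written."""
    hist = store / src.name
    hist.mkdir(parents=True, exist_ok=True)
    versions = sorted(hist.iterdir(), key=lambda p: int(p.name))
    if versions and _digest(versions[-1]) == _digest(src):
        return False  # unchanged since the last sync, nothing to store
    nxt = int(versions[-1].name) + 1 if versions else 1
    shutil.copy2(src, hist / str(nxt))
    versions.append(hist / str(nxt))
    # retain the current copy plus MAX_HISTORY previous ones, prune the rest
    for old in versions[: max(0, len(versions) - (MAX_HISTORY + 1))]:
        old.unlink()
    return True

def restore(name: str, store: Path, dest: Path, back: int = 1) -> bytes:
    """Copy the version `back` steps behind the newest snapshot (1 = the
    version just before the latest sync) over dest and return its bytes."""
    versions = sorted((store / name).iterdir(), key=lambda p: int(p.name))
    shutil.copy2(versions[-1 - back], dest)
    return dest.read_bytes()

def demo() -> dict:
    """Constructed scenario: a clean document is synced, then overwritten by
    simulated ciphertext, which the sync also captures; roll back one step."""
    with tempfile.TemporaryDirectory() as d:
        doc, store = Path(d) / "report.docx", Path(d) / "store"
        doc.write_bytes(b"quarterly report, clean")
        snapshot(doc, store)
        doc.write_bytes(b"\x00\x8f\x17 constructed junk ciphertext")
        snapshot(doc, store)  # the damaged file becomes the newest version
        restored = restore("report.docx", store, doc, back=1)
        # exercise retention: more distinct edits than the history depth
        for i in range(MAX_HISTORY + 5):
            doc.write_bytes(b"edit %d" % i)
            snapshot(doc, store)
        kept = len(list((store / "report.docx").iterdir()))
        return {"restored": restored, "versions_kept": kept}
```

Because the sync happily captures the encrypted file as the newest version, the useful property is the retained history behind it, which is why the demo restores one step back rather than the latest copy.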

Tyler Moffitt

About the Author

Tyler Moffitt

Senior Threat Research Analyst

Tyler Moffitt is a Senior Threat Research Analyst who stays deeply immersed within the world of malware and antimalware. He is focused on improving the customer experience through his work directly with malware samples, creating antimalware intelligence, writing blogs, and testing in-house tools.
