DetoxCrypto Ransomware

What is DetoxCrypto Ransomware?

DetoxCrypto Ransomware is a release variant of PokemonGo Ransomware, but it has some slight differences that set it apart from its predecessor. Our security experts suggest that you remove it before it encrypts your files because testing has shown that, currently, it does not work. Still, our researchers have analyzed it because it can spring into life at any time. It can infect your PC and say that your files have been encrypted, but will not encrypt any files. Yet, it is set to offer you to purchase a decryption key for a substantial sum of money. Please continue reading to learn more.

Where does DetoxCrypto Ransomware come from?

Since DetoxCrypto Ransomware is nearly identical to PokemonGo Ransomware, we have no doubt that it was created by the same developers. Still, not much is known about the origins of both of these infections. As far as this newly released ransomware’s dissemination methods are concerned, it seems that it is distributed in much the same way its release variant is, which is email spam. We have received information claiming that DetoxCrypto Ransomware’s payload is featured in an email attachment that may look like a PDF file. Apparently, the emails are sent from a remote server, and they may be disguised as login notifications, newsletters, and so on from sites such as Facebook, Twitter, Instagram, Amazon, and PayPal, among others. Researchers say that, like its release variant, DetoxCrypto Ransomware copies itself to all connected external storage devices using an autorun.inf file that is created upon infection. Also, it is set to make a copy of itself in each internal hard drive, so you have to check all of your storage devices and internal hard drives for this ransomware if you want to get rid of it completely.

What does DetoxCrypto Ransomware do?

According to our security analysts, when this ransomware infects your computer, it drops its files that include key.txt, pok.wav, pokbg.jpg, Pokemon.exe, and total.txt in %USERPROFILE%\Downloads\Pokemon and drops a copy of Pokemon.exe in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. However, some variants of this ransomware might drop all of the files in %USERPROFILE%\Calipso. Once the files have been dropped, the ransomware will execute and scan your computer for files that it could encrypt. However, before beginning the encryption, it stops services with "SQL" in their names. This ransomware is set to encrypt more than a hundred file formats that include but are not limited to .JPG, .KEY, .MDB, .MD2, .MDF, .MHT, .TXT, .VSD, .WMV, .XLS, .XLSX, .3GP, .7Z, .APK, .AVI, and .BMP. It uses the AES and RSA encryption algorithms to lock the files, but it does not append an extension to the files.

When the encryption is complete, it saves the key and the number of encrypted files and sets a new wallpaper with an image featuring a sad Pikachu Pokémon. The image is technically a ransom note that says that you need to send 3 Bitcoins (1732.49 USD). However, before you do that, you need to contact the malware developers via the provided email address to get their Bitcoin wallet address. However, we want to inform you that you do not have to pay the ransom because DetoxCrypto Ransomware currently does not encrypt any files, but be sure to check whether this is the case by opening several files that were supposed to be encrypted. If they are not, then you can go ahead and delete the malicious files. Nevertheless, if this ransomware encrypts your files, you should consider the possibility of the cyber criminals not sending you the private decryption key. The ransom you are expected to pay is quite large, and your files might not be worth that kind of money.

How to remove DetoxCrypto Ransomware

If you want to get rid of this ransomware, then you have come to the right cyber security website. Our security experts have tested this infection and made a manual removal guide. However, if you experience issues with this guide due to the possible variations of this ransomware, we suggest downloading SpyHunter, a program that can show you the locations of all malicious files and, thus, will help you delete them manually. Nevertheless, this program can also wipe out all malicious programs present on your computer automatically.

Manual removal guide

  1. Delete the PokemonGO.exe from the location you launched it (e.g. Downloads folder, desktop)
  2. Hold down Windows+E keys.
  3. In the File Explorer’s address box, enter %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
  4. Find Pokemon.exe and delete it.
  5. Then, enter one of the following locations (the location varies)
    • %USERPROFILE%\Downloads\Pokemon
    • %USERPROFILE%\Calipso
  6. Delete key.txt, pok.wav, pokbg.jpg, Pokemon.exe, and total.txt
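
The locations in the guide above, together with the autorun.inf copies described earlier, can be checked with a short read-only PowerShell script. This is an added example, not part of the original guide: the function name is hypothetical, the `open=`/`shellexecute=` pattern is an assumption about how the autorun.inf launches its copy, and nothing is deleted.

```powershell
# Added example: read-only check for the artifacts named in this guide.
# Find-DetoxCryptoArtifacts is a hypothetical name; the script only reports.
function Find-DetoxCryptoArtifacts {
    $names = 'key.txt', 'pok.wav', 'pokbg.jpg', 'Pokemon.exe', 'total.txt'
    # Drop folder differs between variants, so both are checked.
    $dropDirs = @(
        (Join-Path $env:USERPROFILE 'Downloads\Pokemon'),
        (Join-Path $env:USERPROFILE 'Calipso')
    )
    $startup = Join-Path $env:APPDATA `
        'Microsoft\Windows\Start Menu\Programs\Startup\Pokemon.exe'

    $hits = @()
    foreach ($dir in $dropDirs) {
        foreach ($name in $names) {
            $path = Join-Path $dir $name
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                $hits += [pscustomobject]@{ Kind = 'Dropped file'; Path = $path; Detail = '' }
            }
        }
    }
    if (Test-Path -LiteralPath $startup -PathType Leaf) {
        $hits += [pscustomobject]@{ Kind = 'Startup copy'; Path = $startup; Detail = '' }
    }

    # The guide says a copy is placed on every internal and external drive
    # via autorun.inf. The copy's file name is not given, so report each
    # autorun.inf and the program it launches for manual review.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $inf = Join-Path $drive.Root 'autorun.inf'
        if (Test-Path -LiteralPath $inf -PathType Leaf -ErrorAction SilentlyContinue) {
            $launch = Select-String -LiteralPath $inf `
                -Pattern '^\s*(open|shellexecute)\s*=' -ErrorAction SilentlyContinue |
                ForEach-Object { $_.Line.Trim() }
            $hits += [pscustomobject]@{
                Kind   = 'autorun.inf'
                Path   = $inf
                Detail = ($launch -join '; ')
            }
        }
    }
    return $hits
}

Find-DetoxCryptoArtifacts | Format-Table -AutoSize -Wrap
```

An autorun.inf on a drive root is not proof of infection on its own; check whether the program named in the Detail column is one you recognise before deleting anything.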