Scammers will always try and imitate legitimate tools and services in an effort to trick people into harming their accounts and devices. If it isn’t fake logins, it’s dubious links on social media. If we’re wading knee deep in 419 emails, you can bet another round of tech support scams will be along in a minute.
In the realm of ransomware, confidence tricks reign supreme and while those antics usually involve screaming YOUR PC HAS BEEN LOCKED, YOU’VE BEEN LOOKING AT BAD THINGS AND NOW WE NEED SOME MONEY at the victim, they also need a way to have them run the file on offer. While some attacks involve exploits and automatically installing malware, not all ransomware authors have that luxury so they have to rely on different means.
What we’re seeing at the moment is what appears to be a kind of trial run for ransomware distribution. There’s a couple of Detox Ransomware files doing the rounds, and though they’re all broken in terms of functionality and / or download / dropper URLs, it’s still a possible sign of things shortly coming around the corner and worth giving a heads up on. No doubt we’ll likely see a fully functional version of what’s below and more besides in the near future:
Another DetoxCrypto sample, probably trying to fake @Malwarebytes with “Malwerbyte”.@BleepinComputer @demonslay335pic.twitter.com/0OJT14nklW
— MalwareHunterTeam (@malwrhunterteam) September 15, 2016
More #ransomware is on its way, beware of this one. Faking@Malwarebytes to fool you into opening @malwrhunterteamhttps://t.co/kZKjVrhx64
— Cyber 123 (@UK_Cyber123) September 15, 2016
From the file’s VirusTotal page:
Copyright Copyright © 2016
Original name Malwerbyte.exe
Internal name Malwerbyte.exe
File version 188.8.131.52
They made a bit of a typo there, which is a quick and handy way to spot the fake. Additionally, the ransomware sample being looked at doesn’t encrypt files which further suggests this is either a trial run or just poorly coded Malware.
Users of Malwarebytes Anti-Malware will find we detect the above as Ransom.DetoxCrypto.
Should we see updates to this particular rollout, we will of course be back to take a second look. If you’re curious about versions of DetoxCrypto which are fully functional and the kind of mischief they get up to, then BleepingComputer will walk you through the perils of Pokemon Ransomware.