Tox Affiliate Site
Yesterday, we received a report of this ransomware actively being distributed as attachments in SPAM emails. This attachment pretends to be a Word document by using a Word icon but is actually a file with the .scr extension. Once executed, the Tox ransomware will download TOR and other files to C:\Users\<user>\Appdata\Roaming\. It will then encrypt all files with AES encryption that match the following extensions:
.txt, .odt, .ods, .odp, .odm, .odb, .doc, .docx, .docm, .wps, .xls, .xlsx, .xlsm, .xlsb, .xlk, .ppt, .pptx, .pptm, .mdb, .accdb, .pst, .dwg, .dxf, .dxg, .wpd, .indd, .cdr, .jpg, .jpe, .jpeg, .dng, .3fr, .arw, .mef, .mrw, .nef, .nrw, .orf, .raf, .raw, .rwl, .rw2, .r3d, .ptx, .pef, .srw, .x3f, .der, .cer, .rtf, .wb2, .mdf, .dbf, .psd, .pdd, .eps, .ai, .crt, .pem, .pfx, .p12, .p7b, .p7c, .pdf, .odc, .srf, .sr2, .bay, .crw, .cr2, .dcr, .kdc, .erf, .png, .xml, .sql, .php, .asp, .aspx, .js, .css, .cs, .cpp, .hpp, .java, .class, .py, .pl, .veg, .aep, .aepx, .blend, .prproj, .cad, .tif, .sitx, .sit, .rmvb, .bmp, .pps, .pub, .qbb, .swf, .asf, .dss, .qxd, .3gp, .cdl, .mswmm, .ss, .eml, .csv
Any files that are encrypted will have the .toxcrypt extension appended to the filename. Tox will then display an HTML ransom note in the default web browser explaining how to make payment via your unique bitcoin address. The actual ransom amount will differ per affiliate, as it is decided when they generate their version of the ransomware.
Thankfully, Tox does not delete the Shadow Volume Copies, so it is still possible to restore your files using a tool like Shadow Explorer. Information on how to restore your files via Shadow Explorer can be found here:
After testing the sample, I decided to log in and take a look at the affiliate site. It is well made and the process for creating your own ransomware is really easy. Hell, they even have their own Twitter account. What I found more interesting was the creator of the site chatting with his new affiliates. Below are some snippets of interesting conversation from the Tox chat channel.
Some affiliates bragging about the number of ransomware infections they currently have.
Here the dev, Tox, reveals the total number of current Tox infections.
Someone brags about stealing their employer's (an investment company) email list.
An affiliate asking questions about the type of encryption the ransomware uses.
Without a doubt, this type of site and affiliate system is a disturbing trend, as it allows anyone to generate an efficient and uncrackable ransomware. The only upside is that, since distribution is handled by the affiliate, there will be plenty of amateurs and script kiddies getting busted.
Files installed by Tox:
%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\tox.html
%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\Tox.scr
%AppData%\tor\
%AppData%\tor\cached-certs
%AppData%\tor\cached-microdesc-consensus
%AppData%\tor\cached-microdescs.new
%AppData%\tor\lock
%AppData%\tor\state
%AppData%\tox.log
%AppData%\tox_tor\
%AppData%\tox_tor\Data\
%AppData%\tox_tor\Data\Tor\
%AppData%\tox_tor\Data\Tor\geoip
%AppData%\tox_tor\Data\Tor\geoip6
%AppData%\tox_tor\Tor\
%AppData%\tox_tor\Tor\libeay32.dll
%AppData%\tox_tor\Tor\libevent-2-0-5.dll
%AppData%\tox_tor\Tor\libevent_core-2-0-5.dll
%AppData%\tox_tor\Tor\libevent_extra-2-0-5.dll
%AppData%\tox_tor\Tor\libgcc_s_sjlj-1.dll
%AppData%\tox_tor\Tor\libssp-0.dll
%AppData%\tox_tor\Tor\ssleay32.dll
%AppData%\tox_tor\Tor\tor.exe
%AppData%\tox_tor\Tor\zlib1.dll
%AppData%\tox_tor\tor.zip
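Added example (not code from the article or from Tox itself): a small Python triage helper that classifies file paths against the indicators this page describes, i.e. the Startup-folder persistence entries and the tox_tor drop from the file list above, files renamed with .toxcrypt, and files whose extension is on the target list. It assumes a listing of full paths (for example from a backup index or a file-system walk) as input; the marker strings are derived from the article's file list, and the generic %AppData%\tor\ state directory is deliberately not used as a marker because legitimate Tor installs create the same files.

```python
import os
from collections import defaultdict

# Extensions the article lists as Tox encryption targets.
TARGET_EXTENSIONS = set("""
.txt .odt .ods .odp .odm .odb .doc .docx .docm .wps .xls .xlsx .xlsm .xlsb .xlk .ppt .pptx .pptm
.mdb .accdb .pst .dwg .dxf .dxg .wpd .indd .cdr .jpg .jpe .jpeg .dng .3fr .arw .mef .mrw .nef .nrw
.orf .raf .raw .rwl .rw2 .r3d .ptx .pef .srw .x3f .der .cer .rtf .wb2 .mdf .dbf .psd .pdd .eps .ai
.crt .pem .pfx .p12 .p7b .p7c .pdf .odc .srf .sr2 .bay .crw .cr2 .dcr .kdc .erf .png .xml .sql .php
.asp .aspx .js .css .cs .cpp .hpp .java .class .py .pl .veg .aep .aepx .blend .prproj .cad .tif .sitx
.sit .rmvb .bmp .pps .pub .qbb .swf .asf .dss .qxd .3gp .cdl .mswmm .ss .eml .csv
""".split())

ENCRYPTED_EXTENSION = ".toxcrypt"  # appended to every encrypted file

# Drop locations taken from the article's "Files installed by Tox" list (matched case-insensitively).
PERSISTENCE_MARKERS = (
    "\\microsoft\\windows\\start menu\\programs\\startup\\tox.html",
    "\\microsoft\\windows\\start menu\\programs\\startup\\tox.scr",
)
# %AppData%\tox_tor\ and %AppData%\tox.log are specific to Tox; %AppData%\tor\ alone is not,
# since a normal Tor install writes the same state files there, so it is left out on purpose.
TOR_BUNDLE_MARKERS = ("\\tox_tor\\", "\\tox.log")

def classify_path(path):
    """Return the indicator class for one path, or None if it is unremarkable."""
    p = path.replace("/", "\\").lower()
    if any(p.endswith(m) for m in PERSISTENCE_MARKERS):
        return "persistence"
    if any(m in p for m in TOR_BUNDLE_MARKERS):
        return "tor_bundle"
    if p.endswith(ENCRYPTED_EXTENSION):
        return "encrypted"
    if os.path.splitext(p)[1] in TARGET_EXTENSIONS:
        return "at_risk"  # not encrypted (yet), but on the target list
    return None

def triage(paths):
    """Group an iterable of file paths by Tox indicator class; unremarkable paths are dropped."""
    hits = defaultdict(list)
    for path in paths:
        cls = classify_path(path)
        if cls:
            hits[cls].append(path)
    return dict(hits)

def walk_and_triage(root):
    """Walk a directory tree (e.g. a mounted user profile) and triage every file found."""
    found = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return triage(found)
```

A non-empty "persistence" or "tor_bundle" bucket is the strong signal; "encrypted" tells you how far the run got, and "at_risk" is the exposure still worth restoring from Shadow Volume Copies or backups.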