MalwareHunterTeam has discovered yet another variant of the DetoxCrypto ransomware, this one displaying its ransom note in Croatian.
The victim's files are encrypted with AES, and no extension or file marker is added. The only way to identify this variant is by the wallpaper left on the victim's desktop, which tells them to contact the criminals at the email address "firstname.lastname@example.org".
This variant pretends to be a PDF document in order to run, and for persistence, the executable pretends to be "TrendMicro".
This particular variant is decryptable, and I have released a decrypter for it. To decrypt files, you will just need what the program calls the "public key", a random 16-character string. This is displayed in the ransom screen, and is also saved at %USERPROFILE%\TrendMicro\key.pkm. My decrypter will automatically search for this file and load it if found.
To note, since there is no file marker or extension, I cannot completely tell which files were not encrypted, other than to guess by the filesize. A backup of any altered file is made with the extension ".bak" to be safe.
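For responders who want to collect the key before a machine is cleaned or reimaged, here is an added example (not the decrypter's code) that checks every profile directory for the key file named above and flags values that are not 16 characters long. It assumes the file stores the key as plain text; the function names and sample tree are constructed for illustration.

```python
import sys
import tempfile
from pathlib import Path

KEY_RELATIVE_PATH = Path("TrendMicro") / "key.pkm"  # location given in the write-up
KEY_LENGTH = 16                                      # "random 16-character string"

def read_key(key_file):
    """Return (key, problem), or None when the profile has no key file.
    Assumption: the file stores the key as plain text."""
    try:
        raw = Path(key_file).read_bytes()
    except (FileNotFoundError, NotADirectoryError):
        return None
    except OSError as exc:
        return None, f"unreadable: {exc.strerror}"
    text = raw.decode("utf-8", errors="replace").strip()
    if len(text) != KEY_LENGTH:
        return None, f"unexpected length {len(text)}, expected {KEY_LENGTH}"
    return text, None

def find_keys(profiles_root):
    """Check each profile directory under profiles_root (the Users directory)."""
    findings = []
    for profile in sorted(Path(profiles_root).iterdir()):
        result = read_key(profile / KEY_RELATIVE_PATH)
        if result is None:
            continue  # no key file: this profile shows no trace of the variant
        key, problem = result
        findings.append({"profile": profile.name, "key": key, "problem": problem})
    return findings

def build_sample(root):
    """Constructed sample tree: one valid key, one truncated key, one clean profile."""
    samples = {"alice": "A1b2C3d4E5f6G7h8\r\n", "bob": "short", "carol": None}
    for name, content in samples.items():
        profile = Path(root) / name
        profile.mkdir(parents=True)
        if content is not None:
            (profile / "TrendMicro").mkdir()
            (profile / KEY_RELATIVE_PATH).write_bytes(content.encode())
    return root

if __name__ == "__main__":
    # Pass a real profiles root as argv[1]; otherwise run on the constructed sample.
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample(tempfile.mkdtemp())
    for f in find_keys(root):
        print(f["profile"], f["key"] or f["problem"])
```

A key flagged with a problem should be compared against the value shown on the ransom screen before it is used.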
There is also another variant of this same ransomware that uses the email address "email@example.com". This variant cannot be decrypted at this time, unfortunately.