- Slow Computer
- System crashes
- Shows commercial adverts
- Connects to the internet without permission
- Installs itself without permissions
- Can't be uninstalled via Control Panel
A new ransomware-type infection is currently on the loose, and it could wreak havoc on your computer if it were not for the fact that it does not work. It is called DetoxCrypto Ransomware, and we recommend that you remove it from your computer as soon as possible. While testing it, we found that it is a variant of PokemonGO Ransomware and Calypso Ransomware. Nevertheless, these applications have minute differences, so an analysis dedicated to DetoxCrypto Ransomware is required. In this article, we will cover how this infection works, its distribution methods and how to get rid of it.
This ransomware is supposed to encrypt your files, but our research has concluded that it does not do that. It is likely that its Command and Control server (C&C server) is down, so the ransomware never receives the instructions it needs to generate the unique private decryption key that is sent to the C&C server and held for ransom. We have also found that this infection uses the AES encryption algorithm to encrypt the files and the RSA algorithm to encrypt the decryption key. If this ransomware were working, you would not be able to get your files back without paying the hefty ransom of 3 BTC, which is approximately 1,732 USD. Now let us get into the technical information regarding DetoxCrypto Ransomware.
Not only is this ransomware similar to PokemonGO Ransomware and Calypso Ransomware, but it also has two variations of its own. In all cases, this ransomware has the same Pokémon theme, but it differs from PokemonGO Ransomware as far as visuals are concerned. After the encryption is complete, it changes the desktop wallpaper to an image depicting the Pokémon Pikachu. This image is, in fact, the ransom note, which asks you to contact the cyber crooks via the provided email address to obtain the Bitcoin wallet to which you are expected to transfer 3 BTC.
As stated, DetoxCrypto Ransomware has two variations, and depending on the variant it drops its payload to either %USERPROFILE%\Downloads\Pokemon or %USERPROFILE%\Calipso. The payload consists of five files: key.txt, pok.wav, pokbg.jpg, Pokemon.exe, and total.txt. After the encryption is complete, the infection is set to launch Pokemon.exe, which is this ransomware's graphical user interface and also contains the same ransom note found on the desktop image. One of its dialog boxes has the public key already entered, but you would need the private key as well to get your files back. However, since this malware does not encrypt your files, you do not need the private key. Before we move on to its removal, we would like to say a few things about its distribution methods.
DetoxCrypto Ransomware's main executable is named PokemonGO.exe, which is not to be confused with Pokemon.exe: when you run PokemonGO.exe, it drops Pokemon.exe and all of the other files mentioned previously to one of the two preset locations. In short, PokemonGO.exe is the executable that drops the payload. This executable is known to be disseminated via email spam; the cyber criminals take advantage of the Pokémon Go craze that is currently sweeping the world in an effort to trick gullible users into thinking that it is some kind of game and launching it. A capable anti-malware program would prevent this executable from running entirely, but if you do not have such a program and your PC got infected with DetoxCrypto Ransomware, then you might want to make use of the removal guide presented below.
In summary, DetoxCrypto Ransomware can be a dangerous infection, but thankfully it does not work at the moment, so it cannot encrypt your files. However, this can change at any time, so you have to get rid of it as soon as possible. Do not be fooled by the ransom note: check whether your files have actually been encrypted. You can delete its files manually using the guide below or get an anti-malware tool such as SpyHunter, which will make light work of this infection.
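As an added illustration (not code from the original article), the following Python script turns the two points above into checks you can run: it looks for the dropped payload in the two directories and five file names the article lists, and it applies a byte-entropy heuristic to tell whether a document has really been overwritten with ciphertext. The directory argument, the entropy threshold and the constructed sample layout in demo() are assumptions for this example.

```python
import math
import tempfile
from pathlib import Path

# Drop locations and payload file names named in the article, relative to %USERPROFILE%.
PAYLOAD_DIRS = [Path("Downloads") / "Pokemon", Path("Calipso")]
PAYLOAD_FILES = ["key.txt", "pok.wav", "pokbg.jpg", "Pokemon.exe", "total.txt"]


def find_payload(user_profile):
    """Return {variant_dir: [payload files present]} for every drop directory that exists."""
    found = {}
    base = Path(user_profile)
    for rel in PAYLOAD_DIRS:
        folder = base / rel
        if folder.is_dir():
            found[rel.as_posix()] = [f for f in PAYLOAD_FILES if (folder / f).is_file()]
    return found


def shannon_entropy(data):
    """Bits of entropy per byte of the sample; AES output sits close to the maximum of 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path, sample_size=4096, threshold=7.5):
    """Heuristic: near-random leading bytes suggest the file was overwritten by a cipher.
    Samples under 1 KiB give noisy estimates, so such files are reported as not encrypted."""
    with open(path, "rb") as fh:
        sample = fh.read(sample_size)
    if len(sample) < 1024:
        return False
    return shannon_entropy(sample) >= threshold


def demo():
    """Constructed sample layout (not a real infection) that exercises both checks."""
    root = Path(tempfile.mkdtemp())
    drop = root / "Downloads" / "Pokemon"
    drop.mkdir(parents=True)
    for name in ("key.txt", "total.txt"):
        (drop / name).write_bytes(b"constructed sample\n")
    plain = root / "notes.txt"
    plain.write_bytes(b"A" * 2048)               # repetitive plaintext, entropy 0.0
    cipher = root / "letter.txt"
    cipher.write_bytes(bytes(range(256)) * 16)   # flat byte histogram, entropy 8.0
    return find_payload(root), looks_encrypted(plain), looks_encrypted(cipher)
```

Point find_payload at the real %USERPROFILE% folder to check a machine. The entropy test is only meaningful for plain-text-like documents, since already-compressed formats (images, archives, Office files) score high even when untouched.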
Remove this ransomware