Threat Database Ransomware DetoxCrypto Ransomware

DetoxCrypto Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Ranking: 6,208
Threat Level: 100 % (High)
Infected Computers: 1,986
First Seen: August 22, 2016
Last Seen: September 18, 2023
OS(es) Affected: Windows

The DetoxCrypto Ransomware is an encryption ransomware Trojan that, as part of its attack, takes advantage of the hugely popular mobile game Pokemon GO. New variants of the DetoxCrypto Ransomware, first observed in August of 2016, include one themed after the popular game and one that has been named the 'Calipso version' of this threat. The DetoxCrypto Ransomware recycles large parts of the code and is very similar to other ransomware Trojans. However, the DetoxCrypto Ransomware is a new type of ransomware infection that computer users will need to be on the lookout for. It is very likely that new versions of the DetoxCrypto Ransomware will appear in the future.

The DetoxCrypto Ransomware Intoxicates Your Files

The earliest version of the DetoxCrypto Ransomware uses images from the Pokemon GO game in the ransom note that it displays on the infected computer's Desktop. This version of the DetoxCrypto Ransomware replaces the victim's desktop wallpaper image with its ransom note. A second version of the DetoxCrypto Ransomware, discovered only a day later, uses a ransom note that does not include the Pokemon GO imagery and includes an interesting feature. This later version of the DetoxCrypto Ransomware, named DetoxCrypto Ransomware (Calipso Version) has the capacity of taking a screenshot of the victim's Desktop when it first runs on the infected computer.

Both versions of the DetoxCrypto Ransomware are nearly identical; they first infect the victim's computer contained in an EXE file, which delivers four different files to the victim's computer. The following are the four files that have been linked to the DetoxCrypto Ransomware attack:

  1. The first file related to the DetoxCrypto Ransomware is the image file that is used to replace the victim's Desktop wallpaper image. In the case of earlier versions of the DetoxCrypto Ransomware, this image is related to the Pokemon GO game.
  2. The second of these files contains audio content, which is played in the background when the DetoxCrypto Ransomware ransom note is displayed on the infected computer.
  3. The DetoxCrypto Ransomware's actual file encryption process is carried out by a file named MicrosoftHost.exe. There is no relationship between this file or the DetoxCrypto Ransomware with Microsoft. Rather, this name is used to mislead computer users that check their Task Manager, since the file process will blend in with legitimate Microsoft and Windows memory processes.
  4. The fourth file linked to the DetoxCrypto Ransomware attack is a second executable file named either Calipso.exe or Pokemon.exe (depending on the version of the DetoxCrypto Ransomware attack) which displays the DetoxCrypto Ransomware's ransom note in an independent window while playing the audio file in the background.

The DetoxCrypto Ransomware may be the First Version of Its Kind

The DetoxCrypto Ransomware ransom note instructs computer users to contact the con artists using email, rather than using a TOR based payment method. The fact that two versions of the DetoxCrypto Ransomware were detected in such a short span of time could point either to a threat developer that is creating new versions of the DetoxCrypto Ransomware with new features, or configuration methods are being added. One reason why this is unlikely is the stark difference in the two methods of the attack. One is themed around Pokemon GO and uses fun, childish music. The other takes screenshots in the background and uses an audio file that reads out loud a ransom note that is worded more threateningly. One theory that could explain the DetoxCrypto Ransomware phenomenon is that these two versions of the DetoxCrypto Ransomware could belong to a new Ransomware as a Service (RaaS) that may have just begun to offer its services. In these services, con artists can purchase ransomware threats like the DetoxCrypto Ransomware that are customized to their specifications and managed by a party different to the one doing the distribution.

SpyHunter Detects & Remove DetoxCrypto Ransomware


DetoxCrypto Ransomware may create the following directory or directories:



Most Viewed