How to create your Own Ransomware in 3 steps Using TOX


In the criminal underground it is easy to find malware-construction kits that let anyone build malicious code from existing templates, in some cases starting from legitimate applications. A new trend, uncovered by an investigation by experts at McAfee, is an easy-to-use ransomware builder. This family of malware is becoming ever more popular in the criminal ecosystem, and crooks are trying to seize the opportunity.

The ransomware-construction kit, dubbed Tox, has been available for free on the Dark Web since May 19. The onion address of the website that offers it is

“toxicola7qwv37qj.onion”


“We developed a virus which, once opened in a Windows OS, encrypts all the files. Once this process is completed, it displays a message asking to pay a ransom to a bitcoin address to unlock the files. ” states the presentation of Tox available on the home page.

A user interested in Tox can subscribe to the service and create their own virus. The authors explain that building a ransomware takes only a few simple steps:

  • Decide the ransom amount.
  • Enter your “cause.”
  • Submit the captcha

(Screenshot: the Tox configuration screen)

The creators of Tox take a percentage of the ransom paid by the victims; they promise anonymity for both payments and malware delivery through Bitcoin and the Tor network. The authors of Tox also claim that the detection rate for the viruses generated by the platform is very low.

“Once you have downloaded your virus, you have to infect people (yes, you can spam the same virus to more people). How? That’s your part. The most common practice is to spam it as a mail attachment. If you decide to follow this method be sure to zip the file to prevent antivirus and antispam detection.” reads the official website.
“The most important part: the bitcoin paid by the victim will be credited to your account. We will just keep a 30% fee of the income, so if you specify a 100$ ransom, you will get 70$ and we’ll get 30$, isn’t this fair?”

The key features of Tox are:

  • Tox is free. You just have to register on the site.
  • Tox depends on Tor and Bitcoin, which gives its users some degree of anonymity.
  • The malware works as advertised.
  • Out of the gate, the standard of antimalware evasion is fairly high, meaning the malware’s targets would need additional controls in place (HIPS, whitelisting, sandboxing) to catch or prevent it.

The crime-as-a-service model implemented by the Tox author is as simple as it is effective: the malware builder generates an executable of about 2MB that is disguised as a .scr (screen saver) file, which Windows runs exactly like a .exe.

(Screenshot: the Tox download page for the generated virus file)

Tox subscribers can distribute the file as they prefer, while the Tox hidden service tracks every installation and the related profit. Tox customers receive their funds directly at the Bitcoin address they provided when they subscribed.

“Upon execution, the malware encrypts the victims’ data and prompts them for the ransom, including the Bitcoin address for sending payment.” states McAfee.

The experts at McAfee noted that the malware appears to lack complexity and polish: the developer has left several identifying strings within the code.

“Tox-generated malware is compiled in MinGW and uses AES to encrypt client files via the Crypto++ library. The Microsoft CryptoAPI is used for key generation.”

On first run, the Tox virus downloads the components it needs to operate: Curl and the Tor client. That initial download is itself a detection point, since a freshly opened "document" fetching a Tor client is not something a legitimate attachment does.
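The traits described above (a .scr executable hiding behind a document-like name, delivered inside a zip to slip past mail filters, built with MinGW and linking Crypto++) can be turned into a simple triage check for incoming attachments. The following Python script is an added example, not code from the article, from McAfee or from Tox: it unpacks a zipped attachment, flags executable extensions, document-style double extensions and a PE "MZ" header hidden behind a non-executable extension, and scans the bytes for toolchain residue. The suspect string list (mingw, crypto++, cryptopp, libcurl) is an assumption based on the McAfee description rather than strings confirmed from a real sample, and the zip it inspects is constructed inline.

```python
import io
import zipfile

# Extensions Windows executes as programs. ".scr" (screen saver) is a plain PE
# executable, which is exactly why the Tox builder uses it.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com"}
# Document extensions a builder may place in front of the real one ("Invoice.docx.scr").
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf"}
# Toolchain/library residue to scan for. Assumption for this example: a MinGW build
# that links Crypto++ and bundles libcurl carries these substrings; tune on real samples.
SUSPECT_STRINGS = (b"mingw", b"crypto++", b"cryptopp", b"libcurl")


def inspect_member(name: str, data: bytes) -> list:
    """Return human-readable findings for one attachment (empty list = nothing odd)."""
    findings = []
    base = name.rsplit("/", 1)[-1].lower()
    pieces = base.split(".")
    ext = "." + pieces[-1] if len(pieces) > 1 else ""
    inner = "." + pieces[-2] if len(pieces) > 2 else ""

    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension {ext}")
    if inner in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        findings.append(f"double extension {inner}{ext} mimicking a document")
    # Check content, not just the name: a renamed PE still starts with "MZ".
    if data[:2] == b"MZ":
        findings.append("PE signature (MZ) in content")
        if ext not in EXECUTABLE_EXTS:
            findings.append("PE content behind a non-executable extension")
    lowered = data.lower()
    hits = [s.decode() for s in SUSPECT_STRINGS if s in lowered]
    if hits:
        findings.append("suspect strings: " + ", ".join(hits))
    return findings


def inspect_zip(zip_bytes: bytes) -> dict:
    """Walk a zipped attachment (as sent by mail) and inspect every member."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Read at most 4 MiB per member; zip bombs are a separate control.
            with zf.open(info) as fh:
                data = fh.read(4 * 1024 * 1024)
            report[info.filename] = inspect_member(info.filename, data)
    return report


def build_sample_zip() -> bytes:
    """Constructed test input, not a real Tox sample: a fake PE carrying the kind
    of strings the article describes, plus a harmless text file."""
    fake_pe = (
        b"MZ\x90\x00" + b"\x00" * 64
        + b"Mingw-w64 runtime" + b"\x00" * 16
        + b"Crypto++ library" + b"\x00" * 16
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice.docx.scr", fake_pe)
        zf.writestr("notes.txt", b"just text")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in inspect_zip(build_sample_zip()).items():
        verdict = "FLAG" if findings else "ok"
        print(f"{verdict:4} {member}: {'; '.join(findings) or '-'}")
```

The content check matters more than the name check: the Tox FAQ itself points out that renaming the file to .exe changes nothing, and the reverse rename (to .pdf or .docx) would defeat an extension-only filter while the "MZ" header still gives it away.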

The experts expect many other threat actors to adopt this sales model; they also expect malware authors to improve the evasion capabilities of their malicious agents and to encrypt the malware’s traffic.

FAQ (as published on the Tox website):

What is Tox?

We developed a virus which, once opened in a Windows OS, encrypts all the files.
Once this process is completed, it displays a message asking to pay a ransom to a bitcoin address to unlock the files.

How do I make money with Tox?

You can subscribe (no mail or other shit needed) and create your virus. You will have to decide the ransom to unlock the files.
Once you have downloaded your virus, you have to infect people (yes, you can spam the same virus to more people). How? That’s your part. The most common practice is to spam it as a mail attachment. If you decide to follow this method be sure to zip the file to prevent antivirus and antispam detection.
The most important part: the bitcoin paid by the victim will be credited to your account. We will just keep a 30% fee of the income, so if you specify a 100$ ransom, you will get 70$ and we’ll get 30$, isn’t this fair?

Are you serious?

Yes, why not? This is the best way for us to infect a lot of people and make a lot of money.

Am I safe?

Sure, as long as you use tor and don’t use personally identifiable information: we don’t need to know you, and you don’t need to know us. The only thing we’ll ask you is the bitcoin address to withdraw your part.

Are you going to steal my profit?

Nope, why should we? The best way for us to make money is having you helping us.

Then why aren’t you spreading the virus yourself?

We are! But with you, we’re going to have a bigger income.

Why is the file a .scr?

Because in this way people will not suspect anything (who knows what is a .scr?). If you wish, you can change it to .exe; it’ll work the same.

How does the virus look?

Sexy. The virus has a .scr extension (same as .exe files) and it has the icon of a Word document, so the victim won’t be suspecting anything.

Will you actually decrypt the files once the ransom is paid?

Yes, we will. We want people to trust us, so that more people will pay the ransom.

How do I withdraw the money?

In the virus section you can monitor the status of all your viruses. When you have bitcoins to withdraw, just enter your address and press the Withdraw button.
