Tox ransomware platform builder is now available for sale

The owner of the Tox ransomware builder is offering for sale the platform worried by its popularity. He confirmed that he will pay ransoms to his customers.

The owner of the famous Tox ransomware has decided that it was time to sell the platform, this after all popularity reached by its platform.

The Tox platform first emerged from investigation by experts at McAfee, it is a sort of easy to use Ransomware builder, this family of malware is becoming even more popular in the criminal ecosystem and crooks are trying to capture this opportunity.

The ransomware-construction kits, dubbed Tox, is available online for free in the Dark Web since May 19. The onion address of the website that offers it is:

toxicola7qwv37qj.onion

The creators of Tox request a percentage of the amount paid as ransom by the victims, they ensure the anonymity of payments and malware transfer through Bitcoin and Tor network. The authors of Tox ensure that the detection rate for the viruses generated by the platform is very low.Tox ensure that the detection rate for the viruses generated by the platform is very low.

“Once you have downloaded your virus, you have to infect people (yes, you can spam the same virus to more people). How? That’s your part. The most common practice to spam it as a mail attachment. If you decide to follow this method be sure to zip the file to prevent antivirus and antispam detection.” is reported on the official website.
“The most important part: the bitcoin paid by the victim will be credited to your account. We will just keep a 30% fee of the income, so if you specify a 100$ ransom, you will get 70$ and we’ll get 30$, isn’t this fair?”

The key feature for Tox are:

• Tox is free. You just have to register on the site.
• Tox is dependent on TOR and Bitcoin. That allows for some degree of anonymity.
• The malware works as advertised.
• Out of the gate, the standard of antimalware evasion is fairly high, meaning the malware’s targets would need additional controls in place (HIPS, whitelisting, sandboxing) to catch or prevent this.antimalware evasion is fairly high, meaning the malware’s targets would need additional controls in place (HIPS, whitelisting, sandboxing) to catch or prevent this.

The crime-as-a-service model implemented by Tox author is simple as effective, the malware builder generates an executable of about 2MB that is disguised as a .scr file, the principal advantages for Tox users is the adoption of Tor network and a user friendly administration console. A few steps are enough to personalize a ransomware.

Security experts and the principal security firms start following with interest Tox, the platform is considered a “BIG STAR,” after McAfee published an article on it. The platform started registering thousands of users, and the infections has grown even more, what made the owner of the platform publishing the following message in pastebin:

” Even before the website was ready to host users, the McAfee blog was featuring the article about this platform. The number of the users started growing. From 20 to 50, from 50 to 100, it was doubling every day. Infections, with a little delay, started growing too. In just one week, the platform counted over one thousand users and over one thousand infections, with an average of more than two hundred of polling viruses per half-hour. Yesterday, 2nd June 2015, I decided to quit. Plan A was to stay quiet and hidden. Well, I think I screwed up. It’s been funny, I felt alive, more than ever, but I don’t want to be a criminal. The situation is also getting too hot for me to handle, and (sorry to ruin your expectations) I’m not a team of hard core hackers. I’m just a teenager student.”

He also confirmed his intention to sell the platform and to return ransoms to his customers.

“I’m selling all this out because even if I didn’t, somebody would have developed his own Tox-like version. I’m asking my users to be patient, I’m not going to scam you. In a few days I’ll ask you a bitcoin address in the case somebody pays some of your ransoms. I’ll forward you your part. If nobody’s going to buy the database, in one month I’m releasing the keys, and victims will have their files automatically unlocked. My choices are not linked to the recent external events, I pondered all these choices on my own, for my own good.”

Let’s wait to see what will happen in the next weeks, the unique certainly is that many other platform adopting a similar  model of sale will appear in the criminal underground.

About the Author Elsio Pinto

Edited by Pierluigi Paganini

(Security Affairs –  Tox, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]