The owner of the famous Tox ransomware has decided that it was time to sell the platform, this after all popularity reached by its platform.
The Tox platform first emerged from investigation by experts at McAfee, it is a sort of easy to use Ransomware builder, this family of malware is becoming even more popular in the criminal ecosystem and crooks are trying to capture this opportunity.
The ransomware-construction kits, dubbed Tox, is available online for free in the Dark Web since May 19. The onion address of the website that offers it is:
The creators of Tox request a percentage of the amount paid as ransom by the victims, they ensure the anonymity of payments and malware transfer through Bitcoin and Tor network. The authors of Tox ensure that the detection rate for the viruses generated by the platform is very low.Tox ensure that the detection rate for the viruses generated by the platform is very low.
“Once you have downloaded your virus, you have to infect people (yes, you can spam the same virus to more people). How? That’s your part. The most common practice to spam it as a mail attachment. If you decide to follow this method be sure to zip the file to prevent antivirus and antispam detection.” is reported on the official website.
“The most important part: the bitcoin paid by the victim will be credited to your account. We will just keep a 30% fee of the income, so if you specify a 100$ ransom, you will get 70$ and we’ll get 30$, isn’t this fair?”
The key feature for Tox are:
The crime-as-a-service model implemented by Tox author is simple as effective, the malware builder generates an executable of about 2MB that is disguised as a .scr file, the principal advantages for Tox users is the adoption of Tor network and a user friendly administration console. A few steps are enough to personalize a ransomware.
Security experts and the principal security firms start following with interest Tox, the platform is considered a “BIG STAR,” after McAfee published an article on it. The platform started registering thousands of users, and the infections has grown even more, what made the owner of the platform publishing the following message in pastebin:
” Even before the website was ready to host users, the McAfee blog was featuring the article about this platform. The number of the users started growing. From 20 to 50, from 50 to 100, it was doubling every day. Infections, with a little delay, started growing too. In just one week, the platform counted over one thousand users and over one thousand infections, with an average of more than two hundred of polling viruses per half-hour. Yesterday, 2nd June 2015, I decided to quit. Plan A was to stay quiet and hidden. Well, I think I screwed up. It’s been funny, I felt alive, more than ever, but I don’t want to be a criminal. The situation is also getting too hot for me to handle, and (sorry to ruin your expectations) I’m not a team of hard core hackers. I’m just a teenager student.”
He also confirmed his intention to sell the platform and to return ransoms to his customers.
“I’m selling all this out because even if I didn’t, somebody would have developed his own Tox-like version. I’m asking my users to be patient, I’m not going to scam you. In a few days I’ll ask you a bitcoin address in the case somebody pays some of your ransoms. I’ll forward you your part. If nobody’s going to buy the database, in one month I’m releasing the keys, and victims will have their files automatically unlocked. My choices are not linked to the recent external events, I pondered all these choices on my own, for my own good.”
Let’s wait to see what will happen in the next weeks, the unique certainly is that many other platform adopting a similar model of sale will appear in the criminal underground.
About the Author Elsio Pinto
(Security Affairs – Tox, ransomware)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.