ToxCrypt Ransomware – Remove It and Restore Your .toxcrypt Encrypted Files

A virus-encoding program, also known as ransomware, called ToxCrypt is continuing to spread its malicious data across the web. The virus aims to scare infected users into paying the ransom by presenting itself as a toxic menace and by using AES and Crypto++ mechanisms to encrypt files. In return for access to the user’s files, the ransom note of ToxCrypt demands a payoff of around 0.23 BTC. Users infected with this virus are strongly advised not to pay any ransom money and instead to remove ToxCrypt using an advanced anti-malware program. For the recovery of the files, it is advisable to try alternative methods like the ones described below and see if they work before attempting any other solutions.

Threat Summary

Name: ToxCrypt
Type: Ransomware
Short Description: The ransomware encrypts files with the AES cipher and asks a ransom of 50% for decryption.
Symptoms: Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom shows in a newly installed Tor browser.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks.
Detection Tool: See If Your System Has Been Affected by ToxCrypt


User Experience: Join our forum to Discuss ToxCrypt Ransomware.

ToxCrypt Ransomware – Spread

In order to spread widely across computers, the ToxCrypt virus-encoder may exploit the biggest weakness in a computer – the user. There are many inexperienced users who may have become infected by clicking on malicious URLs associated with the ToxCrypt crypto-virus. Such URLs tend to lead to JavaScript or exploit kit attacks, which show a rapid growth in association with ransomware infections.

But this doesn't exclude the possibility that the virus is directly distributed via malicious attachments in spam e-mail messages, which may impersonate a service or a person familiar to the user.

ToxCrypt Ransomware Viewed In Detail

Once executed as a process on your computer, ToxCrypt’s payload is reported to be associated with multiple files in the %AppData% Windows directory:

→ Microsoft\Windows\Start Menu\Programs\Startup\tox.html
Microsoft\Windows\Start Menu\Programs\Startup\Tox.scr
\tor\
tor\cached-certs
tor\cached-microdesc-consensus
tor\cached-microdescs.new
tor\lock
tor\state
tox.log
tox_tor\
tox_tor\Data\
tox_tor\Data\Tor\
tox_tor\Data\Tor\geoip
tox_tor\Data\Tor\geoip6
tox_tor\Tor\
tox_tor\Tor\libeay32.dll
tox_tor\Tor\libevent-2-0-5.dll
tox_tor\Tor\libevent_core-2-0-5.dll
tox_tor\Tor\libevent_extra-2-0-5.dll
tox_tor\Tor\libgcc_s_sjlj-1.dll
tox_tor\Tor\libssp-0.dll
tox_tor\Tor\ssleay32.dll
tox_tor\Tor\tor.exe
tox_tor\Tor\zlib1.dll
tox_tor\tor.zip

The files associated with the Tor network may be helper modules that let the infected machine communicate with the cyber-crooks. In addition to creating those files, ToxCrypt ransomware begins the encryption process. It scans for and enciphers files with the following file extensions:

.txt, .odt, .ods, .odp, .odm, .odb, .doc, .docx, .docm, .wps, .xls, .xlsx, .xlsm, .xlsb, .xlk, .ppt, .pptx, .pptm, .mdb, .accdb, .pst, .dwg, .dxf, .dxg, .wpd, .indd, .cdr, .jpg, .jpe, .jpeg, .dng, .3fr, .arw, .mef, .mrw, .nef, .nrw, .orf, .raf, .raw, .rwl, .rw2, .r3d, .ptx, .pef, .srw, .x3f, .der, .cer, .rtf, .wb2, .mdf, .dbf, .psd, .pdd, .eps, .ai, .crt, .pem, .pfx, .p12, .p7b, .p7c, .pdf, .odc, .srf, .sr2, .bay, .crw, .cr2, .dcr, .kdc, .erf, .png, .xml, .sql, .php, .asp, .aspx, .js, .css, .cs, .cpp, .hpp, .java, .class, .py, .pl, .veg, .aep, .aepx, .blend, .prproj, .cad, .tif, .sitx, .sit, .rmvb, .bmp, .pps, .pub, .qbb, .swf, .asf, .dss, .qxd, .3gp, .cdl, .mswmm, .ss, .eml, .csv

Source: Amigo A

For the encryption process, ToxCrypt uses two mechanisms. One is the notorious AES cipher, which is practically impossible to brute-force unless there is a security hole in ToxCrypt’s encryptor; the other is a mode built on the Crypto++ library, which provides multiple ciphers and further complicates the situation.

The encrypted files are no longer accessible and carry the .toxcrypt file extension, for example:

→ New Text Document.txt.toxcrypt
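As an added defender-side example (not from the original article), the following Python script checks a profile directory for the dropped files listed above and for files carrying the .toxcrypt extension. It assumes the article's paths are relative to %AppData%, and it builds a constructed sample tree so it runs offline on any host.

```python
import os
import tempfile

# Dropped files the article attributes to ToxCrypt, relative to %AppData%.
# The two Startup entries give the ransomware persistence at user logon.
TOXCRYPT_ARTIFACTS = [
    r"Microsoft\Windows\Start Menu\Programs\Startup\tox.html",
    r"Microsoft\Windows\Start Menu\Programs\Startup\Tox.scr",
    r"tox.log",
    r"tox_tor\Tor\tor.exe",
    r"tox_tor\tor.zip",
]
ENCRYPTED_SUFFIX = ".toxcrypt"


def find_artifacts(appdata):
    """Return the known dropped-file paths that exist under appdata."""
    found = []
    for rel in TOXCRYPT_ARTIFACTS:
        # Split on backslashes so the check also works on a POSIX analysis host.
        if os.path.exists(os.path.join(appdata, *rel.split("\\"))):
            found.append(rel)
    return found

def find_encrypted(root):
    """Walk root and return every file carrying the .toxcrypt extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files
                    if f.lower().endswith(ENCRYPTED_SUFFIX))
    return sorted(hits)

def build_sample():
    """Constructed, throwaway tree mimicking an infected profile (not real data)."""
    base = tempfile.mkdtemp(prefix="toxcrypt-demo-")
    for rel in (TOXCRYPT_ARTIFACTS[0], TOXCRYPT_ARTIFACTS[3]):
        full = os.path.join(base, *rel.split("\\"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    docs = os.path.join(base, "Documents")
    os.makedirs(docs)
    for name in ("New Text Document.txt.toxcrypt", "notes.txt"):
        open(os.path.join(docs, name), "w").close()
    return base

if __name__ == "__main__":
    sample = build_sample()
    print("dropped files:", find_artifacts(sample))
    print("encrypted files:", find_encrypted(sample))
```

On a real Windows machine, pass the value of the APPDATA environment variable to find_artifacts and the user profile root to find_encrypted; a non-empty result from either is grounds to isolate the host before cleanup.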

After encrypting the files of unsuspecting users, the ransomware may then open the custom Tor browser it has installed in the %AppData% directory with a web link pointing directly at its service. There, the user immediately finds the following ransom instructions:

[Image: ToxCrypt main ransom message]

Not only this, but the audacity of the crooks behind ToxCrypt ransomware is so great that they propose that their victims join them and keep spreading the virus, promising a percentage of the profit:

[Image: ToxCrypt "help us spread the virus" page]

Besides this, the crooks have also created a private live-messaging service, allowing them to chat anonymously and in real time with anyone whose PC got infected with ToxCrypt.

[Image: ToxCrypt live chat page]

ToxCrypt Ransomware – Conclusion, Removal and File Reverting

The bottom line for ToxCrypt is that it is focused primarily on spreading to more and more computers, and it even tries to corrupt average users into its scheme. Even though the $50 ransom may seem tempting if your files are important, we strongly advise against paying it and thereby helping the cyber-criminals spread.

Instead, you can successfully remove ToxCrypt from your computer by using the instructions below. They allow you to methodically find the files associated with ToxCrypt and remove them. However, be advised that ToxCrypt may create additional files and modify the Windows Registry. This is why, for maximum effectiveness, experts advise using an advanced anti-malware tool, which will help remove the threat safely.

To restore the data, there is so far no direct solution. However, we advise you to try the alternatives in step “3. Restore files encrypted by ToxCrypt” below. They are not a 100% guarantee, but there is a small chance you may recover some of your old data, especially if your backup wasn’t affected by ToxCrypt Ransomware.

Manually delete ToxCrypt from your computer

Note! Important notice about the ToxCrypt threat: Manual removal of ToxCrypt requires interference with system files and registry entries, and can therefore cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove ToxCrypt files and objects
2. Find malicious files created by ToxCrypt on your PC
3. Fix registry entries created by ToxCrypt on your PC

Automatically remove ToxCrypt by downloading an advanced anti-malware program

1. Remove ToxCrypt with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by ToxCrypt in the future
3. Restore files encrypted by ToxCrypt
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with a passion for discovering new shifts and innovations in cyber security. A strong believer in basic online-safety education for every user.
