Tox (also found as Tox virus) is a ransomware-as-a-service kit: anyone can sign up on a Tor hidden service called Tox – Virus, build their own copy of the ransomware and distribute it for their own ends. That sets it apart from most ransomware of its time, because the people spreading it need no malware-writing skill; the affiliates include amateurs who may bite off more than they can chew.
On the criminal side it works like this: a would-be affiliate visits the Tor site, registers, creates a profile (which doubles as an identity for chatting with other affiliates), generates their own Tox build, and then spreads it inside malicious files, hoping that victims will pay the US$50 ransom in bitcoin. The site's developer keeps 30% of each ransom payment and the affiliate receives 70%.
Tox is commonly distributed as an email spam attachment posing as a Word document. The attachment carries a Word icon but is actually an executable with the .scr (screensaver) extension. Once it runs, it writes the Tox payload and a bundled Tor client (tor.exe and its DLLs, unpacked from tor.zip) under C:\Users\<user>\AppData\Roaming\ on the infected computer; the two entries it places in the Startup folder relaunch the ransomware and the ransom note at every logon. The dropped files are:
- %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\tox.html
- %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\Tox.scr
- %AppData%\tor\
- %AppData%\tor\cached-certs
- %AppData%\tor\cached-microdesc-consensus
- %AppData%\tor\cached-microdescs.new
- %AppData%\tor\lock
- %AppData%\tor\state
- %AppData%\tox.log
- %AppData%\tox_tor\
- %AppData%\tox_tor\Data\
- %AppData%\tox_tor\Data\Tor\
- %AppData%\tox_tor\Data\Tor\geoip
- %AppData%\tox_tor\Data\Tor\geoip6
- %AppData%\tox_tor\Tor\
- %AppData%\tox_tor\Tor\libeay32.dll
- %AppData%\tox_tor\Tor\libevent-2-0-5.dll
- %AppData%\tox_tor\Tor\libevent_core-2-0-5.dll
- %AppData%\tox_tor\Tor\libevent_extra-2-0-5.dll
- %AppData%\tox_tor\Tor\libgcc_s_sjlj-1.dll
- %AppData%\tox_tor\Tor\libssp-0.dll
- %AppData%\tox_tor\Tor\ssleay32.dll
- %AppData%\tox_tor\Tor\tor.exe
- %AppData%\tox_tor\Tor\zlib1.dll
- %AppData%\tox_tor\tor.zip
Once a computer is infected, the victim loses access to their personal files: the malware encrypts them and each encrypted file gains the .toxcrypt extension. Tox then opens an HTML ransom note in the default web browser that explains how to pay the US$50 ransom, how to buy bitcoin, and how to ‘work with them’, that is, how to become an affiliate and help spread the virus.
Files with the following extensions are encrypted by Tox and gain the .toxcrypt extension:
.txt, .odt, .ods, .odp, .odm, .odb, .doc, .docx, .docm, .wps, .xls, .xlsx, .xlsm, .xlsb, .xlk, .ppt, .pptx, .pptm, .mdb, .accdb, .pst, .dwg, .dxf, .dxg, .wpd, .indd, .cdr, .jpg, .jpe, .jpeg, .dng, .3fr, .arw, .mef, .mrw, .nef, .nrw, .orf, .raf, .raw, .rwl, .rw2, .r3d, .ptx, .pef, .srw, .x3f, .der, .cer, .rtf, .wb2, .mdf, .dbf, .psd, .pdd, .eps, .ai, .crt, .pem, .pfx, .p12, .p7b, .p7c, .pdf, .odc, .srf, .sr2, .bay, .crw, .cr2, .dcr, .kdc, .erf, .png, .xml, .sql, .php, .asp, .aspx, .js, .css, .cs, .cpp, .hpp, .java, .class, .py, .pl, .veg, .aep, .aepx, .blend, .prproj, .cad, .tif, .sitx, .sit, .rmvb, .bmp, .pps, .pub, .qbb, .swf, .asf, .dss, .qxd, .3gp, .cdl, .mswmm, .ss, .eml, .csv
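A practitioner responding to a Tox infection wants a quick way to confirm the drop list above and to see what the .toxcrypt renaming hit. The PowerShell below is an added example, not code from the original article or from the malware: it checks the fixed paths from the drop list, looks for a tor.exe running out of the Roaming profile, and tallies encrypted files by their original extension. It assumes the .toxcrypt suffix is appended to the original file name (so report.docx becomes report.docx.toxcrypt); the function name, parameter defaults and output layout are this example's own choices.

```powershell
# Added example, not code from the original article. Run as the affected user, or from a
# clean admin account with -AppData pointed at the victim's Roaming folder.
# Assumption: encrypted files keep their name and gain a trailing .toxcrypt suffix.
function Get-ToxIndicators {
    [CmdletBinding()]
    param(
        [string]$AppData  = $env:APPDATA,        # Roaming profile to inspect
        [string]$ScanRoot = $env:USERPROFILE     # tree to search for .toxcrypt files
    )

    $startup = Join-Path $AppData 'Microsoft\Windows\Start Menu\Programs\Startup'

    # Persistence entries plus the bundled Tor client, taken from the drop list above.
    $paths = @(
        (Join-Path $startup 'Tox.scr'),
        (Join-Path $startup 'tox.html'),
        (Join-Path $AppData 'tox.log'),
        (Join-Path $AppData 'tox_tor\tor.zip'),
        (Join-Path $AppData 'tox_tor\Tor\tor.exe'),
        (Join-Path $AppData 'tor\state')
    )

    $dropped = foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { continue }
        $item = Get-Item -LiteralPath $p -Force
        [pscustomobject]@{
            Path    = $p
            Bytes   = $item.Length
            Written = $item.LastWriteTime
            Sha256  = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
    }

    # A tor.exe running out of the Roaming profile means the payload is still live.
    $tor = Get-Process -Name tor -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and $_.Path -like (Join-Path $AppData 'tox_tor\*') } |
        Select-Object Id, Path, StartTime

    # Encrypted files keep their name and gain a .toxcrypt suffix, so the original
    # extension is whatever is left once that suffix is removed (BaseName strips it).
    $encrypted = Get-ChildItem -LiteralPath $ScanRoot -Recurse -File -Force `
        -Filter '*.toxcrypt' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DroppedFiles   = @($dropped)
        TorProcesses   = @($tor)
        EncryptedFiles = @($encrypted)
        ByExtension    = @($encrypted |
            Group-Object { [IO.Path]::GetExtension($_.BaseName).ToLower() } |
            Sort-Object Count -Descending |
            Select-Object Name, Count)
    }
}

$r = Get-ToxIndicators
$r.DroppedFiles | Format-Table Path, Bytes, Written, Sha256 -AutoSize
$r.TorProcesses | Format-Table -AutoSize
'{0} .toxcrypt file(s) found under {1}' -f $r.EncryptedFiles.Count, $env:USERPROFILE
$r.ByExtension | Format-Table -AutoSize
```

The SHA-256 values and LastWriteTime of the Startup entries are worth recording before removal: the hash identifies which affiliate build hit the machine, and the timestamp bounds when the infection started, which matters when choosing a shadow copy to restore from.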
One point in the victim's favour is that Tox does not delete Volume Shadow Copies, so, provided System Protection was enabled and a shadow copy exists from before the infection, earlier versions of the encrypted files can be restored with a tool such as Shadow Explorer or directly from the snapshot. Many other encrypting ransomware families are more aggressive and wipe the shadow copies (typically with vssadmin) before they start encrypting, which leaves only offline backups for recovering data.
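The shadow-copy recovery described above can be done from an elevated PowerShell without a third-party tool. This is an added example, not the article's or the malware's code. It assumes C:\ is the encrypted volume, that a shadow copy created before the infection exists, and that encrypted files are the originals with .toxcrypt appended; the link path C:\vss_restore, the recovery folder D:\recovered and the function names are hypothetical choices made here.

```powershell
# Added example, not code from the original article. Assumes: elevated PowerShell,
# C:\ is the encrypted volume, and a shadow copy created before the infection exists.
# C:\vss_restore (symlink) and D:\recovered are hypothetical names chosen for this example.

function Mount-LatestShadowCopy {
    param(
        [string]$Volume   = 'C:\',
        [string]$LinkPath = 'C:\vss_restore'
    )
    # Win32_ShadowCopy lists the same snapshots as 'vssadmin list shadows';
    # Tox leaves them in place.
    $vol  = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $Volume.TrimEnd('\') }
    $snap = Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        Sort-Object InstallDate -Descending |
        Select-Object -First 1
    if (-not $snap) { throw "No shadow copy found for $Volume" }

    # DeviceObject looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3; a directory
    # symlink to it (trailing backslash required) makes the snapshot browsable like a folder.
    cmd /c mklink /d $LinkPath "$($snap.DeviceObject)\" | Out-Null
    [pscustomobject]@{ Link = $LinkPath; SnapshotTime = $snap.InstallDate; Device = $snap.DeviceObject }
}

function Restore-ToxcryptOriginals {
    param(
        [Parameter(Mandatory)][string]$ShadowLink,   # link from Mount-LatestShadowCopy
        [Parameter(Mandatory)][string]$LiveFolder,   # e.g. C:\Users\alice\Documents
        [Parameter(Mandatory)][string]$RecoveryRoot, # e.g. D:\recovered (never the live tree)
        [string]$Volume = 'C:\'
    )
    $restored = 0
    $missing  = New-Object System.Collections.Generic.List[string]

    foreach ($f in Get-ChildItem -LiteralPath $LiveFolder -Recurse -File -Filter '*.toxcrypt') {
        $original = $f.BaseName                                  # drops only the .toxcrypt suffix
        $relDir   = $f.DirectoryName.Substring($Volume.Length)   # path relative to the volume root
        $src      = Join-Path (Join-Path $ShadowLink $relDir) $original
        if (Test-Path -LiteralPath $src -PathType Leaf) {
            $dstDir = Join-Path $RecoveryRoot $relDir
            New-Item -ItemType Directory -Path $dstDir -Force | Out-Null
            # Copy out of the snapshot into the recovery tree; the encrypted file is left untouched.
            Copy-Item -LiteralPath $src -Destination (Join-Path $dstDir $original)
            $restored++
        } else {
            $missing.Add($f.FullName)       # file was created or renamed after the snapshot
        }
    }
    [pscustomobject]@{ Restored = $restored; NotInSnapshot = $missing.ToArray() }
}

$mount = Mount-LatestShadowCopy
"Using snapshot from $($mount.SnapshotTime) via $($mount.Link)"
Restore-ToxcryptOriginals -ShadowLink $mount.Link -LiveFolder "$env:USERPROFILE\Documents" -RecoveryRoot 'D:\recovered'
```

Check SnapshotTime against the infection time before trusting the result: a snapshot taken after encryption only contains .toxcrypt files. Recovered files go to a separate folder rather than over the live tree, so nothing is lost if the snapshot turns out to be the wrong one. When finished, remove the link with `cmd /c rmdir C:\vss_restore`, which deletes the symlink but not the snapshot behind it.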
Tox ransom note example
Attention
The files in your PC are now encrypted. The only way to have them back, is to pay a ransom of 50.00$.
How to pay
You have to pay the ransom in bitcoins to the address XXX which has been reserved for you. Please note that the value of bitcoin is unstable and may change in the near future. The current amount of bitcoin to pay is 0.23 bitcoins (worth 50.00$).
How does Tox virus get onto a computer?
As noted above, Tox has been spreading mainly through email spam attachments, but the malicious files used to launch the ransomware and encrypt personal files can also turn up elsewhere on the web, including social media links, chat rooms, torrents and other downloads. A contact whose account or machine is already compromised may also send you the bogus file directly, so a familiar sender is no guarantee that an attachment is safe.
How to remove Tox (Removal Instructions)
We recommend writing down the toll-free number below in case you run into problems while removing this infection. Our technicians will assist you.
Virus Removal Helpline
Call 1-888-986-8411
1. Download and install the free or full version of Malwarebytes Anti-Malware. The full version adds real-time protection that blocks malware and unwanted programs before they run; the free version is an on-demand scanner and removal tool.
Download Malwarebytes Free: https://store.malwarebytes.org/342/cookie?affiliate=23046&redirectto=http%3a%2f%2fdownloads.malwarebytes.org%2ffile%2fmbam%2f&redirecthash=79CD12ECAB939D32967B5D05C6C86E32
Buy Premium Now: https://store.malwarebytes.org/342/?affiliate=23046&scope=checkout&cart=139724
2. Open the Malwarebytes Anti-Malware program.
3. Click the large Scan Now button or visit the “Scan” tab to manually run a scan.
4. Once the malware scan is complete, click the Remove Selected button and reboot your computer.
Ransomware like Tox runs with the rights of the user who opened the attachment, and its persistence lives in that user's profile (here, the Startup folder under %AppData%), so other accounts on the same Windows system are usually unaffected. That gives a few removal options:
- Log into an unaffected account that has administrative rights and run a scan with reputable software to detect and remove the malware from the infected profile.
- Delete the infected account (after recovering any files you need from its profile).
- If the computer has only one Windows account, create a new administrative account, log into it and run the removal from there.
Safe Mode with Networking gives you Internet access for updates, drivers, removal tools or other downloads when the malware has broken network connectivity in a normal session.