Ransomware malware is becoming much more prevalent in 2015. New copycats and variants are coming out all the time. The creators of TOX ransomware took a different approach than previous…

Ransomware malware is becoming much more prevalent in 2015. New copycats and variants are coming out all the time. The creators of TOX ransomware took a different approach than previous creators of the earlier ransomware malware. They are not spreading the malicious payload themselves; they are instead offering a service aka Ransomware-as-a-Service (RaaS). This service allows users with very little technical expertise to create a customized TOX ransomware virus. To use the service you must access their website via the TOR network at toxic[redacted]qj.onion.

The creators profit by taking 30% of any ransom paid and dropping the remaining into your bitcoin wallet. After you create an account with TOX web services you can create your virus. You are able to set the ransom amount and add a custom message the users will see with the ransom instructions.

Management screenshot below shows the number of viruses you created, number of infected computers, number of ransoms paid, profit, and the interface to create another virus.


Now that you have easily created the customized TOX ransomware and downloaded it, it is up to the evil party on how to infect other systems. Phishing emails are the most common distribution method for older ransomware viruses and are still an easy access point for the bad guys to bypass several layers of defense. The payload is downloaded as a SCR file type, although this can be changed to several other executable file types such as EXE, COM, PIF, BAT (there are others as well).

After the payload is distributed and executed by a victim, several actions take place.

  • A TOR browser is downloaded from dist.torproject.org (
  • The victim computer communicates with a TOX hidden server via the TOR network.
  • Several necessary files are created by the malware.
  • The malware encrypts the users’ data and renames the files with a “toxcrypt” file extension.
  • Decrypt instructions file (TOX RANSOM.html) is placed on the desktop and automatically opened via iexplore.exe when the malware completes encrypting users’ data.
  • A log of all files encrypted is stored in the “Application Data” directory named tox.log


Dropped/Created Files

C:Documents and SettingstechApplication Datatox_tortor.zip

C:Documents and SettingstechApplication Datatox_torDataTorgeoip

C:Documents and SettingstechApplication Datatox_torDataTorgeoip6

C:Documents and SettingstechApplication Datatox_torTorlibeay32.dll

C:Documents and SettingstechApplication Datatox_torTorlibevent_core-2-0-5.dll

C:Documents and SettingstechApplication Datatox_torTorlibgcc_s_sjlj-1.dll

C:Documents and SettingstechApplication Datatox_torTorssleay32.dll

C:Documents and SettingstechApplication Datatox_torTorzlib1.dll

C:Documents and SettingstechApplication Datatox_torTorlibevent-2-0-5.dll

C:Documents and SettingstechApplication Datatox_torTorlibevent_extra-2-0-5.dll

C:Documents and SettingstechApplication Datatox_torTorlibssp-0.dll

C:Documents and SettingstechApplication Datatox_torTortor.exe

C:Documents and SettingstechApplication Datatorcached-certs

C:Documents and SettingstechApplication Datatorcached-microdescs

C:Documents and SettingstechApplication Datatorlock

C:Documents and SettingstechApplication Datatorcached-microdesc-consensus

C:Documents and SettingstechApplication Datatorcached-microdescs.new

C:Documents and SettingstechApplication Datatorstate

C:Documents and SettingstechApplication Datatox.log

C:Documents and SettingstechTOX RANSOM.html

C:Documents and SettingstechStart MenuProgramsStartupTox.scr


After the ransomware has finished its job it will display the “TOX RANSOM.html” file as shown below:


The screenshot shows the 1 million dollar ransom I decided on and the custom message “You must pay 1 Million Dollars to Zach or ELSE!!!”.

AV Detection rate

As of May 29, 2015, 14 out of 56 AV vendors have flagged this ransomware. Plenty of popular AV vendors are not blocking this threat such as McAfee, AVG, Avast, Microsoft, Kaspersky, and etc.




There is a chat for users who have registered with TOX. I have been monitoring it for several hours and found several users reporting they successfully had individuals pay the ransom. I strongly urge against paying any ransom, because you are funding the bad guys.

Screenshot below shows user “Jurex5” getting paid.


After observing the chat for several hours, I can tell by the language, context and questions that there are a lot of non-technical people taking part in this activity. Services like this may change the game for future malware. Previously if you did not have the technical expertise, you could at least pay for an exploit kit, which requires money up front. This type of service is free and only takes a percentage of the ransom if it is paid.



Basic Defense:

  • Maintain up to date software such as Adobe, Java, Silverlight, Microsoft updates. Popular exploit kits come packaged to exploit several of these vulnerabilities and I wouldn’t be surprised to see this virus packaged in.
  • Maintain up to date Antivirus definitions and perform regular scheduled scans.
  • Take caution when browsing the internet.
  • Be very careful when checking email. Do not click on links or open any attachments. This is the easiest way to bypass all of your defensive security layers.

Technical Defense:

  • Block execution and creation of tor.exe, tor.zip and all SCR file types. All popular malware have at least one variant using the SCR file type.
  • Monitor and alert if “TOX RANSOM.html” or any file types named “toxcrypt” are created.
  • Block communication to all TOR nodes and TOR proxies.
  • Block (TOR Exit note) and [dist.torproject.org] (TOR Browser download location).

Zach Havins is an Information Security and Incident Response Professional.

1 Comment

Leave a Reply