Meet ‘Tox’: Ransomware for the Rest of Us

By on

The packaging of malware and malware-construction kits for cybercrime “consumers” has been a long-running trend. Various turnkey kits that cover remote access plus botnet plus stealth functions are available just about anywhere. Ransomware, though very prevalent, has not yet appeared in force in easy-to-deploy kits.

But now we have Tox–and it’s free.





While sifting though our stream of “dark web” data, McAfee Labs found Tox on May 19. It was updated on May 21 with a new FAQ and an updated design. But the core did not change.



Salient Points:

  • Tox is free. You just have to register on the site.
  • Tox is dependent on TOR and Bitcoin. That allows for some degree of anonymity.
  • The malware works as advertised.
  • Out of the gate, the standard of antimalware evasion is fairly high, meaning the malware’s targets would need additional controls in place (HIPS, whitelisting, sandboxing) to catch or prevent this.

Once you register for the product, you can create your malware in three simple steps.

  • Enter the ransom amount. (The site takes 20% of the ransom.)
  • Enter your “cause.”
  • Submit the captcha.




This process creates an executable of about 2MB that is disguised as a .scr file. Then the Tox “customers” distribute and install as they see fit. The Tox site (on the TOR network) will track the installs and profit. To withdraw funds, you need only supply a receiving Bitcoin address.


Upon execution, the malware encrypts the victims’ data and prompts them for the ransom, including the Bitcoin address for sending payment.







Technical Information

Although easy to use and functional, the malware appears to lack complexity and efficiency within the code.

Tox malware portable executable sections.

The developer has left several identifying strings within the code. Examples:

  • C:/Users/Swogo/Desktop/work/tox/cryptopp/secblock.h
  • C:/Users/Swogo/Desktop/work/tox/cryptopp/filters.h
  • C:/Users/Swogo/Desktop/work/tox/cryptopp/cryptlib.h
  • C:/Users/Swogo/Desktop/work/tox/cryptopp/simple.h

Tox-generated malware is compiled in MinGW and uses AES to encrypt client files via the Crypto++ library.  The Microsoft CryptoAPI is used for key generation.


Network Information

The malware first downloads Curl and the TOR client:

  • hxxp://
  • hxxp://

All downloaded files and artifacts are stored in the following path:

  • C:\Users\<username>\AppData\Roaming\

After execution, Tox will start TOR in SOCKS5 proxy mode with the following command-line parameters:

-socks5-hostname –data \


We don’t expect Tox to be the last malware to embrace this model. We also anticipate more skilled development and variations in encryption and evasion techniques.

One comment on “Meet ‘Tox’: Ransomware for the Rest of Us

Leave a Comment

Similar articles

If you’re a gamer, you know how important virtual currency is. It allows you to purchase new costumes and weapons to personalize your avatar. But how does one go about gaining virtual currency? Players complete in-game challenges and are rewarded with coins to spend in their virtual world. These challenges can be pretty difficult and ...
Read Blog
Holiday stress. Every year, come November, my resting heart rate starts to rise: the festive season is approaching. Not only is there so much to do but there’s so much to spend money on. There are presents to purchase, feasts to prepare and party outfits to buy. Throw in a holiday to fill the long ...
Read Blog
Cryptocurrency mining is the way transactions are verified and added to the public ledger, a database of all the transactions made around a particular piece of cryptocurrency. Cryptocurrency miners compile all of these transactions into blocks and try to solve complicated mathematical problems to compete with other miners for bitcoins. To do this, miners need ...
Read Blog