WoXoTo Ransomware Locks Victim Systems


While analyzing new malware samples, we came across WoXoTo, a new addition to the Xorist family. WoXoTo is ransomware: malicious software designed to encrypt files. It delivers two ransom notes, creating the "HOW TO DECRYPT FILES.txt" file and displaying a pop-up message, and it alters file names by appending the ".WoXoTo" extension.

The ransom note communicates to the victim that their files have undergone encryption, but reassures them not to panic, asserting that decryption is feasible upon payment of a ransom. The note specifies the payment method as Bitcoin, with the ransom amount fixed at 0.02 BTC.

The note instructs the victim to confirm that the Bitcoin address used for payment matches the one provided in the note. After paying, the victim is directed to contact the perpetrators by email at woxoto@tuta.io, using a specified subject line. Upon confirmation of payment, the attackers pledge to provide a tutorial and the decryption keys for unlocking the encrypted files.
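The two file-system indicators described above (the appended ".WoXoTo" extension and the "HOW TO DECRYPT FILES.txt" note) are enough to scope which directories were hit during incident response. The following Python scanner is an added example, not code from the original analysis; the function names and the case-insensitive matching are assumptions, and it reads directory listings only, without opening or modifying any file.

```python
import os
import sys
from collections import defaultdict

# Indicators taken from the write-up above.
ENCRYPTED_SUFFIX = ".WoXoTo"
RANSOM_NOTE_NAME = "HOW TO DECRYPT FILES.txt"


def scan_for_woxoto(root):
    """Return {directory: {"note": bool, "encrypted": [(current, original)]}}
    for every directory under `root` that shows at least one indicator."""
    findings = defaultdict(lambda: {"note": False, "encrypted": []})
    suffix = ENCRYPTED_SUFFIX.lower()
    note = RANSOM_NOTE_NAME.lower()
    # followlinks=False keeps the walk from leaving the tree through symlinks.
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            lowered = name.lower()  # assumption: match case-insensitively
            if lowered == note:
                findings[dirpath]["note"] = True
            elif lowered.endswith(suffix) and len(name) > len(suffix):
                # The extension is appended, so stripping it yields the
                # pre-encryption file name (useful for matching backups).
                findings[dirpath]["encrypted"].append((name, name[: -len(suffix)]))
    return dict(findings)


def summarize(findings):
    """Collapse per-directory findings into counts for a triage report."""
    return {
        "directories": len(findings),
        "encrypted_files": sum(len(f["encrypted"]) for f in findings.values()),
        "ransom_notes": sum(1 for f in findings.values() if f["note"]),
    }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    result = scan_for_woxoto(target)
    for directory, info in sorted(result.items()):
        flag = "note present" if info["note"] else "no note"
        print(f"{directory}: {len(info['encrypted'])} encrypted file(s), {flag}")
    print(summarize(result))
```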

WoXoTo Ransom Note Demands Bitcoin Payment

The full text of the WoXoTo ransom note reads as follows:

Hi, as you can see, all your files are encrypted.
Don't panic, you can decrypt them, you just have to pay me for the ransom.

Payment is made only by bitcoin, and the amount you have to pay is 0.02 BITCOIN
You can buy very easily from these sites:
www.localbitcoins.com
www.paxful.com

A list of several sites where you can buy bitcoin can be found here:
hxxps://bitcoin.org/en/exchanges

Make sure the address where you will send the bitcoin is: bc1q20q0xphyalwn6emjvd5xt5mc3a7tel08ldnfjq

After sending, contact us at this email address: woxoto@tuta.io
With this subject: -

After confirming the payment, you will receive a tutorial and the keys for decrypting the files.

How Is Ransomware Like WoXoTo Distributed?

Ransomware such as WoXoTo is typically distributed through methods that exploit vulnerabilities in systems or trick users into inadvertently installing the malicious software. Specific distribution methods vary, but the following are common:

Phishing Emails:
Ransomware often spreads through phishing emails containing malicious attachments or links. These emails may appear legitimate, enticing recipients to click on links or open attachments, leading to the installation of the ransomware.

Malicious Links:
Cybercriminals may employ phishing websites or compromised legitimate sites to distribute ransomware. Users may unknowingly visit these sites, triggering the download and execution of the malicious code.

Exploit Kits:
Ransomware can be distributed through exploit kits, which target vulnerabilities in software or operating systems. When a user visits a compromised website, the exploit kit scans for vulnerabilities and delivers the ransomware payload.

Malvertising:
Malicious advertisements (malvertising) on legitimate websites can redirect users to websites hosting ransomware. Clicking on these ads may initiate the download and execution of the malicious code.

Watering Hole Attacks:
Cybercriminals may compromise websites that are frequently visited by a specific target group (such as employees of a particular organization). When users from the targeted group visit these compromised sites, they may inadvertently download ransomware.

Drive-by Downloads:
Ransomware can be delivered through drive-by downloads, where malware is automatically downloaded and executed when a user visits a compromised or malicious website without any user interaction.

March 5, 2024