Privacy News In-Development Ransomware Encrypts while Pretending to be a Click Me Game

HeroCloudAntivirus

Oct 17, 2016
source: bleepingcomputer.com/news/security/in-development-ransomware-encrypts-while-pretending-to-be-a-click-me-game/


Yesterday, GData malware analyst Karsten Hahn discovered an in-development ransomware disguised as a click me game. When executed, the ransomware will launch a screen that contains a Click Me button that a user chases around the screen with their mouse cursor while trying to click on it. In the background, though, the ransomware will be silently encrypting the data on the drive.
This ransomware is currently in-development, which means that it does not contain the full functionality required to make it a viable ransomware. For example, though it does encrypt a file, it currently only targets the file located at D:\ransom-flag.png. Any other files on a computer will not be affected by this ransomware.

Code:
        // Token: 0x06000007 RID: 7 RVA: 0x00002439 File Offset: 0x00000639
        public void DoJob()
        {
            this.Encrypt_file("D:\\ransom-flag.png");
        }

When encrypting files, it will use AES encryption, and encrypted files will have the .hacked extension appended to the filename.

As shown in the video above, when executed the ransomware will display a screen that pretends to be a click me game. As the user clicks on the button, it will show a different background screen.

[Image: Click Me Game Free]

Eventually, if you click the button enough times or press enter, it will show the following ransom note screen.

[Image: Ransom Note Screen]

Translated:

Alright my dear brother!!!
Enough free playing. Your files have been encrypted. Pay so much this much money so I can send you the password for your files.
I can be paid this much too cause I am very kind.
So move on I didn't raise the price.



The text of this ransom note is further indication that the malware is still in development because it does not contain any payment instructions such as an email address or payment site.

At this time this ransomware is currently not being distributed and there is a good chance it never will be. If this changes and someone encounters this ransomware in the wild, please let me know in the comments and we can further analyze the newer version for weaknesses.
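
The appended .hacked extension described above can be used for triage. The following is an added example, not code from the article or the sample: it walks a directory, finds files carrying the appended extension, and checks whether the original file type's header is still present. The magic-byte table, the function names, the sample files, and the assumption that encryption overwrites the file header are all illustrative.

```python
import os
import tempfile

MARKER = ".hacked"  # extension the article says is appended to encrypted files

# Assumption: small illustrative subset of file signatures, keyed by original extension.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
    ".zip": b"PK\x03\x04",
}

def triage(root):
    """Return sorted (path, verdict) pairs for files under root ending in MARKER."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(MARKER):
                continue
            path = os.path.join(dirpath, name)
            # Recover the extension the file had before the marker was appended.
            original_ext = os.path.splitext(name[:-len(MARKER)])[1].lower()
            expected = MAGIC.get(original_ext)
            with open(path, "rb") as fh:
                head = fh.read(8)
            if expected is None:
                verdict = "marker-only"        # no signature known for this type
            elif head.startswith(expected):
                verdict = "renamed-intact"     # header valid: renamed, content likely untouched
            else:
                verdict = "header-destroyed"   # assumption: consistent with encrypted content
            findings.append((path, verdict))
    return sorted(findings)

def demo():
    """Build a constructed sample tree in a temp dir and return {filename: verdict}."""
    samples = {
        "ransom-flag.png.hacked": b"\x13\x37\xa5\x5a" * 8,      # constructed: random-looking bytes
        "photo.jpg.hacked": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # constructed: JPEG header kept
        "notes.txt.hacked": b"\x9c\x01\x44\x7f" * 4,             # constructed: type has no signature
        "untouched.png": MAGIC[".png"] + b"\x00" * 16,           # constructed: no marker, ignored
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return {os.path.basename(p): v for p, v in triage(root)}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:18} {name}")
```
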